
Non FIPS Approved Ciphers/Algorithms Should not be allowed when FIPS is enabled #62

wumiaont commented Jun 27, 2024

FIPS requires that non-FIPS-approved ciphers/algorithms not be allowed when FIPS is enabled on the SONiC platform. It's found that algorithms such as ChaCha20 etc. are still supported by OpenSSL under FIPS mode.

A solution could be bringing openssl-fips.conf back and adding the following into openssl-fips.conf.

[openssl_init]
providers = provider_sect
alg_section = evp_properties

[evp_properties]
default_properties = "fips=yes"

Another approach could be adding EVP_default_properties_enable_fips(NULL, 1) to 30-load-symcrypt-engine-provider.patch,
which will do the same work as the above configuration to enable FIPS for the default properties.
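
The following script is an added example (not code from the sonic-fips project or from the issue author) that probes the effect of the filter both proposals install: a "fips=yes" default property query, which every EVP_*_fetch() in the process must satisfy. It assumes an OpenSSL 3.x `openssl` binary on PATH and applies the filter per invocation with `-propquery fips=yes`, so it can be run before the config or patch is in place; the plaintext and passphrase are constructed for the example. Whether a FIPS provider is actually loaded only changes the verdict for approved ciphers such as AES; ChaCha20, Camellia and SM4 carry no fips=yes property in any provider, so they must be rejected as soon as the filter is in force.

```shell
#!/bin/sh
# Added example: probe which ciphers the OpenSSL CLI will instantiate under
# a "fips=yes" property query. This is the same filter that
# default_properties = "fips=yes" in openssl.cnf, or
# EVP_default_properties_enable_fips(NULL, 1) in code, applies process-wide.
# Assumption: an OpenSSL 3.x `openssl` binary on PATH.

# cipher_allowed NAME [PROPQUERY]
# Succeeds if `openssl enc -NAME` can encrypt a constructed plaintext under
# PROPQUERY (empty PROPQUERY = no extra filter, i.e. the process defaults).
cipher_allowed() {
    _name=$1
    _propq=${2:-}
    if [ -n "$_propq" ]; then
        set -- "-$_name" -propquery "$_propq"
    else
        set -- "-$_name"
    fi
    # Constructed input; the passphrase is for the example only.
    printf 'constructed plaintext, not real traffic\n' |
        openssl enc "$@" -pass pass:example-only -pbkdf2 >/dev/null 2>&1
}

# Ciphers the default provider offers that are never FIPS approved.
NON_APPROVED="chacha20 camellia-256-cbc sm4-cbc"
# Ciphers the FIPS provider offers; these pass only when it is loaded.
APPROVED="aes-256-cbc aes-128-ctr"

# fips_filter_report: one line per cipher under fips=yes; returns 1 if any
# non-approved cipher was still usable, which is the defect this issue is about.
fips_filter_report() {
    _rc=0
    for c in $NON_APPROVED; do
        if cipher_allowed "$c" fips=yes; then
            echo "FAIL  $c usable under fips=yes"
            _rc=1
        else
            echo "ok    $c rejected under fips=yes"
        fi
    done
    for c in $APPROVED; do
        if cipher_allowed "$c" fips=yes; then
            echo "ok    $c usable under fips=yes (FIPS provider loaded)"
        else
            echo "note  $c rejected under fips=yes: no FIPS provider loaded, the filter blocks everything"
        fi
    done
    return $_rc
}

# list_fips_ciphers: what `openssl list` reports as fetchable under fips=yes.
list_fips_ciphers() {
    openssl list -cipher-algorithms -propquery fips=yes
}

if [ "${1:-}" = "--run" ]; then
    fips_filter_report
    echo "--- cipher algorithms advertised with fips=yes ---"
    list_fips_ciphers
fi
```

Run it as `sh probe-fips-filter.sh --run`. The "note" lines for AES are the point to watch when adopting the config above: once default_properties = "fips=yes" is set, the default provider's AES is filtered out too, so the FIPS provider must be loaded and activated in the same config, otherwise nothing at all is fetchable. To confirm the config itself took effect rather than the per-command flag, export OPENSSL_CONF pointing at the proposed openssl-fips.conf and call `cipher_allowed chacha20` with no second argument; it must then fail.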

xumia commented Jul 15, 2024

@wumiaont, after enabling the config, 65 UTs failed.

Test Summary Report

02-test_internal_context.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
03-test_internal_curve448.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
03-test_internal_ffc.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
03-test_internal_sm2.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
03-test_property.t (Wstat: 256 (exited 1) Tests: 2 Failed: 1)
Failed test: 1
Non-zero exit status: 1
04-test_encoder_decoder.t (Wstat: 256 (exited 1) Tests: 2 Failed: 1)
Failed test: 1
Non-zero exit status: 1
04-test_encoder_decoder_legacy.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
04-test_nodefltctx.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
04-test_pem_read_depr.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
04-test_provider_fallback.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
05-test_des.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
05-test_hmac.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
05-test_pbe.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
05-test_rand.t (Wstat: 256 (exited 1) Tests: 4 Failed: 1)
Failed test: 1
Non-zero exit status: 1
06-test_algorithmid.t (Wstat: 256 (exited 1) Tests: 11 Failed: 1)
Failed test: 3
Non-zero exit status: 1
15-test_dh.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
15-test_dsa.t (Wstat: 512 (exited 2) Tests: 7 Failed: 2)
Failed tests: 2-3
Non-zero exit status: 2
15-test_dsaparam.t (Wstat: 2048 (exited 8) Tests: 28 Failed: 8)
Failed tests: 5-6, 11-14, 21-22
Non-zero exit status: 8
15-test_ec.t (Wstat: 768 (exited 3) Tests: 15 Failed: 3)
Failed tests: 2, 12-13
Non-zero exit status: 3
15-test_gendh.t (Wstat: 768 (exited 3) Tests: 9 Failed: 3)
Failed tests: 3-5
Non-zero exit status: 3
15-test_gendhparam.t (Wstat: 2304 (exited 9) Tests: 16 Failed: 9)
Failed tests: 1, 3-5, 8, 11-14
Non-zero exit status: 9
15-test_gendsa.t (Wstat: 2304 (exited 9) Tests: 11 Failed: 9)
Failed tests: 1-5, 7-10
Non-zero exit status: 9
15-test_genec.t (Wstat: 65024 (exited 254) Tests: 1144 Failed: 1081)
Failed tests: 4-117, 124-141, 148-153, 160-165, 172-237
244-969, 976-981, 988-993, 1000-1005, 1012-1017
1024-1144
Non-zero exit status: 254
15-test_genrsa.t (Wstat: 512 (exited 2) Tests: 15 Failed: 2)
Failed tests: 14-15
Non-zero exit status: 2
15-test_rsa.t (Wstat: 256 (exited 1) Tests: 12 Failed: 1)
Failed test: 12
Non-zero exit status: 1
15-test_sha.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
20-test_dgst.t (Wstat: 1536 (exited 6) Tests: 13 Failed: 6)
Failed tests: 3, 8-12
Non-zero exit status: 6
20-test_dhparam.t (Wstat: 1536 (exited 6) Tests: 21 Failed: 6)
Failed tests: 9-13, 16
Non-zero exit status: 6
20-test_enc_more.t (Wstat: 29440 (exited 115) Tests: 132 Failed: 115)
Failed tests: 5, 7, 9, 12, 14, 16, 19, 21, 23, 27-132
Non-zero exit status: 115
20-test_kdf.t (Wstat: 2816 (exited 11) Tests: 19 Failed: 11)
Failed tests: 4-7, 12-15, 17-19
Non-zero exit status: 11
20-test_mac.t (Wstat: 512 (exited 2) Tests: 13 Failed: 4)
Failed tests: 3-4, 8, 11
Non-zero exit status: 2
Parse errors: Bad plan. You planned 26 tests but ran 13.
20-test_pkeyutl.t (Wstat: 2816 (exited 11) Tests: 14 Failed: 11)
Failed tests: 1-8, 11, 13-14
Non-zero exit status: 11
20-test_spkac.t (Wstat: 512 (exited 2) Tests: 4 Failed: 2)
Failed tests: 1-2
Non-zero exit status: 2
25-test_req.t (Wstat: 1024 (exited 4) Tests: 46 Failed: 4)
Failed tests: 11, 13-14, 16
Non-zero exit status: 4
25-test_verify.t (Wstat: 1280 (exited 5) Tests: 166 Failed: 5)
Failed tests: 108, 110, 155, 161-162
Non-zero exit status: 5
25-test_x509.t (Wstat: 512 (exited 2) Tests: 28 Failed: 2)
Failed tests: 6, 17
Non-zero exit status: 2
30-test_aesgcm.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
30-test_defltfips.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
30-test_evp.t (Wstat: 768 (exited 3) Tests: 72 Failed: 3)
Failed tests: 2, 16, 20
Non-zero exit status: 3
30-test_evp_kdf.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
30-test_evp_libctx.t (Wstat: 512 (exited 2) Tests: 2 Failed: 2)
Failed tests: 1-2
Non-zero exit status: 2
30-test_evp_pkey_provided.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
30-test_pkey_meth_kdf.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
65-test_cmp_msg.t (Wstat: 256 (exited 1) Tests: 2 Failed: 1)
Failed test: 2
Non-zero exit status: 1
70-test_asyncio.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
70-test_bad_dtls.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
70-test_clienthello.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
70-test_comp.t (Wstat: 256 (exited 1) Tests: 4 Failed: 1)
Failed test: 1
Non-zero exit status: 1
70-test_key_share.t (Wstat: 2304 (exited 9) Tests: 23 Failed: 9)
Failed tests: 1, 4, 6-7, 13-14, 20-21, 23
Non-zero exit status: 9
70-test_recordlen.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
70-test_renegotiation.t (Wstat: 512 (exited 2) Tests: 5 Failed: 2)
Failed tests: 1, 3
Non-zero exit status: 2
70-test_servername.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
70-test_sslcertstatus.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
70-test_sslextension.t (Wstat: 1024 (exited 4) Tests: 8 Failed: 4)
Failed tests: 3, 5-6, 8
Non-zero exit status: 4
70-test_sslmessages.t (Wstat: 7424 (exited 29) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 29
Parse errors: Bad plan. You planned 21 tests but ran 1.
70-test_sslrecords.t (Wstat: 2560 (exited 10) Tests: 20 Failed: 10)
Failed tests: 2, 5, 7, 11, 14-15, 17-20
Non-zero exit status: 10
70-test_sslsessiontick.t (Wstat: 7424 (exited 29) Tests: 3 Failed: 3)
Failed tests: 1-3
Non-zero exit status: 29
Parse errors: Bad plan. You planned 10 tests but ran 3.
70-test_sslsigalgs.t (Wstat: 3072 (exited 12) Tests: 26 Failed: 12)
Failed tests: 1, 6, 9-10, 15-16, 19, 21-23, 25-26
Non-zero exit status: 12
70-test_sslsignature.t (Wstat: 256 (exited 1) Tests: 4 Failed: 1)
Failed test: 1
Non-zero exit status: 1
70-test_sslversions.t (Wstat: 1024 (exited 4) Tests: 8 Failed: 4)
Failed tests: 3, 5-7
Non-zero exit status: 4
70-test_sslvertol.t (Wstat: 512 (exited 2) Tests: 3 Failed: 2)
Failed tests: 1-2
Non-zero exit status: 2
70-test_tls13alerts.t (Wstat: 65280 (exited 255) Tests: 0 Failed: 0)
Non-zero exit status: 255
Parse errors: No plan found in TAP output
70-test_tls13cookie.t (Wstat: 512 (exited 2) Tests: 2 Failed: 2)
Failed tests: 1-2
Non-zero exit status: 2
70-test_tls13downgrade.t (Wstat: 512 (exited 2) Tests: 6 Failed: 2)
Failed tests: 5-6
Non-zero exit status: 2
70-test_tls13hrr.t (Wstat: 28416 (exited 111) Tests: 3 Failed: 0)
Non-zero exit status: 111
Parse errors: Bad plan. You planned 4 tests but ran 3.
70-test_tls13kexmodes.t (Wstat: 7424 (exited 29) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 29
Parse errors: Bad plan. You planned 11 tests but ran 1.
70-test_tls13messages.t (Wstat: 7424 (exited 29) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 29
Parse errors: Bad plan. You planned 17 tests but ran 1.
70-test_tls13psk.t (Wstat: 7424 (exited 29) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 29
Parse errors: Bad plan. You planned 5 tests but ran 1.
70-test_tlsextms.t (Wstat: 7424 (exited 29) Tests: 4 Failed: 4)
Failed tests: 1-4
Non-zero exit status: 29
Parse errors: Bad plan. You planned 10 tests but ran 4.
80-test_cipherlist.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
80-test_cmp_http.t (Wstat: 1280 (exited 5) Tests: 6 Failed: 5)
Failed tests: 1-5
Non-zero exit status: 5
80-test_cms.t (Wstat: 512 (exited 2) Tests: 17 Failed: 2)
Failed tests: 4-5
Non-zero exit status: 2
80-test_dtls.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
80-test_dtls_mtu.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
80-test_pkcs12.t (Wstat: 3328 (exited 13) Tests: 13 Failed: 13)
Failed tests: 1-13
Non-zero exit status: 13
80-test_ssl_new.t (Wstat: 7168 (exited 28) Tests: 30 Failed: 28)
Failed tests: 1-21, 23-28, 30
Non-zero exit status: 28
80-test_ssl_old.t (Wstat: 768 (exited 3) Tests: 6 Failed: 3)
Failed tests: 1, 3-4
Non-zero exit status: 3
80-test_sslcorrupt.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
90-test_bio_enc.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
90-test_sslapi.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
90-test_sslbuffers.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
90-test_store.t (Wstat: 512 (exited 2) Tests: 8 Failed: 0)
Non-zero exit status: 2
Parse errors: Bad plan. You planned 434 tests but ran 8.
90-test_threads.t (Wstat: 256 (exited 1) Tests: 2 Failed: 1)
Failed test: 1
Non-zero exit status: 1
90-test_tls13ccs.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
90-test_tls13secrets.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
Files=245, Tests=2696, 685 wallclock secs ( 4.60 usr 0.68 sys + 269.83 cusr 49.67 csys = 324.78 CPU)
Result: FAIL
make[1]: *** [Makefile:3261: run_tests] Error 1
make[1]: Leaving directory '/home/xumia/fips3/src/openssl/build_shared'
make: *** [Makefile:3256: tests] Error 2

@xumia xumia self-assigned this Jul 15, 2024
wumiaont commented Aug 9, 2024

I tried OpenSSL 3.0 and ran the self-tests. When the above config is applied to enable FIPS mode for OpenSSL, lots of self-tests failed.

This makes sense, as many self-tests are not FIPS compliant, so disabling those non-FIPS-compliant algorithms/ciphers will make the tests using those algorithms fail.
