Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1940085
| Summary: | FIPS_selftest() fails in FIPS mode. | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Martin Poole <mpoole> | |
| Component: | openssl | Assignee: | Nobody <nobody> | |
| Status: | VERIFIED --- | QA Contact: | Hubert Kario <hkario> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 8.3 | CC: | hkario, qguo, xiliang | |
| Target Milestone: | rc | Keywords: | Triaged | |
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | openssl-1.1.1k-3.el8 | Doc Type: | Bug Fix | |
| Doc Text: |
Cause:
The FIPS_selftest() library call tries to perform operations that are forbidden for a library working in FIPS mode.
Consequence:
Application calling the method fails FIPS_selftest and reports error or crashes.
Fix:
FIPS_selftest() updated to perform only operations allowed in FIPS mode.
Please note that FIPS_selftest() is not a part of API of the current FIPS module. Calling it is not necessary for FIPS compliance. OpenSSL automatically performs self-tests when it detects that the system is running in FIPS mode.
Result:
Applications that call FIPS_selftest() no longer crash.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1969692 (view as bug list) | Environment: | ||
| Last Closed: | Type: | Bug | ||
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1969692 | |||
Description of problem: The FIPS_selftest() routine fails if the system is in FIPS mode. Version-Release number of selected component (if applicable): openssl-1.1.1g-12.el8_3.x86_64 How reproducible: Always. Steps to Reproduce: #include <stdio.h> #include <openssl/ssl.h> #include <openssl/fips.h> #include <openssl/err.h> int main(int argc, char *argv[]) { fprintf(stderr,"Startup\n"); fprintf(stderr,"all algos added\n"); if(FIPS_mode()) fprintf(stderr,"FIPS mode already set.\n"); else { fprintf(stderr,"Not to set FIPS mode...\n"); } fprintf(stderr,"Attempt FIPS self tests...\n"); if (FIPS_selftest()) { fprintf(stderr,"FIPS self tests succeeded.\n"); } else { fprintf(stderr,"ERROR: FIPS self tests failed.\n"); ERR_print_errors_fp(stderr); } return 0; } Actual results: Startup all algos added FIPS mode already set. Attempt FIPS self tests... ERROR: FIPS self tests failed. 139731764220864:error:0607B0C8:digital envelope routines:EVP_CipherInit_ex:disabled for FIPS:crypto/evp/evp_enc.c:226: 139731764220864:error:2D06F065:FIPS routines:func(111):reason(101):crypto/fips/fips_des_selftest.c:129: Expected results: self tests should succeed. Additional info: The failure seems to stem from the presence of the the 2-Key 3DES test in FIPS_selftest_des(). From the flags in crypto/evp/e_des3.c that particular cipher is not marked as FIPS.