Bug 1004754

Summary: In FIPS-mode, EVP_DigestInit / EVP_DigestUpdate allows MD5
Product: Red Hat Enterprise Linux 6 Reporter: Jan Safranek <jsafrane>
Component: opensslAssignee: Tomas Mraz <tmraz>
Status: CLOSED NOTABUG QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.4CC: omoris
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-09-05 12:29:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Reproducer none

Description Jan Safranek 2013-09-05 12:11:45 UTC
Created attachment 794252 [details]
Reproducer

Description of problem:
Net-SNMP uses OpenSSL EVP API without calling OpenSSL_add_all_digests() or similar function and it is able to compute MD5 hashes in FIPS mode.

See attached reproducer.

Version-Release number of selected component (if applicable):
openssl-1.0.0-27.el6.2.x86_64

How reproducible:
always

Steps to Reproduce:
1. enable FIPS mode
2. gcc -o test test.c -lssl -lcrypto
3. ./test

Actual results:
OpenSSL computes MD5 digest of something.

Expected results:
EVP_DigestInit_ex failed, MD5 not found.

Additional info:
EVP_DigestInit_ex() correctly fails if OpenSSL_add_all_digests() is called before.

man 3 EVP_DigestInit mentions that OpenSSL_add_all_digests() is necessary only when EVP_get_digestbyname(), EVP_get_digestbynid() or EVP_get_digestbyobj() are used and they are not in my reproducer (and in Net-SNMP).

EVP_DigestInit_ex() should either fail if OpenSSL was not initialized properly or it should attempt to initialize by itself. Computing MD5 in FIPS mode is IMHO wrong.

Comment 2 Tomas Mraz 2013-09-05 12:29:49 UTC
You have to call the OpenSSL_add_all_digests or similar initialization function otherwise you're outside of the OpenSSL FIPS module policy.

Another thing is that due to a new NIST guidance the new validation of OpenSSL will require to initialize the FIPS mode without this call directly from library constructor which means that in RHEL-6.5 this call will not be necessary.

But anyway this is not a bug in OpenSSL.