Bug 1004754
| Field | Value |
|---|---|
| Summary | In FIPS-mode, EVP_DigestInit / EVP_DigestUpdate allows MD5 |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Jan Safranek <jsafrane> |
| Component | openssl |
| Assignee | Tomas Mraz <tmraz> |
| Status | CLOSED NOTABUG |
| QA Contact | BaseOS QE Security Team <qe-baseos-security> |
| Severity | medium |
| Docs Contact | |
| Priority | unspecified |
| Version | 6.4 |
| CC | omoris |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2013-09-05 12:29:49 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Attachments | Reproducer (attachment 794252) |
Description (Jan Safranek, reporter):

Created attachment 794252 [details] Reproducer

Description of problem: Net-SNMP uses the OpenSSL EVP API without calling OpenSSL_add_all_digests() or a similar function and it is able to compute MD5 hashes in FIPS mode. See the attached reproducer.

Version-Release number of selected component (if applicable): openssl-1.0.0-27.el6.2.x86_64

How reproducible: always

Steps to Reproduce:
1. enable FIPS mode
2. gcc -o test test.c -lssl -lcrypto
3. ./test

Actual results: OpenSSL computes an MD5 digest of something.

Expected results: EVP_DigestInit_ex failed, MD5 not found.

Additional info: EVP_DigestInit_ex() correctly fails if OpenSSL_add_all_digests() is called before. man 3 EVP_DigestInit mentions that OpenSSL_add_all_digests() is necessary only when EVP_get_digestbyname(), EVP_get_digestbynid() or EVP_get_digestbyobj() are used, and they are not in my reproducer (and not in Net-SNMP). EVP_DigestInit_ex() should either fail if OpenSSL was not initialized properly or it should attempt to initialize by itself. Computing MD5 in FIPS mode is IMHO wrong.

Comment (bug closed NOTABUG):

You have to call OpenSSL_add_all_digests or a similar initialization function, otherwise you are outside the OpenSSL FIPS module policy. Another thing is that, due to new NIST guidance, the new validation of OpenSSL will require the FIPS mode to be initialized without this call, directly from the library constructor, which means that in RHEL-6.5 this call will not be necessary. But anyway, this is not a bug in OpenSSL.