Cause:
The FIPS_selftest() library call tries to perform operations that are forbidden for a library working in FIPS mode.
Consequence:
An application that calls FIPS_selftest() fails the self-test and reports an error or crashes.
Fix:
FIPS_selftest() was updated to perform only operations allowed in FIPS mode.
Please note that FIPS_selftest() is not part of the API of the current FIPS module, and calling it is not necessary for FIPS compliance. OpenSSL automatically performs self-tests when it detects that the system is running in FIPS mode.
Result:
Applications that call FIPS_selftest() no longer crash.
Description of problem:
The FIPS_selftest() routine fails if the system is in FIPS mode.
Version-Release number of selected component (if applicable):
openssl-1.1.1g-12.el8_3.x86_64
How reproducible:
Always.
Steps to Reproduce:
#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/fips.h>
#include <openssl/err.h>

int main(int argc, char *argv[])
{
    fprintf(stderr,"Startup\n");
    fprintf(stderr,"all algos added\n");
    if(FIPS_mode())
        fprintf(stderr,"FIPS mode already set.\n");
    else {
        fprintf(stderr,"Not to set FIPS mode...\n");
    }
    fprintf(stderr,"Attempt FIPS self tests...\n");
    if (FIPS_selftest()) {
        fprintf(stderr,"FIPS self tests succeeded.\n");
    }
    else {
        fprintf(stderr,"ERROR: FIPS self tests failed.\n");
        ERR_print_errors_fp(stderr);
    }
    return 0;
}
Actual results:
Startup
all algos added
FIPS mode already set.
Attempt FIPS self tests...
ERROR: FIPS self tests failed.
139731764220864:error:0607B0C8:digital envelope routines:EVP_CipherInit_ex:disabled for FIPS:crypto/evp/evp_enc.c:226:
139731764220864:error:2D06F065:FIPS routines:func(111):reason(101):crypto/fips/fips_des_selftest.c:129:
Expected results:
self tests should succeed.
Additional info:
The failure seems to stem from the presence of the 2-Key 3DES test in FIPS_selftest_des().
From the flags in crypto/evp/e_des3.c that particular cipher is not marked as FIPS.
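Added example, not part of the original report or of OpenSSL: a small C parser for the two error-queue lines under "Actual results", assuming the OpenSSL 1.1.1 packing of the hex code (8-bit library, 12-bit function, 12-bit reason). It shows that the unresolved func(111):reason(101) on the second line agrees with its hex code and flags entries rejected as "disabled for FIPS"; parse_ossl_err and struct ossl_err are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct ossl_err {               /* hypothetical type, not OpenSSL API */
    unsigned lib, func, reason; /* unpacked from the 32-bit error code */
    int line;                   /* source line that raised the error */
    int fips_disabled;          /* reason text is "disabled for FIPS" */
    char file[128];             /* source file that raised the error */
};

/* Parse "tid:error:HEXCODE:lib:func:reason:file:line:[data]".
 * Assumes OpenSSL 1.1.1 packing: lib 8 bits, func 12 bits, reason 12 bits.
 * Returns 0 on success, -1 if the line does not have that shape. */
int parse_ossl_err(const char *s, struct ossl_err *e)
{
    char buf[512], *f[8], *p, *end;
    unsigned long code;
    int n = 0;
    if (strlen(s) >= sizeof buf) return -1;
    strcpy(buf, s);
    for (p = buf; n < 8; p = end + 1) {   /* split the first 8 ':' fields */
        f[n++] = p;
        if ((end = strchr(p, ':')) == NULL) break;
        *end = '\0';
    }
    if (n < 8 || strcmp(f[1], "error") != 0 || f[2][0] == '\0') return -1;
    code = strtoul(f[2], &end, 16);
    if (*end != '\0') return -1;          /* code field was not pure hex */
    e->lib = (code >> 24) & 0xFF;
    e->func = (code >> 12) & 0xFFF;
    e->reason = code & 0xFFF;
    e->line = atoi(f[7]);
    e->fips_disabled = strstr(f[5], "disabled for FIPS") != NULL;
    snprintf(e->file, sizeof e->file, "%s", f[6]);
    return 0;
}

int main(void)
{
    const char *lines[] = {  /* the two error lines from "Actual results" */
        "139731764220864:error:0607B0C8:digital envelope routines:EVP_CipherInit_ex:disabled for FIPS:crypto/evp/evp_enc.c:226:",
        "139731764220864:error:2D06F065:FIPS routines:func(111):reason(101):crypto/fips/fips_des_selftest.c:129:",
    };
    struct ossl_err e;
    for (int i = 0; i < 2; i++)
        if (parse_ossl_err(lines[i], &e) == 0)
            printf("lib=%u func=%u reason=%u %s:%d%s\n", e.lib, e.func, e.reason, e.file, e.line, e.fips_disabled ? " [disabled for FIPS]" : "");
    return 0;
}
```

The first entry is the EVP layer refusing the cipher; the second is the DES self-test in crypto/fips/fips_des_selftest.c reporting the resulting failure.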
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (Moderate: openssl security and bug fix update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2021:4424