Bug 1940085

Summary: FIPS_selftest() fails in FIPS mode.
Product: Red Hat Enterprise Linux 8
Reporter: Martin Poole <mpoole>
Component: openssl
Assignee: Dmitry Belyavskiy <dbelyavs>
Status: CLOSED ERRATA
QA Contact: Hubert Kario <hkario>
Severity: medium
Priority: medium
Version: 8.3
CC: dbelyavs, hkario, qguo, sahana, xiliang
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openssl-1.1.1k-3.el8
Doc Type: Bug Fix
Doc Text:
Cause: The FIPS_selftest() library call tries to perform operations that are forbidden for a library working in FIPS mode.
Consequence: An application calling the function fails FIPS_selftest() and reports an error or crashes.
Fix: FIPS_selftest() was updated to perform only operations allowed in FIPS mode. Please note that FIPS_selftest() is not part of the API of the current FIPS module. Calling it is not necessary for FIPS compliance. OpenSSL automatically performs self-tests when it detects that the system is running in FIPS mode.
Result: Applications that call FIPS_selftest() no longer crash.
Last Closed: 2021-11-09 19:44:31 UTC
Type: Bug
Bug Blocks: 1969692

Description Martin Poole 2021-03-17 15:08:45 UTC
Description of problem:

The FIPS_selftest() routine fails if the system is in FIPS mode.


Version-Release number of selected component (if applicable):

openssl-1.1.1g-12.el8_3.x86_64

How reproducible:

Always.

Steps to Reproduce:

/* Build on RHEL 8 with: gcc -o fipstest fipstest.c -lssl -lcrypto */
#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/fips.h>   /* FIPS_selftest(), provided by RHEL's patched openssl */
#include <openssl/err.h>

int main(int argc, char *argv[])
{
   (void)argc;
   (void)argv;
   fprintf(stderr, "Startup\n");
   fprintf(stderr, "all algos added\n");
   /* FIPS_mode() reports whether the library switched itself into FIPS
    * mode (it does so when the kernel flag fips_enabled is 1); nothing
    * here calls FIPS_mode_set(). */
   if (FIPS_mode())
      fprintf(stderr, "FIPS mode already set.\n");
   else
      fprintf(stderr, "Not to set FIPS mode...\n");

   /* Run the module self-tests explicitly; non-zero means success. */
   fprintf(stderr, "Attempt FIPS self tests...\n");
   if (FIPS_selftest()) {
      fprintf(stderr, "FIPS self tests succeeded.\n");
      return 0;
   }
   fprintf(stderr, "ERROR: FIPS self tests failed.\n");
   ERR_print_errors_fp(stderr);   /* dump the error queue, e.g. "disabled for FIPS" */
   return 1;
}


Actual results:

Startup
all algos added
FIPS mode already set.
Attempt FIPS self tests...
ERROR: FIPS self tests failed.
139731764220864:error:0607B0C8:digital envelope routines:EVP_CipherInit_ex:disabled for FIPS:crypto/evp/evp_enc.c:226:
139731764220864:error:2D06F065:FIPS routines:func(111):reason(101):crypto/fips/fips_des_selftest.c:129:


Expected results:

self tests should succeed.

Additional info:

The failure seems to stem from the presence of the 2-Key 3DES test in FIPS_selftest_des().

From the flags in crypto/evp/e_des3.c, that particular cipher is not marked as FIPS.
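
To tell whether a host still carries the buggy build, the check below compares the installed openssl package against the Fixed In Version above using rpm's version-comparison rules and reads the kernel FIPS flag. It is an added example, not code from the bug report or from Red Hat: rpmvercmp and parse_nvr are my own reimplementations (rpm's real rpmvercmp also orders tilde and caret, which is assumed unnecessary for RHEL 8 openssl NVRs), and the sample NVRs are taken from this report.

```python
"""Check whether an installed RHEL 8 openssl build predates the fix for
bug 1940085 (Fixed In Version: openssl-1.1.1k-3.el8) and whether the host
is in FIPS mode, so a crash in FIPS_selftest() can be attributed.
Added example, not code from the bug report."""

import re

# NVR from the bug's "Fixed In Version" field.
FIXED_NVR = "openssl-1.1.1k-3.el8"

# Architecture suffixes stripped from "rpm -q openssl" output before parsing.
_ARCHES = ("x86_64", "aarch64", "ppc64le", "s390x", "i686", "noarch")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings with rpm's segment rules:
    split into runs of digits and runs of letters (separators are ignored),
    compare digit runs numerically and letter runs lexically, treat a digit
    run as newer than a letter run in the same position, and let the string
    with segments left over win. Tilde/caret ordering is not implemented
    (assumption: not needed for RHEL 8 openssl NVRs)."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):
        return 1 if len(sa) > len(sb) else -1
    return 0


def parse_nvr(nvr: str):
    """Split 'name-[epoch:]version-release[.arch]' into
    (name, epoch, version, release). 'rpm -q' omits the epoch, so both
    sides default to epoch 0 unless one is given explicitly."""
    for arch in _ARCHES:
        if nvr.endswith("." + arch):
            nvr = nvr[: -len(arch) - 1]
            break
    name, version, release = nvr.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, epoch, version, release


def evr_cmp(nvr_a: str, nvr_b: str) -> int:
    """Compare two NVRs of the same package by (epoch, version, release)."""
    na, ea, va, ra = parse_nvr(nvr_a)
    nb, eb, vb, rb = parse_nvr(nvr_b)
    if na != nb:
        raise ValueError(f"different packages: {na} vs {nb}")
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_affected(installed_nvr: str) -> bool:
    """True if the installed openssl build is older than the fixed build."""
    return evr_cmp(installed_nvr, FIXED_NVR) < 0


def fips_mode_enabled(path: str = "/proc/sys/crypto/fips_enabled") -> bool:
    """Kernel FIPS flag; RHEL's openssl enters FIPS mode on its own when it is 1."""
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except OSError:
        return False


if __name__ == "__main__":
    import subprocess
    # On the reporter's host "rpm -q openssl" printed openssl-1.1.1g-12.el8_3.x86_64.
    installed = subprocess.run(["rpm", "-q", "openssl"], capture_output=True,
                               text=True, check=True).stdout.strip()
    print(f"{installed}: {'affected' if is_affected(installed) else 'fixed'}, "
          f"FIPS mode {'on' if fips_mode_enabled() else 'off'}")
```

Where this reports an affected build with FIPS mode on, the Doc Text's advice applies: remove the FIPS_selftest() call from the application rather than trying to make it pass, since the library already runs its self-tests on its own once it detects FIPS mode.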

Comment 18 errata-xmlrpc 2021-11-09 19:44:31 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: openssl security and bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4424