Bug 1978628
Summary: | rhel9 fips mode is non-function with openssl-3 | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 9 | Reporter: | Vladis Dronov <vdronov> |
Component: | openssl | Assignee: | Sahana Prasad <sahana> |
Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
Severity: | urgent | Docs Contact: | |
Priority: | urgent | ||
Version: | 9.0 | CC: | jpazdziora, sahana, vpolasek |
Target Milestone: | beta | Keywords: | Triaged |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Last Closed: | 2021-07-02 13:19:54 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Description
Vladis Dronov
2021-07-02 11:02:03 UTC
1) This definitely is a blocker, setting blocker?.

2) a system can be configured for the FIPS mode with:

```
# rpm -qf $(command -v fips-mode-setup)
crypto-policies-scripts-20210218-2.git2246c55.el9.noarch

# fips-mode-setup
Check, enable, or disable the system FIPS mode.
usage: /usr/bin/fips-mode-setup --enable|--disable [--no-bootcfg]
usage: /usr/bin/fips-mode-setup --check
usage: /usr/bin/fips-mode-setup --is-enabled
```

3) an exact list of installed packages:

```
# dnf upgrade openssl
Last metadata expiration check: 0:03:23 ago on Fri 02 Jul 2021 12:47:01 CEST.
Dependencies resolved.
======================================================================================
Package Arch Version Repository Size
======================================================================================
Upgrading:
coreutils x86_64 8.32-28.el9 rhel9blc-bad-baseos 1.1 M
coreutils-common x86_64 8.32-28.el9 rhel9blc-bad-baseos 2.0 M
cryptsetup-libs x86_64 2.3.6-2.el9 rhel9blc-bad-baseos 492 k
git-core x86_64 2.31.1-2.el9.1 rhel9blc-bad-appstream 3.6 M
ima-evm-utils x86_64 1.3.2-4.el9 rhel9blc-bad-baseos 63 k
kmod x86_64 28-4.el9 rhel9blc-bad-baseos 125 k
kmod-libs x86_64 28-4.el9 rhel9blc-bad-baseos 65 k
krb5-libs x86_64 1.19.1-8.el9 rhel9blc-bad-baseos 744 k
libarchive x86_64 3.5.1-6.el9 rhel9blc-bad-baseos 394 k
libcurl x86_64 7.76.1-6.el9 rhel9blc-bad-baseos 291 k
libdnf x86_64 0.63.0-1.el9 rhel9blc-bad-baseos 645 k
libdnf-plugin-subscription-manager x86_64 1.29.12-2.el9 rhel9blc-bad-baseos 59 k
libevent x86_64 2.1.12-5.el9 rhel9blc-bad-baseos 270 k
libfido2 x86_64 1.6.0-6.el9 rhel9blc-bad-baseos 73 k
librepo x86_64 1.14.0-3.el9 rhel9blc-bad-baseos 93 k
librhsm x86_64 0.0.3-6.el9 rhel9blc-bad-baseos 36 k
libssh x86_64 0.9.5-5.el9 rhel9blc-bad-baseos 212 k
libssh-config noarch 0.9.5-5.el9 rhel9blc-bad-baseos 12 k
libsss_certmap x86_64 2.5.1-2.el9 rhel9blc-bad-baseos 72 k
libsss_idmap x86_64 2.5.1-2.el9 rhel9blc-bad-baseos 41 k
libsss_nss_idmap x86_64 2.5.1-2.el9 rhel9blc-bad-baseos 43 k
openldap x86_64 2.4.57-5.el9 rhel9blc-bad-baseos 264 k
openssh x86_64 8.6p1-5.el9.1 rhel9blc-bad-baseos 448 k
openssh-clients x86_64 8.6p1-5.el9.1 rhel9blc-bad-baseos 689 k
openssh-server x86_64 8.6p1-5.el9.1 rhel9blc-bad-baseos 458 k
openssl x86_64 1:3.0.0-0.alpha16.4.el9 rhel9blc-bad-baseos 1.0 M
openssl-devel x86_64 1:3.0.0-0.alpha16.4.el9 rhel9blc-bad-appstream 2.3 M
openssl-libs x86_64 1:3.0.0-0.alpha16.4.el9 rhel9blc-bad-baseos 2.1 M
openssl-pkcs11 x86_64 0.4.11-6.el9 rhel9blc-bad-baseos 76 k
perl-Net-SSLeay x86_64 1.90-5.el9 rhel9blc-bad-appstream 357 k
python-unversioned-command noarch 3.9.5-6.el9 rhel9blc-bad-appstream 13 k
python3 x86_64 3.9.5-6.el9 rhel9blc-bad-baseos 30 k
python3-devel x86_64 3.9.5-6.el9 rhel9blc-bad-appstream 208 k
python3-hawkey x86_64 0.63.0-1.el9 rhel9blc-bad-baseos 117 k
python3-libdnf x86_64 0.63.0-1.el9 rhel9blc-bad-baseos 799 k
python3-librepo x86_64 1.14.0-3.el9 rhel9blc-bad-baseos 53 k
python3-libs x86_64 3.9.5-6.el9 rhel9blc-bad-baseos 7.4 M
python3-rpm x86_64 4.16.1.3-1.el9.2 rhel9blc-bad-baseos 98 k
python3-subscription-manager-rhsm x86_64 1.29.12-2.el9 rhel9blc-bad-baseos 141 k
python3-unbound x86_64 1.13.1-7.el9 rhel9blc-bad-appstream 103 k
rng-tools x86_64 6.13-2.el9 rhel9blc-bad-baseos 64 k
rpm x86_64 4.16.1.3-1.el9.2 rhel9blc-bad-baseos 501 k
rpm-build x86_64 4.16.1.3-1.el9.2 rhel9blc-bad-appstream 98 k
rpm-build-libs x86_64 4.16.1.3-1.el9.2 rhel9blc-bad-baseos 97 k
rpm-libs x86_64 4.16.1.3-1.el9.2 rhel9blc-bad-baseos 319 k
rpm-plugin-selinux x86_64 4.16.1.3-1.el9.2 rhel9blc-bad-baseos 22 k
rpm-plugin-systemd-inhibit x86_64 4.16.1.3-1.el9.2 rhel9blc-bad-appstream 22 k
rpm-sign-libs x86_64 4.16.1.3-1.el9.2 rhel9blc-bad-baseos 26 k
rsync x86_64 3.2.3-8.el9 rhel9blc-bad-baseos 394 k
sssd-client x86_64 2.5.1-2.el9 rhel9blc-bad-baseos 125 k
sssd-common x86_64 2.5.1-2.el9 rhel9blc-bad-baseos 1.5 M
sssd-kcm x86_64 2.5.1-2.el9 rhel9blc-bad-baseos 111 k
subscription-manager-rhsm-certificates x86_64 1.29.12-2.el9 rhel9blc-bad-baseos 42 k
sudo x86_64 1.9.5p2-4.el9 rhel9blc-bad-baseos 1.1 M
sudo-python-plugin x86_64 1.9.5p2-4.el9 rhel9blc-bad-appstream 57 k
systemd x86_64 248-7.el9 rhel9blc-bad-baseos 3.7 M
systemd-libs x86_64 248-7.el9 rhel9blc-bad-baseos 598 k
systemd-pam x86_64 248-7.el9 rhel9blc-bad-baseos 238 k
systemd-rpm-macros noarch 248-7.el9 rhel9blc-bad-baseos 29 k
systemd-udev x86_64 248-7.el9 rhel9blc-bad-baseos 1.4 M
tpm2-tss x86_64 3.0.3-4.el9 rhel9blc-bad-baseos 577 k
trousers x86_64 0.3.15-4.el9 rhel9blc-bad-baseos 147 k
trousers-lib x86_64 0.3.15-4.el9 rhel9blc-bad-baseos 171 k
unbound-libs x86_64 1.13.1-7.el9 rhel9blc-bad-appstream 529 k
zchunk-libs x86_64 1.1.9-4.el9 rhel9blc-bad-baseos 47 k
Installing dependencies:
compat-openssl11 x86_64 1:1.1.1k-1.el9 rhel9blc-bad-baseos 1.5 M

Transaction Summary
======================================================================================
Install 1 Package
Upgrade 65 Packages

Total download size: 40 M
```

though i cannot set ITR here, i'll provide my view on this re: blocker+

> 1. What is the scope of harm if this BZ is not resolved in this release? Reviewers want to know which RHEL features or
> customers are affected and if it will impact any Layered Product or Hardware partner plans.

the whole RHEL9 FIPS mode is affected, we cannot certify RHEL9 for FIPS with this issue.

> 2. What are the risks associated with resolving this BZ? Reviewers want to know the scope of retesting, potential regressions

i do not think there is any risk. as soon as core problem is resolved the system should be functioning again. surely, careful testing is required.

> 3. Provide any other details that meet blocker criteria or should be weighed in making a decision (Other releases affected,
> upstream status, business impacts, etc).

We just cannot release even Beta (this is published to Partners, afaik) with this issue.

*** This bug has been marked as a duplicate of bug 1977318 ***