Bug 2124718

Summary: Allow to run non FIPS algorithm when in FIPS mode
Product: [Fedora] Fedora
Reporter: Marco Fargetta <mfargett>
Component: openssl
Assignee: Dmitry Belyavskiy <dbelyavs>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 36
CC: cllang, crypto-team, dbelyavs, mspacek, mturk, sahana, support.web-tv, tm
Target Milestone: ---
Keywords: FutureFeature, Triaged
Target Release: ---
Flags: fedora-admin-xmlrpc: mirror+
Hardware: Unspecified
OS: Unspecified
Last Closed: 2022-11-28 09:15:21 UTC
Type: Bug

Description Marco Fargetta 2022-09-06 22:30:24 UTC
Description of problem:
I have enabled FIPS mode on Fedora 36, but openssl works with a non-FIPS algorithm.



Version-Release number of selected component (if applicable):

[root@fedora tls]# cat /etc/fedora-release 
Fedora release 36 (Thirty Six)
[root@fedora tls]# rpm -qa|grep openssl
openssl-pkcs11-0.4.11-8.fc36.x86_64
apr-util-openssl-1.6.1-20.fc36.x86_64
xmlsec1-openssl-1.2.33-2.fc36.x86_64
openssl-libs-3.0.5-1.fc36.x86_64
openssl-3.0.5-1.fc36.x86_64



How reproducible:


Steps to Reproduce:

Install F36. Update all the packages.
Move to FIPS mode:
  [root@fedora tls]# fips-mode-setup --enable

Reboot the machine


Actual results:
[root@fedora tls]# fips-mode-setup --check
FIPS mode is enabled.
[root@fedora tls]# openssl md5 openssl.cnf 
MD5(openssl.cnf)= 552242d0f0336fcb0e7697887373332c

Expected results:
(From RHEL9)
[root@localhost tls]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 9.0 (Plow)
[root@localhost tls]# fips-mode-setup --check
FIPS mode is enabled.
[root@localhost tls]# openssl md5 openssl.cnf 
Error setting digest
80EB021DB67F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (MD5 : 97), Properties ()
80EB021DB67F0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:crypto/evp/digest.c:237:



Additional info:

Comment 2 Dmitry Belyavskiy 2022-11-28 09:15:21 UTC
Fixed in rawhide (to be f38)
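
A check for the mismatch reported above, as an added example that is not part of the original bug report or of the Fedora openssl package: it compares the kernel FIPS flag in /proc/sys/crypto/fips_enabled with whether `openssl md5` succeeds in the default library context. The function names and state labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: compare the kernel FIPS flag with what OpenSSL actually does
# when asked for MD5. Function names and state labels are hypothetical.

# Kernel view: 1 when FIPS mode is on, 0 when off, "unknown" if unreadable.
kernel_fips_flag() {
    cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo unknown
}

# OpenSSL view: "rejected" if the MD5 digest cannot be used (the RHEL 9 output
# in the report), "accepted" if it is computed (the Fedora 36 output),
# "unknown" if the openssl binary is not installed.
openssl_md5_result() {
    command -v openssl >/dev/null 2>&1 || { echo unknown; return 0; }
    # Constructed sample input on stdin; only the exit status matters.
    if printf 'constructed sample input' | openssl md5 >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# Pure decision logic: $1 = kernel flag, $2 = MD5 result.
classify_fips_state() {
    case "$1:$2" in
        1:rejected) echo "enforced" ;;
        1:accepted) echo "mismatch" ;;   # the state described in this bug
        1:*)        echo "unknown" ;;
        0:*)        echo "fips-off" ;;
        *)          echo "unknown" ;;
    esac
}

# Prints one summary line; returns non-zero only for the mismatch state.
report_fips_state() {
    flag=$(kernel_fips_flag)
    md5=$(openssl_md5_result)
    state=$(classify_fips_state "$flag" "$md5")
    echo "kernel fips_enabled=$flag openssl md5=$md5 state=$state"
    [ "$state" != "mismatch" ]
}

report_fips_state || echo "WARNING: FIPS mode is on but OpenSSL still computes MD5" >&2
```

A "mismatch" result means the system reports FIPS mode as enabled while the OpenSSL default context still serves a non-approved digest, which is the behaviour this bug tracks.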