Bug 2179331

Summary: In FIPS mode, openssl should indicate that RSA encryption and RSASVE are unapproved
Product: Red Hat Enterprise Linux 9
Reporter: Clemens Lang <cllang>
Component: openssl
Assignee: Clemens Lang <cllang>
Status: CLOSED ERRATA
QA Contact: Alicja Kario <hkario>
Severity: urgent
Docs Contact:
Priority: high
Version: 9.0
CC: cllang, dbelyavs, hkario, ssorce
Target Milestone: rc
Keywords: Triaged, ZStream
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: openssl-3.0.7-17.el9
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 2179379 2179380 2179381
Environment:
Last Closed: 2023-11-07 08:53:05 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2179379, 2179380, 2179381
Attachments:
Description: Reproducer that will print explicit indicators for RSA encryption and decryption
Flags: none
Description: Reproducer that will print explicit indicators for RSASVE
Flags: none

Description Clemens Lang 2023-03-17 12:15:50 UTC
Description of problem:
Our lab tells us that OpenSSL does not fulfill the SP 800-56Br2 requirements for key confirmation, and does not meet the trusted third party requirements specified in section 6.4.2.2. While we do not agree with this assessment, we will for now add an indicator to mark RSA encryption and decryption and RSASVE as unapproved.

Version-Release number of selected component (if applicable):
openssl-3.0.1-46.el9_0

How reproducible:
Check the explicit indicator documented in `fips_module_indicators(7ossl)` for whether it lists RSA encryption and decryption and RSASVE as approved.

Actual results:
Indicator shows that these interfaces are approved.

Expected results:
Indicator shows that these interfaces are unapproved.

Additional info:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Br2.pdf

Comment 5 Clemens Lang 2023-03-21 16:33:24 UTC
Created attachment 1952461
Reproducer that will print explicit indicators for RSA encryption and decryption

Comment 6 Clemens Lang 2023-03-21 16:33:55 UTC
Created attachment 1952462
Reproducer that will print explicit indicators for RSASVE

Comment 17 errata-xmlrpc 2023-11-07 08:53:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (openssl bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6627