Bug 2196876

Summary:	OPENSSL_FORCE_FIPS_MODE=1 doesn't work on my Fedora 37.
Product:	[Fedora] Fedora	Reporter:	Jun Aruga <jaruga>
Component:	openssl	Assignee:	Dmitry Belyavskiy <dbelyavs>
Status:	CLOSED CURRENTRELEASE	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	unspecified
Version:	37	CC:	cllang, crypto-team, dbelyavs, mspacek, mturk, sahana, tm
Target Milestone:	---	Keywords:	Triaged
Target Release:	---
Hardware:	Unspecified
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2023-05-10 15:38:10 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Jun Aruga 2023-05-10 15:22:35 UTC

I noticed that the Fedora downstream feature `OPENSSL_FORCE_FIPS_MODE=1` works to enable FIPS mode on the non-FIPS mode environment in the current Fedora rawhide mock environment. I tested it with my testing program in the <https://github.com/junaruga/openssl-test>.

However I see that the `OPENSSL_FORCE_FIPS_MODE=1` doesn't work with the latest openssl RPM package on Fedora 37, on my local environment.

Is it an expected behavior? Could you tell me which commit is the one to make the `OPENSSL_FORCE_FIPS_MODE=1` work on the rawhide branch of the rpms/openssl dist-git? Do you have a plan to backport the commit to the old Fedora 38, 27 if it is not backported yet?

## Fedora rawhide

```
$ cat /etc/fedora-release 
Fedora release 39 (Rawhide)

$ rpm -q gcc
gcc-13.1.1-1.fc39.x86_64

$ rpm -q openssl openssl-libs openssl-devel
openssl-3.0.8-2.fc39.x86_64
openssl-libs-3.0.8-2.fc39.x86_64
openssl-devel-3.0.8-2.fc39.x86_64
```

```
# fips-mode-setup --check
FIPS mode is disabled.
Initramfs fips module is disabled.
The current crypto policy (DEFAULT) neither is the FIPS policy nor is based on the FIPS policy.
```

```
$ git clone https://github.com/junaruga/openssl-test.git

$ cd openssl-test

$ gcc -lcrypto -o fips_mode fips_mode.c

$ ./fips_mode
Loaded providers:
  default
FIPS mode enabled: 0

$ OPENSSL_FORCE_FIPS_MODE=1 ./fips_mode
Loaded providers:
  default
  fips
  base
FIPS mode enabled: 1
```

## Fedora 37 on my local

```
$ cat /etc/fedora-release 
Fedora release 37 (Thirty Seven)

$ rpm -q gcc
gcc-12.2.1-4.fc37.x86_64

$ rpm -q openssl openssl-libs openssl-devel
openssl-3.0.8-1.fc37.x86_64
openssl-libs-3.0.8-1.fc37.x86_64
openssl-devel-3.0.8-1.fc37.x86_64
```

```
$ sudo fips-mode-setup --check
FIPS mode is disabled.
Initramfs fips module is disabled.
The current crypto policy (DEFAULT) neither is the FIPS policy nor is based on the FIPS policy.
```

```
$ pwd
/home/jaruga/git/openssl-test

$ gcc -lcrypto -o fips_mode fips_mode.c

$ ./fips_mode 
Loaded providers:
  default
FIPS mode enabled: 0

$ OPENSSL_FORCE_FIPS_MODE=1 ./fips_mode
Loaded providers:
  default
FIPS mode enabled: 0
```


Reproducible: Always

Steps to Reproduce:
1. Login to the Fedora 37
2. git clone https://github.com/junaruga/openssl-test.git 
3. cd openssl-test
4. gcc -lcrypto -o fips_mode fips_mode.c
5. OPENSSL_FORCE_FIPS_MODE=1 ./fips_mode



Actual Results:  
```
$ OPENSSL_FORCE_FIPS_MODE=1 ./fips_mode
Loaded providers:
  default
FIPS mode enabled: 0
```


Expected Results:  
```
$ OPENSSL_FORCE_FIPS_MODE=1 ./fips_mode
Loaded providers:
  default
  fips
  base
FIPS mode enabled: 1
```

Comment 1 Clemens Lang 2023-05-10 15:34:11 UTC

The patch in question is 0009-Add-Kernel-FIPS-mode-flag-support.patch.

At the moment, we do not have plans to backport the large number of FIPS patches to F37 due to the large number of them and the effect that would have on existing applications.

Comment 2 Jun Aruga 2023-05-11 14:36:57 UTC

> At the moment, we do not have plans to backport the large number of FIPS patches to F37 due to the large number of them and the effect that would have on existing applications.

Sure. That's okay.

> The patch in question is 0009-Add-Kernel-FIPS-mode-flag-support.patch.

Below are the commits modifying the `0009-Add-Kernel-FIPS-mode-flag-support.patch` file on rawhide. The `0009-Add-Kernel-FIPS-mode-flag-support.patch` also exists in f37 branch too.
Could you tell me which commit is the one to make the `OPENSSL_FORCE_FIPS_MODE=1` work in the 3 commits below?

```
$ git log --pretty=oneline 0009-Add-Kernel-FIPS-mode-flag-support.patch
194ef7464a4a825d24ffce8fb260dd79f95105d7 Rebase to upstream version 3.0.8
080143cbc1510f6f472685e88390b4509abb7365 Sync with RHEL - applying patches
347681c6b246d9b6a08c73bb40e5eefaf8596d71 Rebase to upstream version 3.0.0
```

I want to know what versions of the openssl RPM packages the `OPENSSL_FORCE_FIPS_MODE=1` can work in on rawhide (f39) (and f38).

* rawhide (f39): it works >= `openssl-X.Y.Z-R`
* f38: it works >= `openssl-X.Y.Z-R`
* f37: it doesn't work

There is no difference of the `0009-Add-Kernel-FIPS-mode-flag-support.patch` between f38 and f39 branches.
There is a big difference of the `0009-Add-Kernel-FIPS-mode-flag-support.patch` between f37 and f38 branches.

Comment 3 Clemens Lang 2023-05-11 15:00:13 UTC

It's probably 080143cbc1510f6f472685e88390b4509abb7365, where we applied most of the patches we had for FIPS compliance in RHEL at that time to Fedora.

I'm not entirely sure why you're asking. F37 is not a good platform to test FIPS mode, since it will only have a partial implementation of the limitations now required by FIPS 140-3. If you want to test FIPS mode, use RHEL or Fedora rawhide (although RHEL is still ahead with a few more patches).

Can you elaborate on what your use case is?

Comment 4 Jun Aruga 2023-05-11 15:08:30 UTC

> It's probably 080143cbc1510f6f472685e88390b4509abb7365, where we applied most of the patches we had for FIPS compliance in RHEL at that time to Fedora.

Sure. Thank you for your input.

> I'm not entirely sure why you're asking. F37 is not a good platform to test FIPS mode, since it will only have a partial implementation of the limitations now required by FIPS 140-3. If you want to test FIPS mode, use RHEL or Fedora rawhide (although RHEL is still ahead with a few more patches).
>
> Can you elaborate on what your use case is?

My use case is that I want to test Ruby OpenSSL binding features in the Ruby RPM (rpms/ruby) with OpenSSL RPM enabling FIPS mode in the Fedora's mock environment, and also may test it in the ruby.spec file %check section.
The `OPENSSL_FORCE_FIPS_MODE=1` is a great convenient feature to test with the OpenSSL FIPS mode in Fedora. That's why I needed to know the OpenSSL package versions supporting the `OPENSSL_FORCE_FIPS_MODE=1`.

Comment 5 Clemens Lang 2023-05-11 15:26:06 UTC

4855397272f7585ea8fa9f9659a7d4e410bd7a65 is the first commit that would enable OPENSSL_FORCE_FIPS_MODE. The patch was present before that, but not enabled in openssl.spec.

That would be openssl-3.0.5-3.fc38. I believe that was before F38 was branched, i.e. in rawhide, so any version of OpenSSL on F38 should support OPENSSL_FORCE_FIPS_MODE.

Note that there are a few additional changes in RHEL's FIPS mode that we have not yet ported to Fedora, so be aware that what you're getting might not match what RHEL has. We'll probably fix this in the coming months.

Comment 6 Jun Aruga 2023-05-11 19:56:59 UTC

All right. Thank you for checking the info! It's very helpful!

> Note that there are a few additional changes in RHEL's FIPS mode that we have not yet ported to Fedora, so be aware that what you're getting might not match what RHEL has. We'll probably fix this in the coming months.

Sure. I will keep it in mind.