Bug 618595
Summary: openssl fails on FIPS enabled machine with CPACF

Field | Value | Field | Value
---|---|---|---
Product | Red Hat Enterprise Linux 6 | Reporter | Miroslav Vadkerti <mvadkert>
Component | openssl-ibmca | Assignee | Dan Horák <dhorak>
Status | CLOSED WONTFIX | QA Contact | BaseOS QE Security Team <qe-baseos-security>
Severity | medium | Docs Contact |
Priority | medium | |
Version | 6.0 | CC | creynold, cww, dhorak, gmuelas, omoris, ovasik, rvokal, tmraz
Target Milestone | rc | |
Target Release | --- | |
Hardware | All | |
OS | Linux | |
Whiteboard | | |
Fixed In Version | | Doc Type | Bug Fix
Doc Text | | Story Points | ---
Clone Of | 617239 | Environment |
Last Closed | 2016-08-09 19:23:13 UTC | Type | ---
Regression | --- | Mount Type | ---
Documentation | --- | CRM |
Verified Versions | | Category | ---
oVirt Team | --- | RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | --- | Target Upstream Version |
Embargoed | | |
Bug Depends On | 617239 | |
Bug Blocks | 617227, 691449, 1172231, 1179384, 1269194 | |
Attachments | | |
Created attachment 434657 [details] openssl configuration with enabled IBMCA module

Description of problem: When testing on s390x in FIPS mode on RHEL6, openssl fails. The errors differ when CPACF is enabled/disabled.

# prelink -u -a
# rpm -q openssl
openssl-1.0.0-4.el6.s390x
# ./enable_cpacf
# openssl speed rsa
internal error loading RSA key number 0
2199029471344:error:0406A095:rsa routines:RSA_new_method:non fips method:rsa_lib.c:183:
2199029471344:error:0D079064:asn1 encoding routines:ASN1_ITEM_EX_COMBINE_NEW:aux error:tasn_new.c:221:
2199029471344:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:404:Type=RSA
# ./disable_cpacf
# openssl speed rsa
cmll_fblk.c(65): OpenSSL internal error, assertion failed: CAMELLIA Algorithm forbidden in FIPS mode
Aborted (core dumped)

Redirecting to ibmca, because it's an IBMca hardware-specific bug.

This is not only an s390x-specific problem; it is reproduced on i386. Changing summary.

Changed arch.

Bug 619762 - openssl fails on FIPS enabled machine

Does the error also happen with other, more meaningful commands such as openssl rsa/rsagen/smime or others?

Answering myself: it seems it does affect openssh, according to bug 617227.

*** Bug 617227 has been marked as a duplicate of this bug. ***

If the ibmca engine for openssl and the HW is FIPS certified, then the engine must set the proper flag for its RSA implementation method. (This is the RSA_FLAG_FIPS_METHOD.) If it is not certified, it means the ibmca engine simply has to be disabled and thus not used by the administrator in the FIPS mode.

Hello, at this point in time openssl-ibmca and the underlying crypto HW are not completely FIPS certified, but we are working on it. Till the work is finished we should have in RHEL fips_mode=no and the ibmca engine on. IBM will request (via standard feature request) to RH a change of this setting as soon as we are SW and HW FIPS certified. Kind regards, Gonzalo.

This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. If you would like it considered as an exception in the current release, please ask your support representative.

(In reply to comment #11)
> at this point in time openssl-ibmca and the underlying crypto HW are not
> completely FIPS certified, but we are working on it. Till the work is finished
> we should have in RHEL fips_mode=no and the ibmca engine on. IBM will request (via
> standard feature request) to RH a change of this setting as soon as we are
> SW and HW FIPS certified.

Gonzalo, is there any progress in making the s390 specific crypto modules/libraries FIPS compatible?

Dan, as far as I know, it is still work in progress. As soon as we are SW and HW FIPS certified we will submit a feature request to RH to change this setting. Thank you for asking! Gonzalo.

This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. If you would like it considered as an exception in the current release, please ask your support representative.
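Added example, not part of this bug report or of openssl-ibmca: a host check for the combination the thread says must be avoided until the engine is certified, kernel FIPS mode on while openssl.cnf still initialises the ibmca engine. The config layout (engine_id = ibmca, init = 1) is assumed from the ibmca README, and both input files are constructed samples standing in for /proc/sys/crypto/fips_enabled and the system openssl.cnf.

```shell
#!/bin/sh
# Added example (not from the bug report): report when kernel FIPS mode is on
# while openssl.cnf initialises the ibmca engine. Paths are parameters so the
# check runs on the constructed inputs below as well as on a real host.

# Print the "init" value of the section whose engine_id is ibmca (empty if none).
ibmca_init_value() {
    awk -F= '
        /^[ \t]*\[/ { cur = $0; sub(/^[ \t]*\[/, "", cur); sub(/].*$/, "", cur); next }
        {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "engine_id" && val == "ibmca") ib = cur
            if (key == "init") init[cur] = val
        }
        END { if (ib != "") print init[ib] }
    ' "$1"
}

# Print "conflict" when FIPS mode is enabled and ibmca is initialised, else "ok".
fips_ibmca_check() {
    fips=$(cat "$1" 2>/dev/null)   # /proc/sys/crypto/fips_enabled on a real host
    init=$(ibmca_init_value "$2")
    if [ "$fips" = "1" ] && [ "$init" = "1" ]; then
        echo conflict
    else
        echo ok
    fi
}

# Constructed sample inputs (not from the bug report).
tmp=$(mktemp -d)
echo 1 > "$tmp/fips_enabled"
cat > "$tmp/openssl.cnf" <<'EOF'
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
ibmca = ibmca_section
[ibmca_section]
dynamic_path = /usr/lib64/openssl/engines/libibmca.so
engine_id = ibmca
default_algorithms = ALL
init = 1
EOF

case $(fips_ibmca_check "$tmp/fips_enabled" "$tmp/openssl.cnf") in
    conflict) echo "FIPS mode is on but the ibmca engine is initialised: disable it or set fips_mode=no" ;;
    ok)       echo "no FIPS/ibmca conflict" ;;
esac
```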