Bug 618595

Summary: openssl fails on FIPS enabled machine with CPACF
Product: Red Hat Enterprise Linux 6
Reporter: Miroslav Vadkerti <mvadkert>
Component: openssl-ibmca
Assignee: Dan Horák <dhorak>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Docs Contact:
Priority: medium
Version: 6.0
CC: creynold, cww, dhorak, gmuelas, omoris, ovasik, rvokal, tmraz
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 617239
Environment:
Last Closed: 2016-08-09 19:23:13 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 617239
Bug Blocks: 617227, 691449, 1172231, 1179384, 1269194
Attachments:
  openssl configuration with enabled IBMCA module (flags: none)

Description Miroslav Vadkerti 2010-07-27 10:45:26 UTC
Created attachment 434657 [details]
openssl configuration with enabled IBMCA module

Description of problem:
When testing on s390x in FIPS mode on RHEL6, openssl fails. The errors differ depending on whether CPACF is enabled or disabled:

# prelink -u -a
# rpm -q openssl
openssl-1.0.0-4.el6.s390x
# ./enable_cpacf 
# openssl speed rsa
internal error loading RSA key number 0
2199029471344:error:0406A095:rsa routines:RSA_new_method:non fips method:rsa_lib.c:183:
2199029471344:error:0D079064:asn1 encoding routines:ASN1_ITEM_EX_COMBINE_NEW:aux error:tasn_new.c:221:
2199029471344:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:404:Type=RSA
# ./disable_cpacf 
# openssl speed rsa
cmll_fblk.c(65): OpenSSL internal error, assertion failed: CAMELLIA Algorithm forbidden in FIPS mode
Aborted (core dumped)

Comment 1 Jan F. Chadima 2010-07-28 08:59:52 UTC
Redirecting to ibmca, because it's an IBMca hardware-specific bug.

Comment 3 Jan F. Chadima 2010-07-30 13:04:29 UTC
This is not only an s390x-specific problem; it is reproduced on i386 as well. Changing summary.

Comment 4 Miroslav Vadkerti 2010-07-30 13:11:57 UTC
Changed arch

Comment 6 Miroslav Vadkerti 2010-07-30 13:25:01 UTC
Bug 619762 - openssl fails on FIPS enabled machine

Comment 7 Tomas Mraz 2010-08-02 06:26:35 UTC
Does the error also happen with other, more meaningful commands such as openssl rsa/rsagen/smime or others?

Comment 8 Tomas Mraz 2010-08-02 06:37:35 UTC
Answering myself - it seems it does affect openssh, according to bug 617227.

Comment 9 Tomas Mraz 2010-08-02 12:29:48 UTC
*** Bug 617227 has been marked as a duplicate of this bug. ***

Comment 10 Tomas Mraz 2010-08-02 12:40:06 UTC
If the ibmca engine for openssl and the HW are FIPS certified, then the engine
must set the proper flag on its RSA implementation method. (This is RSA_FLAG_FIPS_METHOD.)

If it is not certified, it means the ibmca engine simply has to be disabled, and thus not used by the administrator, in FIPS mode.
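The check that produced the "RSA_new_method:non fips method:rsa_lib.c:183" line in the description is the gate Tomas describes above. The following is an added, stand-alone model of that gate, written for this page; it is not code from the bug report, from OpenSSL or from openssl-ibmca. The two flag values are the ones defined in OpenSSL 1.0.x <openssl/rsa.h> (both are 0x0400, but one is read from the RSA_METHOD and the other from the RSA object, so they do not collide); the struct, the function name and the two engine method tables are hypothetical stand-ins so the block compiles without libcrypto.

```c
/*
 * Added example, not code from the bug report, OpenSSL or openssl-ibmca.
 * Models the FIPS gate that OpenSSL 1.0.x applies in RSA_new_method():
 * in FIPS mode a method supplied by an engine is accepted only if the
 * engine asserted RSA_FLAG_FIPS_METHOD on it (or the caller opted the
 * object out with RSA_FLAG_NON_FIPS_ALLOW); otherwise the call fails
 * with RSA_R_NON_FIPS_METHOD, which is the error seen in the report.
 */
#include <stdio.h>

/* Flag values as defined in OpenSSL 1.0.x <openssl/rsa.h>. */
#define RSA_FLAG_FIPS_METHOD     0x0400  /* set on the RSA_METHOD by a validated engine */
#define RSA_FLAG_NON_FIPS_ALLOW  0x0400  /* set on an RSA object by the caller */

/* Hypothetical stand-in for the RSA_METHOD fields the gate inspects. */
struct rsa_method {
    const char *name;
    int flags;
};

/*
 * Hypothetical name for the decision inside RSA_new_method().
 * Returns 1 if OpenSSL would accept the method, 0 if it would raise
 * RSA_R_NON_FIPS_METHOD ("non fips method").
 */
int rsa_method_fips_allowed(int fips_mode, const struct rsa_method *meth,
                            int rsa_obj_flags)
{
    if (!fips_mode)
        return 1;                              /* no restriction outside FIPS mode */
    if (meth->flags & RSA_FLAG_FIPS_METHOD)
        return 1;                              /* engine claims a validated method */
    if (rsa_obj_flags & RSA_FLAG_NON_FIPS_ALLOW)
        return 1;                              /* caller explicitly opted this object out */
    return 0;                                  /* what the report's openssl speed hit */
}

/*
 * Two hypothetical engine method tables (not ibmca's): one as an
 * uncertified engine registers it, one as a certified engine would,
 * with the flag set in its RSA_METHOD initialiser.
 */
static const struct rsa_method uncertified_engine_rsa = {
    "hw-engine RSA", 0
};
static const struct rsa_method certified_engine_rsa = {
    "hw-engine RSA (FIPS validated)", RSA_FLAG_FIPS_METHOD
};

/* Walks a list of methods and returns how many FIPS mode would reject. */
int count_rejected_in_fips_mode(const struct rsa_method *const *methods, int n)
{
    int rejected = 0;
    for (int i = 0; i < n; i++)
        if (!rsa_method_fips_allowed(1, methods[i], 0))
            rejected++;
    return rejected;
}

int main(void)
{
    const struct rsa_method *methods[] = {
        &uncertified_engine_rsa, &certified_engine_rsa
    };
    for (int i = 0; i < 2; i++)
        printf("FIPS mode, %-32s -> %s\n", methods[i]->name,
               rsa_method_fips_allowed(1, methods[i], 0)
                   ? "accepted" : "rejected: non fips method");
    printf("%d of 2 methods rejected\n", count_rejected_in_fips_mode(methods, 2));
    return 0;
}
```

The gate is only a self-declaration: an engine that sets RSA_FLAG_FIPS_METHOD silences the error whether or not the hardware and engine have actually been validated, which is why the comment above says the flag belongs only on a certified engine and an uncertified one must instead be left out of the FIPS configuration.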

Comment 11 Gonzalo Muelas Serrano 2010-08-20 14:16:35 UTC
Hello,

At this point in time openssl-ibmca and the underlying crypto HW are not completely FIPS certified, but we are working on it. Until the work is finished we should have fips_mode=no and the ibmca engine on in RHEL. IBM will request from RH (via a standard feature request) a change of this setting as soon as we are FIPS certified with SW and HW.

Kind regards,
Gonzalo.

Comment 13 RHEL Program Management 2011-01-07 16:04:21 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 15 Dan Horák 2011-06-24 15:05:17 UTC
(In reply to comment #11)
> at this point of time is openssl-ibmca and the underlying crypto HW not
> completely FIPS certified, but we are working on it. Till the work is finished
> we should have in RHEL fips_mode=no and ibmca engine on. IBM will request (via
> standard feature request) to RH a change of this setting as soon as we are with
> SW and HW FIPS certified.

Gonzalo, is there any progress in making the s390 specific crypto modules/libraries FIPS compatible?

Comment 16 Gonzalo Muelas Serrano 2011-06-27 10:50:41 UTC
Dan, as far as I know, it is still work in progress. As soon as we are FIPS certified with SW and HW we will submit a feature request to RH to change this setting.
Thank you for asking!
Gonzalo.

Comment 18 Suzanne Logcher 2012-02-14 23:01:10 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.