Bug 695693

Summary: [openssl] bind mounts allow FIPS mode checks to be bypassed
Product: [Fedora] Fedora Reporter: Bryn M. Reeves <bmr>
Component: opensslAssignee: Steve Grubb <sgrubb>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 695694 (view as bug list) Environment:
Last Closed: 2011-07-26 10:49:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Bryn M. Reeves 2011-04-12 12:48:01 UTC 
Description of problem:
The procfs file /proc/sys/crypto/fips_enabled is used to gate FIPS-compliant behaviour in userspace cryptography libraries.

When set to '1' during boot the kernel will reject attempts to write to this file as it is created with mode 0444.

A malicious administrator can bind mount a file containing a single '0' over this path causing userspace libraries to incorrectly behave as though FIPS was not enabled.

Version-Release number of selected component (if applicable):
openssl-1.0.0d-2.fc16 and earlier

How reproducible:
100%

Steps to Reproduce:
1. echo 0 > /tmp/my_fips_enabled
2. mount --bind /tmp/my_fips_enabled /proc/sys/crypto/fips_enabled
3. cat /proc/sys/crypto/fips_enabled
4. <do something forbidden in FIPS e.g. openssl md5 digest>
  
Actual results:
3. # cat /proc/sys/crypto/fips_enabled
0
4. FIPS forbidden operations work

Expected results:
4. FIPS forbidden operations fail

Additional info:
Comment 1 Tomas Mraz 2011-04-12 13:35:12 UTC 
I do not think this is something that the library can guard against. There is a myriad of ways how to bypass the FIPS mode if especially (but not exclusively) the administrator wants to.
Comment 2 Bryn M. Reeves 2011-04-12 16:27:00 UTC 
Agreed - I noticed this last week (while testing FIPS changes for sos) and mentioned it to sgrubb who asked me to file a bug. Apparently since then it's been discussed on the FIPS list with the conclusion that this is hard if not impossible to avoid. Am happy with whatever disposition the relevant folks have for this bz ;)