Hide Forgot
Created attachment 794252 [details] Reproducer Description of problem: Net-SNMP uses OpenSSL EVP API without calling OpenSSL_add_all_digests() or similar function and it is able to compute MD5 hashes in FIPS mode. See attached reproducer. Version-Release number of selected component (if applicable): openssl-1.0.0-27.el6.2.x86_64 How reproducible: always Steps to Reproduce: 1. enable FIPS mode 2. gcc -o test test.c -lssl -lcrypto 3. ./test Actual results: OpenSSL computes MD5 digest of something. Expected results: EVP_DigestInit_ex failed, MD5 not found. Additional info: EVP_DigestInit_ex() correctly fails if OpenSSL_add_all_digests() is called before. man 3 EVP_DigestInit mentions that OpenSSL_add_all_digests() is necessary only when EVP_get_digestbyname(), EVP_get_digestbynid() or EVP_get_digestbyobj() are used and they are not in my reproducer (and in Net-SNMP). EVP_DigestInit_ex() should either fail if OpenSSL was not initialized properly or it should attempt to initialize by itself. Computing MD5 in FIPS mode is IMHO wrong.
You have to call the OpenSSL_add_all_digests or similar initialization function otherwise you're outside of the OpenSSL FIPS module policy. Another thing is that due to a new NIST guidance the new validation of OpenSSL will require to initialize the FIPS mode without this call directly from library constructor which means that in RHEL-6.5 this call will not be necessary. But anyway this is not a bug in OpenSSL.