Bug 1940085 - FIPS_selftest() fails in FIPS mode.
Summary: FIPS_selftest() fails in FIPS mode.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: openssl
Version: 8.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Dmitry Belyavskiy
QA Contact: Hubert Kario
URL:
Whiteboard:
Depends On:
Blocks: 1969692
Reported: 2021-03-17 15:08 UTC by Martin Poole
Modified: 2021-11-10 08:47 UTC (History)

Fixed In Version: openssl-1.1.1k-3.el8
Doc Type: Bug Fix
Doc Text:
Cause: The FIPS_selftest() library call tries to perform operations that are forbidden for a library working in FIPS mode.
Consequence: Application calling the method fails FIPS_selftest and reports error or crashes.
Fix: FIPS_selftest() updated to perform only operations allowed in FIPS mode. Please note that FIPS_selftest() is not a part of API of the current FIPS module. Calling it is not necessary for FIPS compliance. OpenSSL automatically performs self-tests when it detects that the system is running in FIPS mode.
Result: Applications that call FIPS_selftest() no longer crash.
Clone Of:
: 1969692
Environment:
Last Closed: 2021-11-09 19:44:31 UTC
Type: Bug
Target Upstream Version:


Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHSA-2021:4424 | 0 | None | None | None | 2021-11-09 19:45:06 UTC

Description Martin Poole 2021-03-17 15:08:45 UTC
Description of problem:

The FIPS_selftest() routine fails if the system is in FIPS mode.


Version-Release number of selected component (if applicable):

openssl-1.1.1g-12.el8_3.x86_64

How reproducible:

Always.

Steps to Reproduce:

#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/fips.h>
#include <openssl/err.h>
int main(int argc, char *argv[])
{
   fprintf(stderr,"Startup\n");
   fprintf(stderr,"all algos added\n");
   if(FIPS_mode())
      fprintf(stderr,"FIPS mode already set.\n");
   else {
      fprintf(stderr,"Not to set FIPS mode...\n");
   }
   fprintf(stderr,"Attempt FIPS self tests...\n");
   if (FIPS_selftest()) {
      fprintf(stderr,"FIPS self tests succeeded.\n");
   }
   else {
      fprintf(stderr,"ERROR: FIPS self tests failed.\n");
      ERR_print_errors_fp(stderr);
   }
   return 0;
}


Actual results:

Startup
all algos added
FIPS mode already set.
Attempt FIPS self tests...
ERROR: FIPS self tests failed.
139731764220864:error:0607B0C8:digital envelope routines:EVP_CipherInit_ex:disabled for FIPS:crypto/evp/evp_enc.c:226:
139731764220864:error:2D06F065:FIPS routines:func(111):reason(101):crypto/fips/fips_des_selftest.c:129:


Expected results:

self tests should succeed.

Additional info:

The failure seems to stem from the presence of the 2-Key 3DES test in FIPS_selftest_des().

From the flags in crypto/evp/e_des3.c that particular cipher is not marked as FIPS.
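
The following added example is not part of the report and is not OpenSSL or Red Hat code. It parses the two error-queue lines shown under "Actual results", unpacks each hex code using the OpenSSL 1.1.1 layout (8-bit library, 12-bit function, 12-bit reason), and picks out the entry refused with "disabled for FIPS". The names parse_ossl_err, first_fips_refusal and struct ossl_err are illustrative.

```c
#include <stdio.h>
#include <string.h>
/* Illustrative names (not OpenSSL API). One ERR_print_errors_fp() line in
 * OpenSSL 1.1.1: tid:error:CODE:library:function:reason:file:line:data */
struct ossl_err {
    unsigned long code;          /* packed error code, printed as hex */
    unsigned lib, func, reason;  /* fields unpacked from code */
    char reason_text[64], file[96];
    int line;
};

/* Parse one line; returns 0 on success, -1 if the layout does not match. */
int parse_ossl_err(const char *s, struct ossl_err *e)
{
    char lib_text[64], func_text[64];
    memset(e, 0, sizeof *e);
    if (sscanf(s, "%*[0-9]:error:%lx:%63[^:\n]:%63[^:\n]:%63[^:\n]:%95[^:\n]:%d",
               &e->code, lib_text, func_text, e->reason_text, e->file, &e->line) != 6)
        return -1;
    /* 1.1.1 packing: 8 bits library, 12 bits function, 12 bits reason. */
    e->lib    = (unsigned)((e->code >> 24) & 0xFF);
    e->func   = (unsigned)((e->code >> 12) & 0xFFF);
    e->reason = (unsigned)(e->code & 0xFFF);
    return 0;
}

/* The queue prints oldest first: return 1 with the first FIPS refusal in *out. */
int first_fips_refusal(const char *log, struct ossl_err *out)
{
    for (const char *p = log; p && *p; ) {
        if (parse_ossl_err(p, out) == 0 &&
            strcmp(out->reason_text, "disabled for FIPS") == 0)
            return 1;
        if ((p = strchr(p, '\n')) != NULL) p++;
    }
    return 0;
}

static const char REPORT_LOG[] =  /* the two error lines from the report */
    "139731764220864:error:0607B0C8:digital envelope routines:EVP_CipherInit_ex:disabled for FIPS:crypto/evp/evp_enc.c:226:\n"
    "139731764220864:error:2D06F065:FIPS routines:func(111):reason(101):crypto/fips/fips_des_selftest.c:129:\n";

int main(void)
{
    struct ossl_err e;
    if (first_fips_refusal(REPORT_LOG, &e))
        printf("refused: %s:%d lib=%u func=%u reason=%u\n", e.file, e.line, e.lib, e.func, e.reason);
    return 0;
}
```

For the second line the unpacked function and reason are 111 and 101, the same numbers the library printed as func(111) and reason(101), which is how it renders fields it has no string for.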

Comment 18 errata-xmlrpc 2021-11-09 19:44:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: openssl security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4424

