Bug 2124718 - Allow to run non FIPS algorithm when in FIPS mode
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: openssl
Version: 36
Hardware: Unspecified
OS: Unspecified
Assignee: Dmitry Belyavskiy
QA Contact: Fedora Extras Quality Assurance
Reported: 2022-09-06 22:30 UTC by Marco Fargetta
Modified: 2022-11-28 09:15 UTC
Last Closed: 2022-11-28 09:15:21 UTC
Type: Bug
Links: Red Hat Issue Tracker FC-599 (Private: 0, Priority: None, Status: None, Summary: None, Last Updated: 2022-09-06 22:42:17 UTC)

Description Marco Fargetta 2022-09-06 22:30:24 UTC
Description of problem:
I have enabled FIPS mode on Fedora 36, but openssl works with non-FIPS algorithms.



Version-Release number of selected component (if applicable):

[root@fedora tls]# cat /etc/fedora-release 
Fedora release 36 (Thirty Six)
[root@fedora tls]# rpm -qa|grep openssl
openssl-pkcs11-0.4.11-8.fc36.x86_64
apr-util-openssl-1.6.1-20.fc36.x86_64
xmlsec1-openssl-1.2.33-2.fc36.x86_64
openssl-libs-3.0.5-1.fc36.x86_64
openssl-3.0.5-1.fc36.x86_64



How reproducible:


Steps to Reproduce:

Install F36. Update all the packages. 
Move to fips mode
  [root@fedora tls]# fips-mode-setup --enable

Reboot the machine


Actual results:
[root@fedora tls]# fips-mode-setup --check
FIPS mode is enabled.
[root@fedora tls]# openssl md5 openssl.cnf 
MD5(openssl.cnf)= 552242d0f0336fcb0e7697887373332c

Expected results:
(From RHEL9)
[root@localhost tls]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 9.0 (Plow)
[root@localhost tls]# fips-mode-setup --check
FIPS mode is enabled.
[root@localhost tls]# openssl md5 openssl.cnf 
Error setting digest
80EB021DB67F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (MD5 : 97), Properties ()
80EB021DB67F0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:crypto/evp/digest.c:237:



Additional info:

Comment 2 Dmitry Belyavskiy 2022-11-28 09:15:21 UTC
Fixed in rawhide (to be f38)
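
A functional check for the mismatch reported in this bug, as an added example that is not part of the original report or of the openssl package: it compares the FIPS flag with whether `openssl md5` still produces a digest. The function name `fips_md5_verdict` and its verdict labels are hypothetical, and `/proc/sys/crypto/fips_enabled` is assumed to be the kernel FIPS flag file.

```shell
#!/bin/sh
# Added example (not from the bug report): compare the FIPS flag with what
# openssl actually does, since the report shows the two can disagree.
# Assumption: /proc/sys/crypto/fips_enabled holds 1 when FIPS mode is on.

# fips_md5_verdict [flag_file] [openssl_command]
# Prints one verdict (hypothetical labels) and always returns 0:
#   FIPS_OFF      flag is not 1, so MD5 being available is expected
#   ENFORCED      flag is 1 and the MD5 digest was refused (RHEL 9 output above)
#   NOT_ENFORCED  flag is 1 but MD5 still produced a digest (Fedora 36 output above)
#   UNKNOWN       flag file unreadable or openssl command not found
fips_md5_verdict() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    openssl_cmd="${2:-openssl}"

    [ -r "$flag_file" ] || { echo UNKNOWN; return 0; }
    flag=$(cat "$flag_file")
    if [ "$flag" != "1" ]; then
        echo FIPS_OFF
        return 0
    fi

    command -v "$openssl_cmd" >/dev/null 2>&1 || { echo UNKNOWN; return 0; }

    # Same probe as the report, but on a constant string from stdin so the
    # result does not depend on any file being present.
    if printf 'fips-probe' | "$openssl_cmd" md5 >/dev/null 2>&1; then
        echo NOT_ENFORCED
    else
        echo ENFORCED
    fi
}

# Run against the live system when executed directly.
fips_md5_verdict
```

In a compliance check, treat `NOT_ENFORCED` as a failure even though `fips-mode-setup --check` reports that FIPS mode is enabled.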

