2124718 – Allow to run non FIPS algorithm when in FIPS mode

Bug 2124718 - Allow to run non FIPS algorithm when in FIPS mode

Summary: Allow to run non FIPS algorithm when in FIPS mode

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	openssl
Sub Component:
Version:	36
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Dmitry Belyavskiy
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-09-06 22:30 UTC by Marco Fargetta
Modified:	2022-11-28 09:15 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-11-28 09:15:21 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	FC-599	0	None	None	None	2022-09-06 22:42:17 UTC

Description Marco Fargetta 2022-09-06 22:30:24 UTC

Description of problem:
I have enabled FIPS mode on a Fedora 36 but openssl works with non FIPS algorithm.



Version-Release number of selected component (if applicable):

[root@fedora tls]# cat /etc/fedora-release 
Fedora release 36 (Thirty Six)
[root@fedora tls]# rpm -qa|grep openssl
openssl-pkcs11-0.4.11-8.fc36.x86_64
apr-util-openssl-1.6.1-20.fc36.x86_64
xmlsec1-openssl-1.2.33-2.fc36.x86_64
openssl-libs-3.0.5-1.fc36.x86_64
openssl-3.0.5-1.fc36.x86_64



How reproducible:


Steps to Reproduce:

Install F36. Update all the packages. 
Move to fips mode
  [root@fedora tls]# fips-mode-setup --enable

Reboot the machine


Actual results:
[root@fedora tls]# fips-mode-setup --check
FIPS mode is enabled.
[root@fedora tls]# openssl md5 openssl.cnf 
MD5(openssl.cnf)= 552242d0f0336fcb0e7697887373332c

Expected results:
(From RHEL9)
[root@localhost tls]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 9.0 (Plow)
[root@localhost tls]# fips-mode-setup --check
FIPS mode is enabled.
[root@localhost tls]# openssl md5 openssl.cnf 
Error setting digest
80EB021DB67F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (MD5 : 97), Properties ()
80EB021DB67F0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:crypto/evp/digest.c:237:



Additional info:

Comment 1 Clemens Lang 2022-09-07 08:39:26 UTC

That's expected with openssl-3.0.5-1.fc36.x86_64; it doesn't support FIPS mode.

Backports of
 - https://src.fedoraproject.org/rpms/openssl/c/080143cbc1510f6f472685e88390b4509abb7365?branch=rawhide
 - https://src.fedoraproject.org/rpms/openssl/c/89541c6ea482836e9dd91ac6afd7755cb7f32516?branch=rawhide and
 - https://src.fedoraproject.org/rpms/openssl/c/4855397272f7585ea8fa9f9659a7d4e410bd7a65?branch=rawhide
are needed to fix this.

Comment 2 Dmitry Belyavskiy 2022-11-28 09:15:21 UTC

Fixed in rawhide (to be f38)

Note You need to log in before you can comment on or make changes to this bug.