Red Hat Bugzilla – Bug 610989
Please clarify status of FIPS mode in Fedora openssl
Last modified: 2010-07-07 04:08:58 EDT
We appear to be heavily patching openssl to add FIPS mode:
I am attempting to fix a segfault seen in Python's hashlib module with FIPS mode enabled (see bug 563986, which is marked as RHEL6, but I can reproduce it fine on Fedora 13). See http://bugs.python.org/issue9146 for more details.
However, vanilla openssl-1.0.0 doesn't seem to have FIPS mode. It looks like we have a backport of this from a later version of openssl.
Please can you clarify which upstream version of openssl I should point Python upstream in, regarding http://bugs.python.org/issue9146
You should be able to reproduce the problem on the upstream 0.9.8 version if it is compiled with the upstream FIPS validated openssl module support.
Our FIPS patch differs in some aspects from the upstream FIPS support but this problem should be reproducible with it. However, for the upstream openssl FIPS mode to be activated, FIPS_mode_set(1); has to be called after the OpenSSL library is initialized. This is one of the places where our FIPS module differs, as it automatically initializes the FIPS mode in case the kernel FIPS mode flag is set.
Our FIPS patch is not a backport as there is no FIPS validation support in later versions of openssl. It is rather a forward port from the 0.9.8 branch with substantial changes such as the one mentioned above.
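An added example, not part of the bug thread or of Fedora's or Python's code: a way for a Python caller to read the kernel FIPS flag discussed above and to probe which hashlib digests the linked OpenSSL will actually construct before relying on one. Assumptions: the flag is exposed at /proc/sys/crypto/fips_enabled, current Python reports a refused digest as ValueError, and the function names are hypothetical.

```python
import hashlib

# Assumption: the Linux kernel exposes its FIPS flag at this path (not given on the page).
KERNEL_FIPS_FLAG = "/proc/sys/crypto/fips_enabled"


def kernel_fips_enabled(path=KERNEL_FIPS_FLAG):
    """Return True only if the flag file exists and contains '1'."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        # No flag file (non-Linux host, restricted /proc): treat as not enabled.
        return False


def probe_digests(names):
    """Map each digest name to True if hashlib can construct and finalize it.

    Assumption: a FIPS-enforcing OpenSSL refuses non-approved digests such
    as md5, and current Python surfaces that refusal as ValueError.
    """
    result = {}
    for name in names:
        try:
            hashlib.new(name, b"probe").hexdigest()
            result[name] = True
        except ValueError:
            result[name] = False
    return result


def pick_digest(preferred, path=KERNEL_FIPS_FLAG):
    """Return the first usable digest; drop md5 up front when the kernel flag is set."""
    if kernel_fips_enabled(path):
        preferred = [n for n in preferred if n != "md5"]
    usable = probe_digests(preferred)
    for name in preferred:
        if usable[name]:
            return name
    raise RuntimeError("no usable digest among %r" % (preferred,))


if __name__ == "__main__":
    print("kernel FIPS flag set:", kernel_fips_enabled())
    print("digest probe:", probe_digests(["md5", "sha1", "sha256"]))
    print("selected:", pick_digest(["md5", "sha256"]))
```

The probe exercises the digest once in a controlled place, so a library that rejects it fails there instead of deep inside application code.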