Bug 610989 - Please clarify status of FIPS mode in Fedora openssl
Summary: Please clarify status of FIPS mode in Fedora openssl
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: openssl
Version: 13
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-07-03 00:09 UTC by Dave Malcolm
Modified: 2010-07-07 08:08 UTC (History)
1 user (show)

(edit)
Clone Of:
(edit)
Last Closed: 2010-07-07 08:08:58 UTC


Attachments (Terms of Use)

Description Dave Malcolm 2010-07-03 00:09:52 UTC
We appear to be heavily patching openssl to add FIPS mode:

I am attempting to fix a segfault seen in Python's hashlib module with FIPS mode enabled (see bug 563986, which is marked as RHEL6, but I can reproduce it fine on Fedora 13).  See http://bugs.python.org/issue9146 for more details.

However vanilla openssl-1.0.0 doesn't seem to have FIPS mode.  It looks like we have a backport of this from a later version of openssl.

Please can you clarify which upstream version of openssl I should point Python upstream in, regarding http://bugs.python.org/issue9146

Thanks!

Comment 1 Tomas Mraz 2010-07-07 08:08:58 UTC
You should be able to reproduce the problem on upstream 0.9.8 version if it is compiled with the upstream FIPS validated openssl module support.

Our FIPS patch differs in some aspects from the upstream FIPS support but this problem should be reproduceable with it. However for the upstream openssl FIPS mode to be activated the FIPS_mode_set(1); has to be called after OpenSSl library is initialized. This is one of places where our FIPS module differs as it automatically initializes the FIPS mode in case the kernel FIPS mode flag is set.

Our FIPS patch is not a backport as there is no FIPS validation support in later versions of openssl. It is rather a forward port from the 0.9.8 branch with substantial changes such as the one mentioned above.


Note You need to log in before you can comment on or make changes to this bug.