Bug 610989 - Please clarify status of FIPS mode in Fedora openssl
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: openssl
Version: 13
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks:
Reported: 2010-07-02 20:09 EDT by Dave Malcolm
Modified: 2010-07-07 04:08 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-07-07 04:08:58 EDT
Type: ---
Regression: ---


Attachments: None
Description Dave Malcolm 2010-07-02 20:09:52 EDT
We appear to be heavily patching openssl to add FIPS mode:

I am attempting to fix a segfault seen in Python's hashlib module with FIPS mode enabled (see bug 563986, which is marked as RHEL6, but I can reproduce it fine on Fedora 13).  See http://bugs.python.org/issue9146 for more details.

However vanilla openssl-1.0.0 doesn't seem to have FIPS mode.  It looks like we have a backport of this from a later version of openssl.

Please can you clarify which upstream version of openssl I should point Python upstream at, regarding http://bugs.python.org/issue9146

Thanks!
Comment 1 Tomas Mraz 2010-07-07 04:08:58 EDT
You should be able to reproduce the problem on the upstream 0.9.8 version if it is compiled with the upstream FIPS-validated openssl module support.

Our FIPS patch differs in some aspects from the upstream FIPS support, but this problem should be reproducible with it. However, for the upstream openssl FIPS mode to be activated, FIPS_mode_set(1) has to be called after the OpenSSL library is initialized. This is one of the places where our FIPS module differs, as it automatically initializes the FIPS mode in case the kernel FIPS mode flag is set.

Our FIPS patch is not a backport, as there is no FIPS validation support in later versions of openssl. It is rather a forward port from the 0.9.8 branch, with substantial changes such as the one mentioned above.

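As an added example for readers of this thread (not code from the bug, from Fedora's openssl patch, or from Python's hashlib), the following Python helper shows the two behaviours Comment 1 contrasts from the application side: consulting the kernel FIPS flag that the Fedora patch reads at initialization, and requesting a digest without assuming that OpenSSL's digest initialization succeeded, so that an algorithm refused in FIPS mode surfaces as a clear exception instead of an unchecked failure. Assumptions not stated in the bug: the kernel flag is assumed to live at /proc/sys/crypto/fips_enabled and read "1" when FIPS mode is on, and hashlib is assumed to raise ValueError when OpenSSL refuses an algorithm; the function and exception names are this example's own.

```python
"""Detect kernel FIPS mode and request OpenSSL digests defensively.

Added example for bug 610989; not code from Fedora's openssl patch or
from Python's hashlib.  Assumptions (not stated in the bug report):
  - the kernel flag lives at /proc/sys/crypto/fips_enabled and reads "1"
    when FIPS mode is enabled (assumed path);
  - hashlib raises ValueError when OpenSSL refuses to initialize a digest.
"""
import hashlib

KERNEL_FIPS_FLAG = "/proc/sys/crypto/fips_enabled"  # assumed path


def parse_fips_flag(text):
    """Interpret the raw sysctl text: exactly "1" means FIPS mode is on."""
    return text.strip() == "1"


def kernel_fips_enabled(path=KERNEL_FIPS_FLAG):
    """Return True when the kernel reports FIPS mode.

    A missing or unreadable flag file is treated as "not enabled", which
    matches what a userspace library can reasonably conclude on a kernel
    without the flag.
    """
    try:
        with open(path) as fh:
            return parse_fips_flag(fh.read())
    except OSError:
        return False


class DigestUnavailable(RuntimeError):
    """Raised when OpenSSL refuses the requested digest (e.g. MD5 in FIPS mode)."""


def new_digest(name, data=b""):
    """Construct a hashlib object for `name` without assuming success.

    hashlib wraps OpenSSL's EVP digest calls and raises ValueError when the
    digest cannot be initialized; turn that into an error that names the
    algorithm and the FIPS state rather than letting the caller continue
    with an object that was never set up.
    """
    try:
        h = hashlib.new(name)
    except ValueError as exc:
        raise DigestUnavailable(
            f"digest {name!r} unavailable (kernel FIPS mode: "
            f"{kernel_fips_enabled()}): {exc}") from exc
    h.update(data)
    return h


def probe_digests(names):
    """Return {name: bool} telling which digests OpenSSL will initialize here."""
    result = {}
    for n in names:
        try:
            new_digest(n)
            result[n] = True
        except DigestUnavailable:
            result[n] = False
    return result


if __name__ == "__main__":
    # Quick report for the host this runs on.
    print("kernel FIPS mode:", kernel_fips_enabled())
    for name, ok in probe_digests(["md5", "sha1", "sha256"]).items():
        print(f"{name:8s} {'available' if ok else 'refused'}")
```

Running the module on a FIPS-enabled Fedora host is expected to report md5 as refused while sha256 stays available; the point of `new_digest` is that the refusal is reported rather than silently carried forward into later digest operations.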