Bug 618595 - openssl fails on FIPS enabled machine with CPACF
Summary: openssl fails on FIPS enabled machine with CPACF
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openssl-ibmca
Version: 6.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Dan Horák
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Duplicates: 617227 (view as bug list)
Depends On: 617239
Blocks: 617227 BaseOS-FIPS-Tracker 1172231 1179384 1269194
 
Reported: 2010-07-27 10:45 UTC by Miroslav Vadkerti
Modified: 2019-05-20 11:00 UTC
CC List: 8 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 617239
Environment:
Last Closed: 2016-08-09 19:23:13 UTC
Target Upstream Version:
Embargoed:


Attachments
openssl configuration with enabled IBMCA module (10.91 KB, text/plain)
2010-07-27 10:45 UTC, Miroslav Vadkerti

Description Miroslav Vadkerti 2010-07-27 10:45:26 UTC
Created attachment 434657 [details]
openssl configuration with enabled IBMCA module

Description of problem:
When testing on s390x in FIPS mode on RHEL6, openssl fails. The errors differ depending on whether CPACF is enabled or disabled:

# prelink -u -a
# rpm -q openssl
openssl-1.0.0-4.el6.s390x
# ./enable_cpacf 
# openssl speed rsa
internal error loading RSA key number 0
2199029471344:error:0406A095:rsa routines:RSA_new_method:non fips method:rsa_lib.c:183:
2199029471344:error:0D079064:asn1 encoding routines:ASN1_ITEM_EX_COMBINE_NEW:aux error:tasn_new.c:221:
2199029471344:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:404:Type=RSA
# ./disable_cpacf 
# openssl speed rsa
cmll_fblk.c(65): OpenSSL internal error, assertion failed: CAMELLIA Algorithm forbidden in FIPS mode
Aborted (core dumped)

Comment 1 Jan F. Chadima 2010-07-28 08:59:52 UTC
Redirecting to ibmca, because it's an IBMca hardware-specific bug.

Comment 3 Jan F. Chadima 2010-07-30 13:04:29 UTC
This is not only an s390x-specific problem; it is reproduced on i386 as well. Changing summary.

Comment 4 Miroslav Vadkerti 2010-07-30 13:11:57 UTC
Changed arch

Comment 6 Miroslav Vadkerti 2010-07-30 13:25:01 UTC
Bug 619762  - openssl fails on FIPS enabled machine

Comment 7 Tomas Mraz 2010-08-02 06:26:35 UTC
Does the error also happen with other, more meaningful commands such as openssl rsa/rsagen/smime or others?

Comment 8 Tomas Mraz 2010-08-02 06:37:35 UTC
Answering to myself - it seems it does affect openssh according to bug 617227.

Comment 9 Tomas Mraz 2010-08-02 12:29:48 UTC
*** Bug 617227 has been marked as a duplicate of this bug. ***

Comment 10 Tomas Mraz 2010-08-02 12:40:06 UTC
If the ibmca engine for openssl and the HW are FIPS certified, then the engine must set the proper flag for its RSA implementation method (this is RSA_FLAG_FIPS_METHOD).

If it is not certified, it means the ibmca engine simply has to be disabled and thus not used by the administrator in the FIPS mode.
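Added example, not part of the bug report or of openssl-ibmca: a POSIX shell check for the combination comment 10 says an administrator must avoid while ibmca is uncertified, namely the kernel in FIPS mode and the ibmca engine loaded through openssl.cnf. The engine is resolved the way OpenSSL's config loader does it (openssl_conf, then engines, then the per-engine section with engine_id and init). The two sample configs are constructed inline and follow the shape of the attached configuration; the dynamic_path value and the FIPS_ENABLED_FILE override are illustrative assumptions, not settings from the bug.

```shell
#!/bin/sh
# Added example (not from the bug report): detect "FIPS mode on + ibmca engine
# loaded", the state in which RSA_new_method fails with "non fips method".

# Exit 0 if the config would initialise an engine named "ibmca", 1 otherwise.
# Mirrors OpenSSL's conf handling: openssl_conf names the root section, whose
# "engines" key names the engine list; each entry points at an engine section.
# A section without engine_id uses its key name as the id, and an engine with
# no init key is initialised by default.
ibmca_engine_enabled() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*\[/ { sect = $0; gsub(/\[|\]|[[:space:]]/, "", sect); next }
        {
            line = $0; sub(/#.*/, "", line)
            n = index(line, "="); if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            kv[sect, k] = v
        }
        END {
            root = kv["", "openssl_conf"]
            es = kv[root, "engines"]
            if (es == "") exit 1
            for (ks in kv) {
                split(ks, p, SUBSEP)
                if (p[1] != es) continue
                target = kv[ks]
                id = ((target SUBSEP "engine_id") in kv) ? kv[target, "engine_id"] : p[2]
                init = ((target SUBSEP "init") in kv) ? kv[target, "init"] : "1"
                if (id == "ibmca" && init != "0") found = 1
            }
            exit found ? 0 : 1
        }
    ' "$1"
}

# Kernel FIPS switch; RHEL 6 exposes it at /proc/sys/crypto/fips_enabled.
# FIPS_ENABLED_FILE is an assumed override so a captured file can be checked.
fips_mode_enabled() {
    f="${FIPS_ENABLED_FILE:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] && [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# $1 = openssl.cnf, $2 = 1 if FIPS mode is on, else 0.
# Returns 2 for the bad combination, 0 otherwise.
audit_ibmca_fips() {
    if ibmca_engine_enabled "$1"; then eng=1; else eng=0; fi
    if [ "$2" = 1 ] && [ "$eng" = 1 ]; then
        echo "FAIL: $1 loads the ibmca engine while FIPS mode is on"
        return 2
    fi
    if [ "$eng" = 1 ]; then
        echo "OK: ibmca engine on, FIPS mode off (the state comment 11 asks for)"
    else
        echo "OK: ibmca engine not loaded"
    fi
    return 0
}

# Constructed sample: ibmca enabled. The library path is illustrative.
SAMPLE_IBMCA_ON=$(mktemp)
cat >"$SAMPLE_IBMCA_ON" <<'EOF'
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
ibmca = ibmca_section

[ibmca_section]
dynamic_path = /usr/lib64/openssl/engines/libibmca.so
engine_id = ibmca
init = 1
default_algorithms = ALL
EOF

# Constructed sample: same file with the engine reference commented out,
# which is how an administrator keeps ibmca out of a FIPS-mode system.
SAMPLE_IBMCA_OFF=$(mktemp)
sed 's/^ibmca = ibmca_section/# &/' "$SAMPLE_IBMCA_ON" >"$SAMPLE_IBMCA_OFF"

# Stand-alone run against both samples with this kernel's FIPS state.
if fips_mode_enabled; then FIPS=1; else FIPS=0; fi
audit_ibmca_fips "$SAMPLE_IBMCA_ON" "$FIPS" || true
audit_ibmca_fips "$SAMPLE_IBMCA_OFF" "$FIPS" || true
```

To audit a real host, point the first argument at /etc/pki/tls/openssl.cnf (or whatever OPENSSL_CONF names) and pass the value of /proc/sys/crypto/fips_enabled as the second; a return of 2 is the configuration this bug describes.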

Comment 11 Gonzalo Muelas Serrano 2010-08-20 14:16:35 UTC
Hello,

at this point in time openssl-ibmca and the underlying crypto HW are not completely FIPS certified, but we are working on it. Until the work is finished we should have fips_mode=no and the ibmca engine on in RHEL. IBM will request (via a standard feature request) that RH change this setting as soon as we have the SW and HW FIPS certified.

Kind regards,
Gonzalo.

Comment 13 RHEL Program Management 2011-01-07 16:04:21 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 15 Dan Horák 2011-06-24 15:05:17 UTC
(In reply to comment #11)
> at this point of time is openssl-ibmca and the underlying crypto HW not
> completely FIPS certified, but we are working on it. Till the work is finished
> we should have in RHEL fips_mode=no and ibmca engine on. IBM will request (via
> standard feature request) to RH a change of this setting as soon as we are with
> SW and HW FIPS certified.

Gonzalo, is there any progress in making the s390 specific crypto modules/libraries FIPS compatible?

Comment 16 Gonzalo Muelas Serrano 2011-06-27 10:50:41 UTC
Dan, as far as I know, it is still work in progress. As soon as we have the SW and HW FIPS certified we will submit a feature request to RH to change this setting.
Thank you for asking!
Gonzalo.

Comment 18 Suzanne Logcher 2012-02-14 23:01:10 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

