Red Hat Bugzilla – Bug 618595
openssl fails on FIPS enabled machine with CPACF
Last modified: 2016-08-09 15:23:13 EDT
Created attachment 434657 [details]
openssl configuration with enaled IBMCA module
Description of problem:
When testing on s390x in FIPS mode on RHEL6 openssl fails. The errors differ when CPACF enabled/disabled
# prelink -u -a
# rpm -q openssl
# openssl speed rsa
internal error loading RSA key number 0
2199029471344:error:0406A095:rsa routines:RSA_new_method:non fips method:rsa_lib.c:183:
2199029471344:error:0D079064:asn1 encoding routines:ASN1_ITEM_EX_COMBINE_NEW:aux error:tasn_new.c:221:
2199029471344:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:404:Type=RSA
# openssl speed rsa
cmll_fblk.c(65): OpenSSL internal error, assertion failed: CAMELLIA Algorithm forbidden in FIPS mode
Aborted (core dumped)
Redirecting to ibmca, because it's IBMca hardware specific bug.
This is not only s390x specific problem, reproduced in i386, changing summary
Bug 619762 - openssl fails on FIPS enabled machine
Does the error happen also with other more meaningful commands such as openssl rsa/rsagen/smime or others?
Answering to myself - it seems it does affect openssh according to bug 617227.
*** Bug 617227 has been marked as a duplicate of this bug. ***
If the ibmca engine for openssl and the HW is FIPS certified, then the engine
must set proper flag for its RSA implementation method. (This is the RSA_FLAG_FIPS_METHOD.)
If it is not certified, it means the ibmca engine simply has to be disabled and thus not used by the administrator in the FIPS mode.
at this point of time is openssl-ibmca and the underlying crypto HW not completely FIPS certified, but we are working on it. Till the work is finished we should have in RHEL fips_mode=no and ibmca engine on. IBM will request (via standard feature request) to RH a change of this setting as soon as we are with SW and HW FIPS certified.
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
(In reply to comment #11)
> at this point of time is openssl-ibmca and the underlying crypto HW not
> completely FIPS certified, but we are working on it. Till the work is finished
> we should have in RHEL fips_mode=no and ibmca engine on. IBM will request (via
> standard feature request) to RH a change of this setting as soon as we are with
> SW and HW FIPS certified.
Gonzalo, is there any progress in making the s390 specific crypto modules/libraries FIPS compatible?
Dan, as far as I know, it still work in progress. As soon as we are with SW and HW FIPS certified we will submit a feature request to RH to change this setting.
Thank you for asking!