Bug 618595 - openssl fails on FIPS enabled machine with CPACF
Status: NEW
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openssl-ibmca (Show other bugs)
Version: 6.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Dan Horák
QA Contact: BaseOS QE Security Team
Duplicates: 617227
Depends On: 617239
Blocks: BaseOS-FIPS-Tracker 1172231 1269194 617227 1179384
Reported: 2010-07-27 06:45 EDT by Miroslav Vadkerti
Modified: 2016-04-19 15:00 EDT (History)

Doc Type: Bug Fix
Clone Of: 617239

Attachments
openssl configuration with enabled IBMCA module (10.91 KB, text/plain)
2010-07-27 06:45 EDT, Miroslav Vadkerti

Description Miroslav Vadkerti 2010-07-27 06:45:26 EDT
Created attachment 434657 [details]
openssl configuration with enabled IBMCA module

Description of problem:
When testing on s390x in FIPS mode on RHEL6, openssl fails. The errors differ depending on whether CPACF is enabled or disabled.

# prelink -u -a
# rpm -q openssl
openssl-1.0.0-4.el6.s390x
# ./enable_cpacf 
# openssl speed rsa
internal error loading RSA key number 0
2199029471344:error:0406A095:rsa routines:RSA_new_method:non fips method:rsa_lib.c:183:
2199029471344:error:0D079064:asn1 encoding routines:ASN1_ITEM_EX_COMBINE_NEW:aux error:tasn_new.c:221:
2199029471344:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:404:Type=RSA
# ./disable_cpacf 
# openssl speed rsa
cmll_fblk.c(65): OpenSSL internal error, assertion failed: CAMELLIA Algorithm forbidden in FIPS mode
Aborted (core dumped)
Comment 1 Jan F. Chadima 2010-07-28 04:59:52 EDT
Redirecting to ibmca, because it's an IBMca hardware-specific bug.
Comment 3 Jan F. Chadima 2010-07-30 09:04:29 EDT
This is not only an s390x-specific problem; reproduced on i386, changing summary.
Comment 4 Miroslav Vadkerti 2010-07-30 09:11:57 EDT
Changed arch
Comment 6 Miroslav Vadkerti 2010-07-30 09:25:01 EDT
Bug 619762 - openssl fails on FIPS enabled machine
Comment 7 Tomas Mraz 2010-08-02 02:26:35 EDT
Does the error happen also with other more meaningful commands such as openssl rsa/rsagen/smime or others?
Comment 8 Tomas Mraz 2010-08-02 02:37:35 EDT
Answering to myself - it seems it does affect openssh according to bug 617227.
Comment 9 Tomas Mraz 2010-08-02 08:29:48 EDT
*** Bug 617227 has been marked as a duplicate of this bug. ***
Comment 10 Tomas Mraz 2010-08-02 08:40:06 EDT
If the ibmca engine for openssl and the HW are FIPS certified, then the engine must set the proper flag for its RSA implementation method. (This is the RSA_FLAG_FIPS_METHOD.)

If it is not certified, it means the ibmca engine simply has to be disabled and thus not used by the administrator in the FIPS mode.
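Comments 10 and 11 boil down to an operational rule: while ibmca is not FIPS certified, a host in FIPS mode must not load the engine with default algorithms. The following is an added example audit (not Red Hat's or IBM's code) that parses an openssl.cnf and flags that combination; the config text and the fips_enabled value are constructed, and the section layout (engine_id, dynamic_path, default_algorithms, init) is assumed to follow the usual openssl-ibmca sample, not the attached file.

```python
"""Flag OpenSSL engines that register default algorithms while FIPS mode is on."""
import re

# Constructed sample openssl.cnf fragment in the typical openssl-ibmca layout
# (assumption: this is not the attachment from the bug report).
SAMPLE_CNF = """\
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
ibmca = ibmca_section

[ibmca_section]
dynamic_path = /usr/lib64/openssl/engines/libibmca.so
engine_id = ibmca
default_algorithms = ALL
init = 1
"""


def parse_cnf(text):
    """Parse OpenSSL's INI-like config; keys before any [section] land in 'default'."""
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        header = re.match(r"\[\s*(\S+)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def engines_with_defaults(sections):
    """Return engine_ids whose section sets default_algorithms (these take over RSA)."""
    top = sections["default"].get("openssl_conf")
    engine_list = sections.get(top, {}).get("engines") if top else None
    found = []
    for _, sect_name in sections.get(engine_list, {}).items():
        sect = sections.get(sect_name, {})
        if sect.get("default_algorithms"):
            found.append(sect.get("engine_id", sect_name))
    return found


def audit(cnf_text, fips_enabled):
    """Findings for a FIPS-mode host: one message per engine that would replace RSA."""
    if not fips_enabled:
        return []
    return [f"FIPS mode on but engine '{eng}' sets default_algorithms; disable it"
            for eng in engines_with_defaults(parse_cnf(cnf_text))]
```

On a real RHEL host the fips_enabled argument would come from /proc/sys/crypto/fips_enabled and the text from /etc/pki/tls/openssl.cnf.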
Comment 11 Gonzalo Muelas Serrano 2010-08-20 10:16:35 EDT
Hello,

at this point in time openssl-ibmca and the underlying crypto HW are not completely FIPS certified, but we are working on it. Until the work is finished we should have fips_mode=no and the ibmca engine on in RHEL. IBM will request (via a standard feature request) to RH a change of this setting as soon as we are SW and HW FIPS certified.

Kind regards,
Gonzalo.
Comment 13 RHEL Product and Program Management 2011-01-07 11:04:21 EST
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. If you would like it considered as an exception in the current release, please ask your support representative.
Comment 15 Dan Horák 2011-06-24 11:05:17 EDT
(In reply to comment #11)
> at this point of time is openssl-ibmca and the underlying crypto HW not
> completely FIPS certified, but we are working on it. Till the work is finished
> we should have in RHEL fips_mode=no and ibmca engine on. IBM will request (via
> standard feature request) to RH a change of this setting as soon as we are with
> SW and HW FIPS certified.

Gonzalo, is there any progress in making the s390 specific crypto modules/libraries FIPS compatible?
Comment 16 Gonzalo Muelas Serrano 2011-06-27 06:50:41 EDT
Dan, as far as I know, it is still work in progress. As soon as we are SW and HW FIPS certified we will submit a feature request to RH to change this setting.
Thank you for asking!
Gonzalo.
Comment 18 Suzanne Yeghiayan 2012-02-14 18:01:10 EST
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. If you would like it considered as an exception in the current release, please ask your support representative.
