Bug 695693 - [openssl] bind mounts allow FIPS mode checks to be bypassed
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: openssl
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Steve Grubb
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-04-12 12:48 UTC by Bryn M. Reeves
Modified: 2011-07-26 10:49 UTC

Doc Type: Bug Fix
Clone Of:
: 695694
Last Closed: 2011-07-26 10:49:15 UTC
Type: ---



Description Bryn M. Reeves 2011-04-12 12:48:01 UTC
Description of problem:
The procfs file /proc/sys/crypto/fips_enabled is used to gate FIPS-compliant behaviour in userspace cryptography libraries.

When set to '1' during boot the kernel will reject attempts to write to this file as it is created with mode 0444.

A malicious administrator can bind mount a file containing a single '0' over this path causing userspace libraries to incorrectly behave as though FIPS was not enabled.

Version-Release number of selected component (if applicable):
openssl-1.0.0d-2.fc16 and earlier

How reproducible:
100%

Steps to Reproduce:
1. echo 0 > /tmp/my_fips_enabled
2. mount --bind /tmp/my_fips_enabled /proc/sys/crypto/fips_enabled
3. cat /proc/sys/crypto/fips_enabled
4. <do something forbidden in FIPS e.g. openssl md5 digest>
  
Actual results:
3. # cat /proc/sys/crypto/fips_enabled
0
4. FIPS forbidden operations work

Expected results:
4. FIPS forbidden operations fail

Additional info:
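
Added example, not part of the original report or of openssl: an audit check that parses `/proc/self/mountinfo` and reports any mount sitting on `/proc/sys/crypto/fips_enabled` or on a directory above it, other than the genuine procfs mount at `/proc`. The function names and the sample mountinfo lines are constructed for illustration, and the sample assumes `/tmp` lives on the root filesystem.

```python
"""Audit check: is /proc/sys/crypto/fips_enabled shadowed by another mount?"""

FIPS_FLAG = "/proc/sys/crypto/fips_enabled"

# Constructed /proc/self/mountinfo excerpt for a host after the reproduction steps.
SAMPLE_SHADOWED = """\
21 1 253:0 / / rw,relatime shared:1 - ext4 /dev/mapper/vg-root rw
22 21 0:4 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
30 22 0:31 / /proc/sys/fs/binfmt_misc rw,relatime shared:14 - binfmt_misc binfmt_misc rw
45 22 253:0 /tmp/my_fips_enabled /proc/sys/crypto/fips_enabled rw,relatime shared:1 - ext4 /dev/mapper/vg-root rw
"""
# The same constructed host without the bind mount (last line dropped).
SAMPLE_CLEAN = "".join(SAMPLE_SHADOWED.splitlines(keepends=True)[:3])


def parse_mountinfo(text):
    """Yield (root, mount_point, fstype, source) for each mountinfo line."""
    for line in text.splitlines():
        left, sep, right = line.partition(" - ")  # optional fields end at " - "
        pre, post = left.split(), right.split()
        if sep and len(pre) >= 6 and len(post) >= 2:
            yield pre[3], pre[4], post[0], post[1]


def shadowing_mounts(mountinfo_text, target=FIPS_FLAG):
    """Return mounts that sit on the target path or on a directory above it,
    other than the root filesystem and the genuine procfs mount at /proc."""
    findings = []
    for root, mount_point, fstype, source in parse_mountinfo(mountinfo_text):
        if mount_point == "/":
            continue  # root filesystem; /proc is mounted on top of it
        covers = target == mount_point or target.startswith(mount_point + "/")
        genuine_proc = (mount_point, fstype, root) == ("/proc", "proc", "/")
        if covers and not genuine_proc:
            findings.append({"mount_point": mount_point, "fstype": fstype,
                             "root": root, "source": source})
    return findings


if __name__ == "__main__":
    # On a live Linux host, audit the current mount namespace.
    with open("/proc/self/mountinfo") as fh:
        for hit in shadowing_mounts(fh.read()):
            print("fips_enabled is shadowed by:", hit)
```

The check only sees the mount namespace of the process that runs it, so it serves as an audit aid rather than a guard inside the library.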

Comment 1 Tomas Mraz 2011-04-12 13:35:12 UTC
I do not think this is something that the library can guard against. There is a myriad of ways to bypass the FIPS mode, especially (but not exclusively) if the administrator wants to.

Comment 2 Bryn M. Reeves 2011-04-12 16:27:00 UTC
Agreed - I noticed this last week (while testing FIPS changes for sos) and mentioned it to sgrubb who asked me to file a bug. Apparently since then it's been discussed on the FIPS list with the conclusion that this is hard if not impossible to avoid. Am happy with whatever disposition the relevant folks have for this bz ;)

