RHEL-107272

fips-provider-next doesn't seed as openssl-fips-provider in FIPS mode [RHEL-10]


    • Bug
    • Resolution: Unresolved
    • Normal
    • rhel-10.1
    • fips-provider-next
    • Low
    • rhel-security-crypto-clubs

      When fips-provider-next seeds from getrandom we have:

      :: [ 15:24:06 ] :: [  BEGIN   ] :: Running 'cat split-calls.child_1.0'
      'getrandom("\\x2d\\x02\\x87\\xdc\\x26\\x36\\xa5\\x66\\x32\\xa7\\x3d\\xec\\x49\\xd8\\xf8\\xd3\\x90\\x67\\x0a\\xc8\\x2e\\x5d\\xb5\\x10\\xc5\\xd9\\xdc\\xa6\\x61\\xa8\\x0b\\x58"..., 40, GRND_RANDOM) = 40\r\r'
      ...
      :: [ 15:24:06 ] :: [   PASS   ] :: Command 'cat split-calls.child_1.0' (Expected 0, got 0)
      :: [ 15:24:06 ] :: [  BEGIN   ] :: Running 'cat split-calls.parent.0'
      'getrandom("\\x61\\x63\\xe9\\x5a\\xb0\\x6a\\xee\\x8a", 8, GRND_NONBLOCK) = 8\r\r'
      ...
      :: [ 15:24:06 ] :: [   PASS   ] :: Command 'cat split-calls.parent.0' (Expected 0, got 0)
      :: [ 15:24:06 ] :: [  BEGIN   ] :: Running 'cat split-calls.parent.1'
      'getrandom("\\x14\\x02\\x33\\xbc\\x5a\\xfb\\x27\\xf1\\x0b\\x75\\x34\\x62\\x1d\\xec\\xda\\x5a\\x7c\\x38\\xdf\\xca\\xe3\\x0b\\xba\\x3e\\x61\\xac\\x47\\xf5\\xc4\\x46\\xe0\\x83"..., 56, GRND_RANDOM) = 56\r\r'
      ...
       

      but openssl-fips-provider is doing:

      :: [ 15:24:25 ] :: [  BEGIN   ] :: Running 'cat split-calls.child_1.0'
      'getrandom("\\x9b\\xfa\\x6d\\xb1\\xff\\xf1\\x9b\\x3f\\x18\\x3f\\xba\\x52\\x4e\\xe0\\xe9\\x07\\x17\\x97\\x85\\xc5\\x28\\xf1\\x03\\xe5\\x2e\\x06\\xee\\x83\\x60\\x34\\x40\\x75", 32, GRND_RANDOM) = 32\r\r'
      ...
      :: [ 15:24:25 ] :: [   PASS   ] :: Command 'cat split-calls.child_1.0' (Expected 0, got 0)
      :: [ 15:24:25 ] :: [  BEGIN   ] :: Running 'cat split-calls.child_1.1'
      'getrandom("\\xdb\\x9d\\xfd\\x96\\xe9\\x18\\x7b\\x17\\x40\\x0f\\xa6\\x7c\\xb2\\x37\\xa3\\x46\\x8c\\x6f\\x7f\\x4a\\xac\\x89\\x15\\xd2\\xdd\\xb7\\x58\\x92\\xfa\\xcd\\xc7\\xc0", 32, GRND_RANDOM) = 32\r\r'
      ...
      :: [ 15:24:25 ] :: [   PASS   ] :: Command 'cat split-calls.child_1.1' (Expected 0, got 0)
      :: [ 15:24:25 ] :: [  BEGIN   ] :: Running 'cat split-calls.parent.0'
      'getrandom("\\xbe\\x5e\\xa0\\x9b\\x15\\xa7\\x0e\\xa7", 8, GRND_NONBLOCK) = 8\r\r'
      ...
      :: [ 15:24:25 ] :: [   PASS   ] :: Command 'cat split-calls.parent.0' (Expected 0, got 0)
      ...
      :: [ 15:24:26 ] :: [  BEGIN   ] :: Running 'cat split-calls.parent.4'
      'getrandom("\\xc8\\xc6\\x4c\\x60\\x5d\\x5d\\x42\\xc2\\xcc\\x70\\x13\\xcf\\x9f\\x69\\xd3\\x09\\xf3\\xf8\\x78\\x58\\x09\\xaf\\x33\\x73\\xa7\\x88\\x7e\\xdc\\x83\\x2b\\x17\\x2c", 32, GRND_RANDOM) = 32\r\r'
      ...
      :: [ 15:24:26 ] :: [   PASS   ] :: Command 'cat split-calls.parent.4' (Expected 0, got 0)
      :: [ 15:24:26 ] :: [  BEGIN   ] :: Running 'cat split-calls.parent.5'
      'getrandom("\\x9f\\xde\\xea\\xff\\x35\\x9d\\x36\\xb2\\xae\\xc8\\x6e\\x64\\x90\\xaa\\x84\\x2f\\x3f\\xd6\\x14\\x57\\x0d\\x34\\x71\\x79\\xf4\\x1f\\xb2\\x10\\xce\\xc4\\x2d\\xb1", 32, GRND_RANDOM) = 32\r\r'
      ...

      So the real question is: Do we have enough entropy for FIPS mode?
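
One way to put the two traces above side by side, as an added example that is not part of the original report: it parses the `getrandom` records from each test log and sums the bytes returned per process and flag. The names `tally` and `grnd_random_bytes` are hypothetical, and the logs are constructed from the request sizes and flags shown above, so the totals cover only the calls the report displays.

```python
import re
from collections import defaultdict
# Test-log header naming the traced process, e.g. "Running 'cat split-calls.child_1.0'"
HEADER = re.compile(r"Running 'cat split-calls\.(?P<proc>\w+)\.\d+'")
# strace record: buffer (optionally truncated with ...), requested size, flags, result
CALL = re.compile(r'getrandom\(".*?"(?:\.\.\.)?, (?P<req>\d+), '
                  r'(?P<flags>[A-Z_|0]+)\) = (?P<ret>-?\d+)')

def tally(log):
    """Return {(process, flags): (calls, bytes_returned)} for one test log."""
    totals = defaultdict(lambda: [0, 0])
    proc = None
    for line in log.splitlines():
        if m := HEADER.search(line):
            proc = m["proc"]
        elif (m := CALL.search(line)) and int(m["ret"]) > 0:  # skip failed calls
            totals[(proc, m["flags"])][0] += 1
            totals[(proc, m["flags"])][1] += int(m["ret"])
    return {key: tuple(val) for key, val in totals.items()}

def grnd_random_bytes(log):
    """Bytes obtained with GRND_RANDOM, summed per process."""
    return {p: n for (p, f), (_, n) in tally(log).items() if f == "GRND_RANDOM"}

# Constructed logs: request sizes and flags follow the excerpts in the report,
# buffers are placeholders, and calls elided there with "..." are not included.
NEXT_LOG = r"""
:: [  BEGIN   ] :: Running 'cat split-calls.child_1.0'
'getrandom("\\x00\\x01"..., 40, GRND_RANDOM) = 40'
:: [  BEGIN   ] :: Running 'cat split-calls.parent.0'
'getrandom("\\x00\\x01", 8, GRND_NONBLOCK) = 8'
:: [  BEGIN   ] :: Running 'cat split-calls.parent.1'
'getrandom("\\x00\\x01"..., 56, GRND_RANDOM) = 56'
"""
OPENSSL_LOG = r"""
:: [  BEGIN   ] :: Running 'cat split-calls.child_1.0'
'getrandom("\\x00\\x01", 32, GRND_RANDOM) = 32'
:: [  BEGIN   ] :: Running 'cat split-calls.child_1.1'
'getrandom("\\x00\\x01", 32, GRND_RANDOM) = 32'
:: [  BEGIN   ] :: Running 'cat split-calls.parent.0'
'getrandom("\\x00\\x01", 8, GRND_NONBLOCK) = 8'
:: [  BEGIN   ] :: Running 'cat split-calls.parent.4'
'getrandom("\\x00\\x01", 32, GRND_RANDOM) = 32'
:: [  BEGIN   ] :: Running 'cat split-calls.parent.5'
'getrandom("\\x00\\x01", 32, GRND_RANDOM) = 32'
"""
if __name__ == "__main__":
    for name, log in (("fips-provider-next", NEXT_LOG), ("openssl-fips-provider", OPENSSL_LOG)):
        print(name, grnd_random_bytes(log))
```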

              Simo Sorce (rhn-engineering-ssorce)
              George Pantelakis (rh-ee-gpantela)
              Simo Sorce
              Ondrej Moris