Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-2750

Setting propquery doesn't work for some operations in FIPS mode

Linking RHIVOS CVEs to...Migration: Automation ...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Normal Normal
    • None
    • rhel-9.0.0
    • openssl
    • None
    • Low
    • rhel-security-crypto-diamonds
    • ssg_security
    • None
    • False
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • None
    • If docs needed, set a value
    • None
    • 57,005

      Description of problem:
      When in FIPS mode, using the -propquery '?fips!=yes' to disable FIPS requirements for the command execution doesn't work for some commands.

      Version-Release number of selected component (if applicable):
      openssl-3.0.7-2.el9.x86_64

      How reproducible:
      always

      Steps to Reproduce:
      1. Set the system up in fips mode
      2. try any of the following operations:

      • openssl pkeyutl -propquery '?fips!=yes' -kdf scrypt -out kdf -kdflen 16 -pkeyopt_passin pass:pass:SomeLongishPa55word -pkeyopt hexsalt:aabbcc -pkeyopt N:16384 -pkeyopt r:8 -pkeyopt p:1
      • openssl mac -propquery '?fips!=yes' -digest MD5 -macopt hexkey:000102030405060708090A0B0C0D0E0F10111213 -in msg.bin HMAC
      • openssl mac -propquery '?fips!=yes' -cipher DES-EDE3-CBC -macopt hexkey:000102030405060708090a0b0c0d0e0f1011121314151617 -in msg.bin CMAC
      • openssl ocsp -propquery '?fips!=yes' -rmd RIPEMD160 -index ca/index.txt -rsigner ca.crt -rkey ca.key -CA ca.crt -reqin ocsp.req -respout ocsp.resp
      • openssl passwd -propquery '?fips!=yes' SomeLongishPa55word
      • openssl pkcs12 -propquery '?fips!=yes' -export -out root.p12 -passout pass:SomeLongishPa55word -inkey root.key -in root.crt -caname root
      • openssl pkcs8 -propquery '?fips!=yes' -in rsa.key -out rsa-3des.pem -topk8 -passout pass:SomeLongishPa55word -v2 des3
      • openssl genrsa -propquery '?fips!=yes' -out rsa.key -passout pass:SomeLongishPa55word -camellia256 2048
      • openssl rsa -propquery '?fips!=yes' -in rsa.key -out rsa.enc -des3 -passout pass:SomeLongishPa55word
      • openssl rsautl -propquery '?fips!=yes' -encrypt -pubin -inkey rsa.pub -in message.txt -out message.enc
        (with pkcs#1 encrypted message)
      • openssl cms -propquery '?fips!=yes' -sign -in message.txt -out message.eml -md sha256 -signer client/cert.pem -keyopt rsa_padding_mode:pss -keyopt rsa_mgf1_md:md5 -inkey client/key.pem
      • openssl spkac -propquery '?fips!=yes' -key key.pem -out spkac.pem -digest md5

      Actual results:
      Some kind of error, usually along the lines of
      40EC874B8B7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (DES-EDE3-CBC : 27), Properties ()

      Expected results:
      Operations successful, as if executed on a system not running in FIPS mode.

      Additional info:
      Some of the related issues are handled in bug 2160756, bug 2160797, and bug 2160837

              dbelyavs@redhat.com Dmitry Belyavskiy
              hkario@redhat.com Alicja Kario
              Clemens Lang Clemens Lang
              SSG Security QE SSG Security QE
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated: