[MDEV-14567] MariaDB won't work in FIPS mode - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.2(EOL)
Fix Version/s: 10.2.13
Component/s: Server, SSL
Labels:
- contribution
- foundation
Environment:
Fedora 27
package 'dracut-fips' installed

Sprint:
10.2.13

Description

Hello,

On Fedora 27, if you install 'dracut-fips' package, MariaDB server won't start with folowing explanation:

mysql-prepare-db-dir[17281]: 2017-12-04  8:24:26 140228227141056 [ERROR] Incompatible OpenSSL version. Cannot continue...

it calls CRYPTO_set_mem_functions() from libcrypto.so, which returns 0 here:

┌──crypto/mem.c──────────────────────

│39          if (!allow_customize)

│40              return 0;

And that's the issue.
Package 'dracut-fips' will cause, that in libcrypto constructor FIPS self-tests must be called. FIPS self-test calls allocations and that's why the allocation function cannot be altered.

—

The same state should be achieved in FIPS mode, although so far I talked about installed 'dracut-fips' package, but still disabled FIPS mode.

Attachments

Activity

Ascending order - Click to sort in descending order

Michal Schorm created issue - 2017-12-04 15:24

Michal Schorm made changes - 2017-12-04 15:24

Field	Original Value	New Value
Description	Hello, On Fedora 27, if you install 'dracut-fips' package, MariaDB server won't start with folowing explanation: {code:bash} mysql-prepare-db-dir[17281]: 2017-12-04 8:24:26 140228227141056 [ERROR] Incompatible OpenSSL version. Cannot continue... {code} it calls CRYPTO_set_mem_functions() from libcrypto.so, which returns 0 here: {code:c} ┌──crypto/mem.c────────────────────── │39 if (!allow_customize) │40 return 0; {code} And that's the issue. Package 'dracut-fips' will cause, that in libcrypto constructor FIPS self-tests must be called. FIPS self-test calls allocations and that's why the allocation function cannot be altered. --- The same state should be achieved in FIPS mode, although so far I talked about installed 'dracut-fips' package, but still disabled FIPS mode.	Hello, On Fedora 27, if you install 'dracut-fips' package, MariaDB server won't start with folowing explanation: {code:bash} mysql-prepare-db-dir[17281]: 2017-12-04 8:24:26 140228227141056 [ERROR] Incompatible OpenSSL version. Cannot continue... {code} it calls CRYPTO_set_mem_functions() from libcrypto.so, which returns 0 here: {code:c} ┌──crypto/mem.c────────────────────── │39 if (!allow_customize) │40 return 0; {code} And that's the issue. Package 'dracut-fips' will cause, that in libcrypto constructor FIPS self-tests must be called. FIPS self-test calls allocations and that's why the allocation function cannot be altered. --- The same state should be achieved in FIPS mode, although so far I talked about installed 'dracut-fips' package, but still disabled FIPS mode.

Sergei Golubchik added a comment - 2017-12-04 16:46

Yes. This is basically, a FIPS bug — as far as I understand, Ubuntu fixed it here: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1594748 (although it looks like they've simply removed some FIPS patches).

I'm not quite sure what we can do about it. I can disable the OpenSSL compatibility check if FIPS mode is enabled. Meaning if next OpenSSL release changes sizes of its internal structures, we won't notices it in FIPS mode and the server might crash instead of failing to start. The chance of this happening is not very high, normally we would've tried the server on a non-FIPS version of OpenSSL by then and adjusted the buffers.

Sergei Golubchik added a comment - 2017-12-04 16:46 Yes. This is basically, a FIPS bug — as far as I understand, Ubuntu fixed it here: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1594748 (although it looks like they've simply removed some FIPS patches). I'm not quite sure what we can do about it. I can disable the OpenSSL compatibility check if FIPS mode is enabled. Meaning if next OpenSSL release changes sizes of its internal structures, we won't notices it in FIPS mode and the server might crash instead of failing to start. The chance of this happening is not very high, normally we would've tried the server on a non-FIPS version of OpenSSL by then and adjusted the buffers.

Sergei Golubchik made changes - 2017-12-04 16:46

Fix Version/s

10.2 [ 14601 ]

Elena Stepanova added a comment - 2017-12-16 02:58

Setting to Confirmed based on the comment above.

Elena Stepanova added a comment - 2017-12-16 02:58 Setting to Confirmed based on the comment above.

Elena Stepanova made changes - 2017-12-16 02:58

Status

Open [ 1 ]

Confirmed [ 10101 ]

Sergei Golubchik made changes - 2018-01-18 20:31

Assignee

Sergei Golubchik [ serg ]

Sergei Golubchik made changes - 2018-01-18 20:31

Priority

Major [ 3 ]

Critical [ 2 ]

Sergey Vojtovich made changes - 2018-01-23 10:46

Labels

contribution foundation

Sergei Golubchik made changes - 2018-01-31 17:18

Sprint

10.2.13 [ 228 ]

Daniel Black added a comment - 2018-02-04 08:48

One byte fix as per PR. Details in commit message.

Daniel Black added a comment - 2018-02-04 08:48 One byte fix as per PR. Details in commit message.

Sergei Golubchik made changes - 2018-02-06 12:30

Status

Confirmed [ 10101 ]

In Progress [ 3 ]

Sergei Golubchik made changes - 2018-02-07 10:46

Fix Version/s		10.2.13 [ 22910 ]
Fix Version/s	10.2 [ 14601 ]
Resolution		Fixed [ 1 ]
Status	In Progress [ 3 ]	Closed [ 6 ]

Sergei Golubchik made changes - 2021-12-06 21:46

Workflow

MariaDB v3 [ 84286 ]

MariaDB v4 [ 153291 ]

People

Assignee:: Sergei Golubchik

Reporter:: Michal Schorm

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2017-12-04 15:24

Updated:: 2018-02-07 10:46

Resolved:: 2018-02-07 10:46

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server