FIPS_mode_set reports incorrect error message

Bug #1588524 reported by Spencer Jackson on 2016-06-02
Affects: openssl (Ubuntu)

Bug Description

Hi! Some integration tests we run attempt to enable FIPS mode in OpenSSL, and assert that either our software continues to work, or that the error message emitted by OpenSSL is related to missing the FIPS module.

On Ubuntu 14.10, running FIPS_mode_set fails and produces an error like:
140225357260448:error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported:o_fips.c:92:

On Ubuntu 16.04 running OpenSSL/libssl1.0.0 version 1.0.2g-1ubuntu4.1, FIPS_mode_set fails, but does not produce an error message.

I have attached a C file which, when executed on both these platforms, will demonstrate this behavior.

I believe this may have been introduced by this ticket:
It provides a patch called openssl-1.0.2g-ubuntu-fips-cleanup.patch which includes this statement:
+@@ -443,6 +430,7 @@ int FIPS_module_mode_set(int onoff, const char *auth)
+ fips_selftest_fail = 0;
+ ret = 1;
+ end:
++ ERR_clear_error(); /* clear above err msg; fips mode disabled for now */
+ fips_clear_owning_thread();
+ fips_w_unlock();
+ return ret;
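
Review bot: the added ERR_clear_error() sits directly under the end: label, so it runs on every exit path, including the paths that jump to end: without reaching ret = 1. ERR_clear_error() empties the calling thread's whole error queue, so a caller that gets a failure return has nothing left to report, and entries queued before this call are discarded as well. If the goal is only to hide one message while FIPS mode is disabled, restrict the call to the path that queues that message, or drop it and leave the entry for callers to read.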

This appears to be clearing the error messages we're asserting on before returning from FIPS_module_mode_set.

For reference, here is our ticket where we are tracking this issue:
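
The assertion described in this report (FIPS enabled, or a failure whose error is "fips mode not supported"), written out as an added example; it is not the attached C file or any code from this report. It parses a captured error line of the form quoted above and flags the 16.04 case where FIPS_mode_set fails with nothing in the error queue. The names parse_err_line, classify and the fips_outcome values are hypothetical, and the code split assumes the OpenSSL 1.0.x packing of library, function and reason into 8, 12 and 12 bits.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical names throughout; this is the test-side check only. */
enum fips_outcome { FIPS_ENABLED, FIPS_NOT_SUPPORTED, FIPS_SILENT_FAILURE, FIPS_OTHER_ERROR };
struct ossl_err { unsigned long code; int lib, func, reason; char reason_text[64]; };
/* Error line quoted in the report (Ubuntu 14.10). */
static const char SAMPLE[] = "140225357260448:error:0F06D065:common libcrypto routines:"
                             "FIPS_mode_set:fips mode not supported:o_fips.c:92:";

/* Parse "tid:error:HEXCODE:library:function:reason:file:line:"; 0 on success, -1 otherwise. */
int parse_err_line(const char *line, struct ossl_err *out)
{
    char buf[256], *f[8], *p = buf, *end;
    int n = 0;
    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);
    while (n < 8 && p) {                 /* split into 8 colon-separated fields */
        f[n++] = p;
        if ((p = strchr(p, ':')) != NULL) *p++ = '\0';
    }
    if (n < 8 || strcmp(f[1], "error") != 0) return -1;
    out->code = strtoul(f[2], &end, 16);
    if (end == f[2] || *end != '\0') return -1;
    out->lib    = (int)((out->code >> 24) & 0xff);   /* assumed 1.0.x layout: 8 bits */
    out->func   = (int)((out->code >> 12) & 0xfff);  /* 12 bits */
    out->reason = (int)(out->code & 0xfff);          /* 12 bits */
    snprintf(out->reason_text, sizeof out->reason_text, "%s", f[5]);
    return 0;
}

/* rc is the FIPS_mode_set() return value (1 = enabled); err_line is the
 * captured error-queue output, empty when nothing was queued. */
enum fips_outcome classify(int rc, const char *err_line)
{
    struct ossl_err e;
    if (rc == 1) return FIPS_ENABLED;
    if (err_line == NULL || *err_line == '\0') return FIPS_SILENT_FAILURE;
    if (parse_err_line(err_line, &e) == 0 && strcmp(e.reason_text, "fips mode not supported") == 0)
        return FIPS_NOT_SUPPORTED;
    return FIPS_OTHER_ERROR;
}

int main(void)
{
    printf("14.10-style failure: %d\n", classify(0, SAMPLE));  /* FIPS_NOT_SUPPORTED */
    printf("16.04-style failure: %d\n", classify(0, ""));      /* FIPS_SILENT_FAILURE */
    return 0;
}
```

Treating FIPS_SILENT_FAILURE as its own outcome lets a test suite fail loudly when a failure return arrives with an empty queue, instead of passing or crashing on a missing message.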

Joy Latten (j-latten) wrote :

I purposely cleared this error message from the queue so that no one would be distracted or thwarted by the addition of the fips code while it is a work in progress and not complete. FIPS_module_mode_set() at this point will always fail and return an error code.
But yes, I see in your test program that you also want to print the error message if you get an error code.

Joy Latten (j-latten) wrote :

Will definitely remove clearing the error as we continue completing the code.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.0.2g-1ubuntu8

openssl (1.0.2g-1ubuntu8) yakkety; urgency=medium

  * Remove unused FIPS patches for now. (LP: #1594748, LP: #1593953,
    LP: #1591797, LP: #1588524)

 -- Marc Deslauriers <email address hidden> Mon, 15 Aug 2016 14:20:42 -0400

Changed in openssl (Ubuntu):
status: New → Fix Released

Hello Spencer, or anyone else affected,

Accepted openssl into xenial-proposed. The package will build now and be available at in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at . Thank you in advance!

tags: added: verification-needed

Joy Latten (j-latten) wrote :

I tested this on 1.0.2g-1ubuntu4.3 using the openssl_fips_test.c that was attached, and all worked as expected and I received the expected error message, thus verifying this issue has been resolved in 1.0.2g-1ubuntu4.3.

tags: added: verification-done
removed: verification-needed