pairwise job fails when configured with --enable-fips-mode
After FIPS got improved with !4281 (merged) on main, the pairwise CI job started failing on the Debian "bullseye" image in daily pipelines, when the --enable-fips-mode ./configure option is present (the image does not have FIPS system components in place).
Configuration: --enable-developer --disable-warn-error --disable-kqueue --disable-epoll --disable-devpoll --enable-geoip --with-maxminddb=yes --with-locktype=adaptive --enable-doh --with-libnghttp2=yes --disable-pthread-rwlock --enable-fips-mode --without-gssapi --with-lmdb=yes --with-libxml2=yes --without-json-c --with-zlib=auto --without-libsystemd --enable-tcp-fastopen --with-readline=libedit --disable-chroot --enable-fixed-rrset --disable-dnstap --with-libidn2=yes --without-cmocka --with-jemalloc=yes --enable-leak-detection --enable-singletrace --enable-querytrace --disable-auto-validation --disable-dnsrps --disable-full-report
named failed to start:
04-Apr-2023 00:06:10.882 FIPS_mode_set (../../../lib/dns/openssl_link.c:76) failed (crypto failure)
04-Apr-2023 00:06:10.882 error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported:../crypto/o_fips.c:22:
Locally, on Fedora 37 without FIPS, I get:
04-Apr-2023 09:13:11.113 EVP_PKEY_CTX_new_from_name (../../../lib/dns/opensslrsa_link.c:579) failed (crypto failure)
04-Apr-2023 09:13:11.113 error:0308010C:digital envelope routines::unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (HMAC : 0), Properties (<null>)
04-Apr-2023 09:13:11.113 error:0308010C:digital envelope routines::unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (HMAC : 175), Properties (<null>)
04-Apr-2023 09:13:11.113 error:0308010C:digital envelope routines::unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (HMAC : 175), Properties (<null>)
04-Apr-2023 09:13:11.113 error:0308010C:digital envelope routines::unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (HMAC : 175), Properties (<null>)
04-Apr-2023 09:13:11.113 error:0308010C:digital envelope routines::unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (HMAC : 175), Properties (<null>)
04-Apr-2023 09:13:11.113 error:0308010C:digital envelope routines::unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (HMAC : 175), Properties (<null>)
04-Apr-2023 09:13:11.113 error:0308010C:digital envelope routines::unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (rsaEncryption : 101), Properties (<null>)
timeout: the monitored command dumped core
#0 pause_loop (loop=0x86b408acddc8) at ../../../lib/isc/loop.c:91
#1 isc_loopmgr_pause (loopmgr=0x7f7c08a582a0) at ../../../lib/isc/loop.c:515
#2 0x000000000042a077 in fatal (msg=msg@entry=0x45a0ce "initializing DST", result=DST_R_CRYPTOFAILURE) at ../../../bin/named/server.c:10299
#3 0x00000000004390c1 in named_server_create (mctx=0x7f7c08a089c0, serverp=serverp@entry=0x4791b0 <named_g_server>) at ../../../bin/named/server.c:10169
#4 0x000000000041855d in setup () at ../../../bin/named/main.c:1262
#5 main (argc=<optimized out>, argv=<optimized out>) at ../../../bin/named/main.c:1500
The simple fix is
-# [pairwise: --enable-fips-mode, --disable-fips-mode]
+# [pairwise: skip]
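Review bot: the added line "# [pairwise: skip]" carries no reason for the skip, and it replaces a directive that listed both --enable-fips-mode and --disable-fips-mode, so it appears that neither setting would be exercised by the pairwise job afterwards. Consider adding a comment beside the directive saying the skip exists because the CI image has no FIPS components, so it is clear when the original directive can be restored.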
But shouldn't the --enable-fips-mode option detect the FIPS system components availability properly and fail if not really there? Crashing at runtime seems suboptimal.