Bug 1271811

Summary: libreswan FIPS test mistakenly looks for non-existent file hashes and reports FIPS failure
Product: Red Hat Enterprise Linux 7
Reporter: Paul Wouters <pwouters>
Component: libreswan
Assignee: Paul Wouters <pwouters>
Status: CLOSED ERRATA
QA Contact: Ondrej Moriš <omoris>
Severity: urgent
Docs Contact: Mirek Jahoda <mjahoda>
Priority: urgent
Version: 7.3
CC: fkrska, jkurik, jreznik, lmiksik, omoris
Target Milestone: rc
Keywords: Reopened, ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, Libreswan tried to delete non-existing IPsec Security Associations (SAs). As a consequence, the pluto IKE daemon terminated unexpectedly and then restarted. With this update, Libreswan no longer tries to delete non-existing IPsec SAs, and thus no longer causes the pluto daemon to crash.
Story Points: ---
Clone Of:
: 1272080 1273719 1373458 (view as bug list)
Environment:
Last Closed: 2016-11-03 21:21:28 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 717789, 1272080, 1273719, 1373458

Description Paul Wouters 2015-10-14 19:12:10 UTC
Description of problem:
libreswan FIPS test mistakenly looks for non-existent file hashes and reports FIPS failure

For example, /usr/libexec/ipsec/_updown.mast is no longer installed because we compile with USE_MAST=false but this did not properly update the file list for FIPS files, so booting in FIPS would fail.

Fix for this upstream:

https://github.com/libreswan/libreswan/commit/19b50a501772a06fb7648b531852fb588efb0021

Comment 3 Jan Kurik 2015-11-20 10:22:19 UTC
This bug has been closed as CURRENTRELEASE due to delivery of the fix in a z-stream. As the component is not on ACL, the fix is currently included in y-stream as well.

For more information please see the zstream process documentation:
* https://engineering.redhat.com/trac/ZStream/attachment/wiki/WikiStart/Z-Stream_process_update_4.odp

Comment 8 Karel Srot 2016-09-05 06:01:41 UTC
Reopening the bug as the respective patch is missing in the code and it has to be fixed in 7.3.0.

Comment 12 Ondrej Moriš 2016-09-08 13:49:08 UTC
(In reply to Karel Srot from comment #8)
> Reopening the bug as the respective patch is missing in the code and it has
> to be fixed in 7.3.0.

Let me clarify this confusing issue. I just carefully checked which version of 
libreswan is affected:

a) [NOT AFFECTED] libreswan-3.12-10.1.el7_1 (ER#20182, 7.1.z, 2015-Jun-23)
==========================================================================
pluto[22827]: FIPS: pluto daemon running in FIPS mode
pluto[22827]: FIPS HMAC integrity verification test passed
pluto[22827]: FIPS Kernel Mode detected
pluto[22827]: FIPS Product detected (/etc/system-fips)

b) [NOT AFFECTED] libreswan-3.15-5.el7_1 (ER#21591, 7.1.z, 2015-Nov-04)
=======================================================================
pluto[21867]: FIPS: pluto daemon running in FIPS mode
pluto[21867]: FIPS HMAC integrity verification test passed
pluto[21867]: FIPS Kernel Mode detected
pluto[21867]: FIPS Product detected (/etc/system-fips)

c) [NOT AFFECTED] libreswan-3.15-6.el7.x86_64 (ER#24004, 7.3.0, 2017-Oct-25)
============================================================================
pluto[20850]: FIPS: pluto daemon running in FIPS mode
pluto[20850]: FIPS HMAC integrity verification test passed
pluto[20850]: FIPS Kernel Mode detected
pluto[20850]: FIPS Product detected (/etc/system-fips)

The only affected version is libreswan-3.15-2.el7_1.x86_64 which was never
publicly released AFAIK. It was just a working version in ER#21591:

d) [AFFECTED] libreswan-3.15-2.el7_1 (NOT RELEASED)
===================================================
pluto[8536]: ABORT: FIPS product and kernel in FIPS mode
pluto[8536]: FIPS HMAC integrity verification FAILURE
pluto[8536]: FIPS Kernel Mode detected
pluto[8536]: FIPS Product detected (/etc/system-fips)

The problem in 3.15-2.el7_1 was caused by the fact that the _updown.mast binary
was not present in the build but was kept in the list of binaries for
fipscheck at the same time.

Since ER#21591 (2015-Nov-04) we are checking [1] that 

  * every binary from the package has its hmac file,
  * every hmac file in the package has a corresponding binary,
  * ipsec service correctly starts with FIPS disabled and enabled,
  * hmac files are correct (via fipscheck) and 
  * corruption of a hmac file has the desired effect
    - ipsec service fails to start with FIPS mode enabled,
    - ipsec service complains but starts with FIPS mode disabled.

Nevertheless, (c) proves that this issue is no longer present; see [2] for more
details.

[1] TC#510244 - /CoreOS/libreswan/Sanity/integrity
[2] CR#12948479
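
A two-way binary/HMAC consistency check of the kind listed in comment 12 (and of the exact mismatch from the original description: a binary dropped from the build while its HMAC file stayed in the FIPS file list), as an added example that is not part of this bug report or of libreswan's own fipscheck code. It assumes the libfipscheck naming layout where the HMAC for DIR/NAME lives at DIR/.NAME.hmac; the sample tree it builds under mktemp is constructed for the example and mirrors the 3.15-2.el7_1 situation with _updown.mast.

```shell
#!/bin/sh
# Added example, not libreswan's or fipscheck's own code.
# Assumption: the HMAC for DIR/NAME is stored as DIR/.NAME.hmac (the
# libfipscheck convention). Adjust the two path patterns below if a
# packaging layout keeps them under DIR/fipscheck/NAME.hmac instead.

# check_hmac_pairs DIR
# Prints one line per mismatch:
#   "binary-without-hmac NAME"  a binary that FIPS startup cannot verify
#   "hmac-without-binary NAME"  a stale HMAC for a binary no longer shipped
# Returns 1 if any mismatch was found, 0 if every binary is paired.
check_hmac_pairs() {
    dir=$1
    rc=0
    # Every non-hidden regular file is treated as a binary that needs an HMAC.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        if [ ! -f "$dir/.$name.hmac" ]; then
            echo "binary-without-hmac $name"
            rc=1
        fi
    done
    # Every .NAME.hmac must point back at an existing NAME.
    for h in "$dir"/.*.hmac; do
        [ -f "$h" ] || continue
        name=${h##*/}
        name=${name#.}
        name=${name%.hmac}
        if [ ! -f "$dir/$name" ]; then
            echo "hmac-without-binary $name"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample tree (not a real package): three paired binaries, one
# orphaned HMAC for the no-longer-built _updown.mast, and one binary whose
# HMAC was never generated.
make_sample_tree() {
    d=$(mktemp -d)
    for b in pluto _updown _updown.netkey; do
        printf 'stub %s\n' "$b" > "$d/$b"
        printf 'constructed-hmac\n' > "$d/.$b.hmac"
    done
    printf 'constructed-hmac\n' > "$d/._updown.mast.hmac"   # stale HMAC, no binary
    printf 'stub _stackmanager\n' > "$d/_stackmanager"     # binary, no HMAC
    echo "$d"
}

# Example run: prints the two mismatches and the summary line.
SAMPLE=$(make_sample_tree)
check_hmac_pairs "$SAMPLE" || echo "FIPS file list is inconsistent: $SAMPLE"
```

Run it against the installed tree with `check_hmac_pairs /usr/libexec/ipsec` to see exactly which name the fipscheck list and the build disagree on before pluto aborts at startup; the actual HMAC values are still verified by fipscheck itself, this script only checks that the two lists match.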

Comment 16 errata-xmlrpc 2016-11-03 21:21:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2603.html