Bug 1272080
| Summary: | libreswan FIPS test mistakenly looks for non-existent file hashes and reports FIPS failure | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Ondrej Moriš <omoris> | |
| Component: | libreswan | Assignee: | Paul Wouters <pwouters> | |
| Status: | CLOSED ERRATA | QA Contact: | Ondrej Moriš <omoris> | |
| Severity: | urgent | Docs Contact: | ||
| Priority: | urgent | |||
| Version: | 6.6 | CC: | jaster, jreznik, omoris, pwouters, qe-baseos-security, salmy | |
| Target Milestone: | rc | Keywords: | ZStream | |
| Target Release: | 6.8 | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | 1271811 | |||
| : | 1272317 (view as bug list) | Environment: | ||
| Last Closed: | 2016-05-11 00:16:07 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 1271811 | |||
| Bug Blocks: | 1272317 | |||
|
Description
Ondrej Moriš
2015-10-15 12:41:41 UTC
Successfully reproduced and verified. Old (libreswan-3.15-2.el6) ========================== :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: Sanity :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ PASS ] :: Checking checksums count (Assert: '31' should equal '31') :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_import_crl' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_keycensor' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_pluto_adns' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_plutorun' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_secretcensor' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_stackmanager' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_updown' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_updown.klips' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_updown.netkey' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/addconn' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/auto' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/barf' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/cavp' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/eroute' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/ikeping' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/klipsdebug' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/look' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/newhostkey' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/pf_key' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/pluto' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/readwriteconf' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/rsasigkey' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/secrets' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/setup' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/showhostkey' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/spi' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/spigrp' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/tncfg' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/verify' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/whack' (Expected 0, got 0) :: [ LOG ] :: Checking that no bogus is reported (BZ#1268873) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should not contain 'Non-fips mode set' :: [ PASS ] :: File 'journal' should contain 'FIPS: pluto daemon NOT running in FIPS mode' :: [ LOG ] :: FIPS mode NOT detected - simulating it :: [ PASS ] :: Command 'touch /etc/system-fips' (Expected 0, got 0) :: [ LOG ] :: Handling correct integrity :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ FAIL ] :: File 'journal' should contain 'FIPS HMAC integrity verification test passed' :: [ LOG ] :: Duration: 19s :: [ LOG ] :: Assertions: 37 good, 1 bad :: [ FAIL ] :: RESULT: Sanity New (libreswan-3.15-5.3.el6) ============================ :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: Sanity :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ PASS ] :: Checking checksums count (Assert: '31' should equal '31') :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_import_crl' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_keycensor' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_pluto_adns' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_plutorun' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_secretcensor' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_stackmanager' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_updown' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_updown.klips' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_updown.netkey' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/addconn' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/auto' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/barf' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/cavp' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/eroute' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/ikeping' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/klipsdebug' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/look' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/newhostkey' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/pf_key' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/pluto' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/readwriteconf' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/rsasigkey' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/secrets' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/setup' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/showhostkey' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/spi' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/spigrp' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/tncfg' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/verify' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/whack' (Expected 0, got 0) :: [ LOG ] :: Checking that no bogus is reported (BZ#1268873) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should not contain 'Non-fips mode set' :: [ PASS ] :: File 'journal' should contain 'FIPS: pluto daemon NOT running in FIPS mode' :: [ LOG ] :: FIPS mode NOT detected - simulating it :: [ PASS ] :: Command 'touch /etc/system-fips' (Expected 0, got 0) :: [ LOG ] :: Handling correct integrity :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification test passed' :: [ LOG ] :: Duration: 20s :: [ LOG ] :: Assertions: 38 good, 0 bad :: [ PASS ] :: RESULT: Sanity :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: HMAC Corruption :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ PASS ] :: Corrupting /usr/libexec/ipsec/._import_crl.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ FAIL ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/._keycensor.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/._plutorun.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/._secretcensor.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/._stackmanager.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/._updown.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/._updown.klips.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/._updown.netkey.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.addconn.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.auto.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.barf.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.cavp.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ FAIL ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.eroute.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.ikeping.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.klipsdebug.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.look.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.newhostkey.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.pf_key.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.pluto.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.readwriteconf.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.rsasigkey.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.secrets.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.setup.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.showhostkey.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.spi.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.spigrp.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.tncfg.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.verify.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.whack.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/sbin/.ipsec.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ LOG ] :: Duration: 3m 38s :: [ LOG ] :: Assertions: 88 good, 2 bad :: [ FAIL ] :: RESULT: HMAC Corruption FIPS :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: HMAC Corruption :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ PASS ] :: Corrupting /usr/libexec/ipsec/._import_crl.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ FAIL ] :: Checking ipsec status (Expected 1-255, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ FAIL ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ FAIL ] :: File 'journal' should contain 'ABORT: FIPS product and kernel in FIPS mode' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/._keycensor.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 1) :: [ PASS ] :: Checking ipsec status (Expected 1-255, got 3) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: File 'journal' should contain 'ABORT: FIPS product and kernel in FIPS mode' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/._plutorun.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 1) :: [ PASS ] :: Checking ipsec status (Expected 1-255, got 3) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: File 'journal' should contain 'ABORT: FIPS product and kernel in FIPS mode' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/._secretcensor.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 1) :: [ PASS ] :: Checking ipsec status (Expected 1-255, got 3) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: File 'journal' should contain 'ABORT: FIPS product and kernel in FIPS mode' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/._stackmanager.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 1) :: [ PASS ] :: Checking ipsec status (Expected 1-255, got 3) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: File 'journal' should contain 'ABORT: FIPS product and kernel in FIPS mode' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/._updown.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 1) :: [ PASS ] :: Checking ipsec status (Expected 1-255, got 3) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: File 'journal' should contain 'ABORT: FIPS product and kernel in FIPS mode' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/._updown.klips.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 1) :: [ PASS ] :: Checking ipsec status (Expected 1-255, got 3) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: File 'journal' should contain 'ABORT: FIPS product and kernel in FIPS mode' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/._updown.netkey.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 1) :: [ PASS ] :: Checking ipsec status (Expected 1-255, got 3) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: File 'journal' should contain 'ABORT: FIPS product and kernel in FIPS mode' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.addconn.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 1) :: [ PASS ] :: Checking ipsec status (Expected 1-255, got 3) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: File 'journal' should contain 'ABORT: FIPS product and kernel in FIPS mode' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.auto.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 1) :: [ PASS ] :: Checking ipsec status (Expected 1-255, got 3) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: File 'journal' should contain 'ABORT: FIPS product and kernel in FIPS mode' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.barf.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 1) :: [ PASS ] :: Checking ipsec status (Expected 1-255, got 3) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: File 'journal' should contain 'ABORT: FIPS product and kernel in FIPS mode' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.cavp.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ FAIL ] :: Checking ipsec status (Expected 1-255, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ FAIL ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ FAIL ] :: File 'journal' should contain 'ABORT: FIPS product and kernel in FIPS mode' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.eroute.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 1) :: [ PASS ] :: Checking ipsec status (Expected 1-255, got 3) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: File 'journal' should contain 'ABORT: FIPS product and kernel in FIPS mode' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.ikeping.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 1) :: [ PASS ] :: Checking ipsec status (Expected 1-255, got 3) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: File 'journal' should contain 'ABORT: FIPS product and kernel in FIPS mode' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.klipsdebug.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 1) :: [ PASS ] :: Checking ipsec status (Expected 1-255, got 3) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: File 'journal' should contain 'ABORT: FIPS product and kernel in FIPS mode' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.look.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 1) :: [ PASS ] :: Checking ipsec status (Expected 1-255, got 3) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: File 'journal' should contain 'ABORT: FIPS product and kernel in FIPS mode' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.newhostkey.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 1) :: [ PASS ] :: Checking ipsec status (Expected 1-255, got 3) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: File 'journal' should contain 'ABORT: FIPS product and kernel in FIPS mode' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.pf_key.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 1) :: [ PASS ] :: Checking ipsec status (Expected 1-255, got 3) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: File 'journal' should contain 'ABORT: FIPS product and kernel in FIPS mode' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.pluto.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 1) :: [ PASS ] :: Checking ipsec status (Expected 1-255, got 3) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: File 'journal' should contain 'ABORT: FIPS product and kernel in FIPS mode' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.readwriteconf.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 1) :: [ PASS ] :: Checking ipsec status (Expected 1-255, got 3) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: File 'journal' should contain 'ABORT: FIPS product and kernel in FIPS mode' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.rsasigkey.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 1) :: [ PASS ] :: Checking ipsec status (Expected 1-255, got 3) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: File 'journal' should contain 'ABORT: FIPS product and kernel in FIPS mode' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.secrets.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 1) :: [ PASS ] :: Checking ipsec status (Expected 1-255, got 3) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: File 'journal' should contain 'ABORT: FIPS product and kernel in FIPS mode' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.setup.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 1) :: [ PASS ] :: Checking ipsec status (Expected 1-255, got 3) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: File 'journal' should contain 'ABORT: FIPS product and kernel in FIPS mode' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.showhostkey.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 1) :: [ PASS ] :: Checking ipsec status (Expected 1-255, got 3) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: File 'journal' should contain 'ABORT: FIPS product and kernel in FIPS mode' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.spi.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 1) :: [ PASS ] :: Checking ipsec status (Expected 1-255, got 3) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: File 'journal' should contain 'ABORT: FIPS product and kernel in FIPS mode' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.spigrp.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 1) :: [ PASS ] :: Checking ipsec status (Expected 1-255, got 3) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: File 'journal' should contain 'ABORT: FIPS product and kernel in FIPS mode' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.tncfg.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 1) :: [ PASS ] :: Checking ipsec status (Expected 1-255, got 3) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: File 'journal' should contain 'ABORT: FIPS product and kernel in FIPS mode' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.verify.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 1) :: [ PASS ] :: Checking ipsec status (Expected 1-255, got 3) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: File 'journal' should contain 'ABORT: FIPS product and kernel in FIPS mode' :: [ PASS ] :: Corrupting /usr/libexec/ipsec/.whack.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 1) :: [ PASS ] :: Checking ipsec status (Expected 1-255, got 3) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: File 'journal' should contain 'ABORT: FIPS product and kernel in FIPS mode' :: [ PASS ] :: Corrupting /usr/sbin/.ipsec.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 1) :: [ PASS ] :: Checking ipsec status (Expected 1-255, got 3) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: File 'journal' should contain 'ABORT: FIPS product and kernel in FIPS mode' :: [ LOG ] :: Duration: 7m 36s :: [ LOG ] :: Assertions: 174 good, 6 bad :: [ FAIL ] :: RESULT: HMAC Corruption Failures in NEW are tracked in BZ#1316616 proposed for 6.9.0. From 6.8.0 perspective they are expected and harmless. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0890.html |