| Summary: | libreswan FIPS test mistakenly looks for non-existent file hashes and reports FIPS failure | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Marcel Kolaja <mkolaja> |
| Component: | libreswan | Assignee: | Paul Wouters <pwouters> |
| Status: | CLOSED ERRATA | QA Contact: | Ondrej Moriš <omoris> |
| Severity: | urgent | Docs Contact: | Mirek Jahoda <mjahoda> |
| Priority: | urgent | ||
| Version: | 7.3 | CC: | fkrska, jkurik, jreznik, lmiksik, mjahoda, omoris, pwouters |
| Target Milestone: | rc | Keywords: | Reopened, ZStream |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | libreswan-3.15-6.2.el7_2 | Doc Type: | Bug Fix |
| Doc Text: | Previously, Libreswan tried to delete non-existing IPsec Security Associations (SAs). As a consequence, the pluto IKE daemon terminated unexpectedly and then restarted. With this update, Libreswan no longer tries to delete non-existing IPsec SAs, and thus no longer causes the pluto daemon to crash. | Story Points: | --- |
| Clone Of: | 1271811 | Environment: | |
| Last Closed: | 2016-11-09 17:16:24 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | 1271811 | ||
| Bug Blocks: | |||
|
Description
Marcel Kolaja
2016-09-06 10:47:28 UTC
There is one issue left:

:: [ PASS ] :: Corrupting /usr/lib64/fipscheck/secrets.hmac
:: [ PASS ] :: Starting ipsec
:: [ PASS ] :: Checking ipsec status
:: [ PASS ] :: Stopping ipsec
:: [ FAIL ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE'

IOW, there is a hmac file for /usr/libexec/ipsec/setup but it is not checked since setup is missing in programs/pluto/fips.h. When compared to the 7.3 version of libreswan, there are two changes actually:

# diff fips.h.3.15-6.1.el7_2 fips.h.3.15-6.el7 20c20 < # include <fipscheck.h> /* from fipscheck devel */ --- > # include <fipscheck.h> 35a36 > IPSEC_EXECDIR "/cavp", 39a41 > IPSEC_EXECDIR "/secrets",

Removing cavp is perfectly fine since it is just a testing binary.

Ahh, those changes are due to me backporting from upstream :( The "secrets" was just a shell script calling ipsec whack --rereadsecrets, so we had moved that functionality into the ipsec command directly. Which is why the check for secrets disappeared in later versions. But 3.15 still has the command so the check needs to be there.

Since we needed to add secrets, I also re-added cavp. Why not.

While doing testing, I also found _pluto_adns was not checked. It turns out the define for HAVE_ADNS was lost in the Makefile somewhere, and I just re-added it without the ifdef around it.

I've compared the list of hmac files installed by the rpm, and those found by running strace -v -f ipsec pluto and these now match.
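Review bot: in the 39a41 hunk the entry absent from the 3.15-6.1.el7_2 copy is `IPSEC_EXECDIR "/secrets",`, which matches the failing secrets.hmac corruption test, while the description names setup as the missing entry; confirm which name is meant before restoring entries. The 35a36 and 39a41 hunks also show that this list is maintained by hand, so a packaging-time test that compares it with the .hmac files the rpm installs would catch an entry dropped by a backport.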
Commands used in my test:

rpm -ql libreswan |grep hmac
strace -v -f ipsec pluto --nofork 2>&1 | grep open | grep hmac

This has been resolved in the new build libreswan-3.15-6.2.el7

Successfully verified on all architectures:

OLD (libreswan-3.15-5.el7_1)
============================
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: Sanity :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ PASS ] :: Checking checksums count (Assert: '31' should equal '31') :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_import_crl' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_keycensor' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_pluto_adns' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_plutorun' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_secretcensor' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_stackmanager' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_updown' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_updown.klips' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_updown.netkey' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/addconn' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/auto' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/barf' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/cavp' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/eroute' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/ikeping' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/klipsdebug' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/look' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck
/usr/libexec/ipsec/newhostkey' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/pf_key' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/pluto' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/readwriteconf' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/rsasigkey' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/secrets' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/setup' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/showhostkey' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/spi' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/spigrp' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/tncfg' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/verify' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/whack' (Expected 0, got 0) :: [ LOG ] :: Checking that no bogus is reported (BZ#1268873) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should not contain 'Non-fips mode set' :: [ PASS ] :: File 'journal' should contain 'FIPS: pluto daemon NOT running in FIPS mode' :: [ LOG ] :: FIPS mode NOT detected - simulating it :: [ PASS ] :: Command 'touch /etc/system-fips' (Expected 0, got 0) :: [ LOG ] :: Handling correct integrity :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification test passed' :: [ LOG ] :: Duration: 30s :: [ LOG ] :: Assertions: 40 good, 0 bad :: [ PASS ] :: RESULT: Sanity :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: HMAC Corruption 
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/_import_crl.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ FAIL ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/_keycensor.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/_plutorun.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/_secretcensor.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/_stackmanager.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/_updown.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] 
:: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/_updown.klips.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/_updown.netkey.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/addconn.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/auto.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/barf.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/eroute.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' 
should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/ikeping.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/ipsec.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/klipsdebug.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/look.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/newhostkey.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/pf_key.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC 
integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/pluto.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/readwriteconf.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/rsasigkey.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/secrets.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/setup.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/showhostkey.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity 
verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/spi.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/spigrp.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/tncfg.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/verify.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/whack.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ LOG ] :: Duration: 5m 49s :: [ LOG ] :: Assertions: 144 good, 1 bad :: [ FAIL ] :: RESULT: HMAC Corruption See TJ#1550979 for more details. 
NEW (libreswan-3.15-6.2.el7_2) ============================== :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: Sanity :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ PASS ] :: Checking checksums count (Assert: '31' should equal '31') :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_import_crl' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_keycensor' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_pluto_adns' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_plutorun' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_secretcensor' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_stackmanager' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_updown' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_updown.klips' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/_updown.netkey' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/addconn' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/auto' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/barf' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/cavp' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/eroute' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/ikeping' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/klipsdebug' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/look' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/newhostkey' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/pf_key' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/pluto' (Expected 0, got 0) :: [ PASS ] 
:: Command 'fipscheck /usr/libexec/ipsec/readwriteconf' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/rsasigkey' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/secrets' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/setup' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/showhostkey' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/spi' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/spigrp' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/tncfg' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/verify' (Expected 0, got 0) :: [ PASS ] :: Command 'fipscheck /usr/libexec/ipsec/whack' (Expected 0, got 0) :: [ LOG ] :: Checking that no bogus is reported (BZ#1268873) :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should not contain 'Non-fips mode set' :: [ PASS ] :: File 'journal' should contain 'FIPS: pluto daemon NOT running in FIPS mode' :: [ LOG ] :: FIPS mode NOT detected - simulating it :: [ PASS ] :: Command 'touch /etc/system-fips' (Expected 0, got 0) :: [ LOG ] :: Handling correct integrity :: [ PASS ] :: Starting ipsec (Expected 0, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification test passed' :: [ LOG ] :: Duration: 30s :: [ LOG ] :: Assertions: 40 good, 0 bad :: [ PASS ] :: RESULT: Sanity :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: HMAC Corruption :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/_import_crl.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec 
status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/_keycensor.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/_plutorun.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/_secretcensor.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/_stackmanager.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/_updown.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/_updown.klips.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec 
status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/_updown.netkey.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/addconn.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/auto.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/barf.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/eroute.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/ikeping.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 
0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/ipsec.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/klipsdebug.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/look.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/newhostkey.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/pf_key.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/pluto.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping 
ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/readwriteconf.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/rsasigkey.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/secrets.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/setup.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/showhostkey.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/spi.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, 
got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/spigrp.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/tncfg.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/verify.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ PASS ] :: Corrupting /usr/lib64/fipscheck/whack.hmac (Expected 0, got 0) :: [ PASS ] :: Starting ipsec (Expected 0-255, got 0) :: [ PASS ] :: Checking ipsec status (Expected 0, got 0) :: [ PASS ] :: Stopping ipsec (Expected 0, got 0) :: [ PASS ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' :: [ LOG ] :: Duration: 5m 48s :: [ LOG ] :: Assertions: 145 good, 0 bad :: [ PASS ] :: RESULT: HMAC Corruption

See TJ#1550913 for more details.

This bug still has FailedQA set. Can that flag be cleared? It shows up in the errata as a problem.

I cleared it now, Paul. It is set automatically when a bug goes from ON_QA back to ASSIGNED. Unfortunately, it is not cleared automatically when it goes to ON_QA again (which would make sense to me).

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2683.html
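The comparison described in the comments above (hmac files installed by the rpm versus hmac files opened under strace) can be scripted so that a mismatch in either direction is reported. This is an added example, not part of the original bug report or of libreswan; the function names, the sample inputs and the `example_helper.hmac` path are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the fipscheck .hmac files a package ships with the
# ones the daemon actually opens, using saved output of the two commands
# quoted in the report. Function names and sample data are constructed.

# .hmac paths from `rpm -ql <package>` output on stdin, sorted and unique.
shipped_hmacs() {
    grep -E '\.hmac$' | LC_ALL=C sort -u
}

# .hmac paths from strace output on stdin, sorted and unique.
#   $1 = ok  : only opens that succeeded (the checksum file was really read)
#   $1 = any : every attempted open, including failures such as ENOENT
traced_hmacs() {
    grep -E 'open(at)?\(' | grep -F '.hmac"' |
    if [ "$1" = ok ]; then grep -v -e '= -1 '; else cat; fi |
    sed -E 's/.*"([^"]*\.hmac)".*/\1/' | LC_ALL=C sort -u
}

# Report both kinds of drift between package contents and runtime checks:
#   UNCHECKED <path>  shipped, but never opened successfully at start-up
#   MISSING <path>    looked for at start-up, but not shipped by the package
#   $1 = file holding `rpm -ql` output, $2 = file holding strace output
hmac_audit() (
    tmp=$(mktemp -d) || exit 1
    shipped_hmacs    <"$1" >"$tmp/shipped"
    traced_hmacs ok  <"$2" >"$tmp/opened"
    traced_hmacs any <"$2" >"$tmp/wanted"
    LC_ALL=C comm -23 "$tmp/shipped" "$tmp/opened" | sed 's/^/UNCHECKED /'
    LC_ALL=C comm -13 "$tmp/shipped" "$tmp/wanted" | sed 's/^/MISSING /'
    rm -rf "$tmp"
)

# Run the audit on constructed sample data (not output from a real system).
demo() (
    dir=$(mktemp -d) || exit 1
    # Constructed sample of: rpm -ql libreswan | grep hmac
    cat >"$dir/rpm.txt" <<'EOF'
/usr/lib64/fipscheck/pluto.hmac
/usr/lib64/fipscheck/secrets.hmac
/usr/lib64/fipscheck/setup.hmac
/usr/lib64/fipscheck/whack.hmac
EOF
    # Constructed sample of: strace -v -f ipsec pluto --nofork 2>&1 | grep open
    # example_helper.hmac is a hypothetical name for a file that is not shipped.
    cat >"$dir/strace.txt" <<'EOF'
[pid  2101] open("/etc/ipsec.conf", O_RDONLY) = 4
[pid  2101] open("/usr/lib64/fipscheck/pluto.hmac", O_RDONLY) = 5
[pid  2101] open("/usr/lib64/fipscheck/setup.hmac", O_RDONLY) = 5
[pid  2101] open("/usr/lib64/fipscheck/whack.hmac", O_RDONLY) = 5
[pid  2101] open("/usr/lib64/fipscheck/example_helper.hmac", O_RDONLY) = -1 ENOENT (No such file or directory)
EOF
    hmac_audit "$dir/rpm.txt" "$dir/strace.txt"
    rm -rf "$dir"
)

demo
```

An UNCHECKED line corresponds to the situation in this report, where corrupting a shipped checksum file goes unnoticed; a MISSING line corresponds to the daemon looking for a checksum file the package does not contain.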