Bug 1544143
| Summary: | ipsec newhostkey fails in FIPS mode when RSA key is generated | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Ondrej Moriš <omoris> | |
| Component: | libreswan | Assignee: | Paul Wouters <pwouters> | |
| Status: | CLOSED ERRATA | QA Contact: | Ondrej Moriš <omoris> | |
| Severity: | low | Docs Contact: | ||
| Priority: | high | |||
| Version: | 7.5 | CC: | jreznik, mgrepl, mthacker, omoris, ravpatil, tmraz | |
| Target Milestone: | rc | Keywords: | Regression, ZStream | |
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1573949 (view as bug list) | Environment: | ||
| Last Closed: | 2018-10-30 10:51:34 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1472750, 1573949 | |||
upstream patch: https://github.com/libreswan/libreswan/commit/a62f6d144e8764f0c18c446a0a173a1a5336ef3c *** Bug 1573898 has been marked as a duplicate of this bug. *** Successfully verified on all supported platforms (RHEL) and architectures (x86_64, ppc64, ppc64le, s390x) in FIPS mode. # rpm -q libreswan libreswan-3.25-2.el7.x86_64 # cat /proc/sys/crypto/fips_enabled 1 # ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.secrets --password "1a2Ikyn0h87OMKS5kNME"' ipsec newhostkey warning: --configdir is obsoleted, use --nssdir Generated RSA key pair with CKAID ec7f19d08a7d07f8150712c72f8f253e8c3600e9 was stored in the NSS database Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2018:3174 |
Description of problem: In FIPS mode, comman "ispec newhostkey" fails during HMAC integrity verification when generating RSA key: # cat /proc/sys/crypto/fips_enabled 1 # ipsec newhostkey FIPS HMAC integrity verification test failed. Apparently, it tries to verify HMAC integrity for rsasigkey binary: # strace -f ipsec newhostkey ... [pid 15129] open("/usr/lib64/fipscheck/rsasigkey.hmac", O_RDONLY) = -1 ENOENT (No such file or directory) [pid 15129] open("/usr/libexec/ipsec/.rsasigkey.hmac", O_RDONLY) = -1 ENOENT (No such file or directory) ... It is because function rsasigkey() in programs/rsasigkey/rsasigkey.c contains the following code: #ifdef FIPS_CHECK if (PK11_IsFIPS() && !FIPSCHECK_verify(NULL, NULL)) { fprintf(stderr, "FIPS HMAC integrity verification test failed.\n"); exit(1); } #endif Since RHEL-7.5 libreswan ships HMAC only for pluto binary and hence aforementioned code is no longer needed. Version-Release number of selected component (if applicable): libreswan-3.23-3.el7 How reproducible: 100% (in FIPS mode) Steps to Reproduce: 1. Enable FIPS mode 2. ipsec initnss 3. ipsec newhostkey Actual results: FIPS HMAC integrity verification test failed. Expected results: Generated RSA key pair with CKAID ... was stored in the NSS database Additional info: * When FIPS mode is disabled, RSA key is generated correctly. * This is not really a regression, since standard tools for key generation work in FIPS mode correctly (openssl, NSS, ...).