Bug 1659495

Summary: Non-approved hashes MUST NOT be allowed in enforced FIPS mode
Product: Red Hat Enterprise Linux 8
Reporter: Ondrej Moriš <omoris>
Component: libgcrypt
Assignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA
QA Contact: Daiki Ueno <dueno>
Severity: medium
Priority: medium
Version: 8.0
CC: asosedki, dueno, hkario, inikolch, ssorce
Target Milestone: rc
Keywords: Triaged
Target Release: 8.0
Hardware: All
OS: Linux
Fixed In Version: libgcrypt-1.8.3-3.el8
Last Closed: 2019-11-05 22:27:22 UTC
Type: Bug
Bug Depends On: 1682482
Attachments: Reproducer (flags: none)

Description Ondrej Moriš 2018-12-14 14:28:15 UTC
Created attachment 1514382: Reproducer

Description of problem:

On RHEL-6 and RHEL-7, libgcrypt had three FIPS modes:

 * NON-FIPS MODE
   * FIPS mode disabled and
   * no /etc/gcrypt/fips_enabled and
   * GCRYCTL_FORCE_FIPS_MODE "off"

 * SOFT-FIPS MODE
   * FIPS mode enabled or
   * GCRYCTL_FORCE_FIPS_MODE "on" or
   * /etc/gcrypt/fips_enabled exists without a non-zero value

 * ENFORCED-FIPS MODE
   * /etc/gcrypt/fips_enabled exists with a non-zero value or
   * ( GCRYCTL_FORCE_FIPS_MODE "on" or
       FIPS mode enabled or
       /etc/gcrypt/fips_enabled exists without a non-zero value
     ) and GCRYCTL_SET_ENFORCED_FIPS_FLAG "on"

In RHEL-6 and RHEL-7, MD4 was allowed in NON-FIPS MODE only. On RHEL-8, MD4 is allowed in all modes.

Version-Release number of selected component (if applicable):

libgcrypt-1.8.3-2.el8

How reproducible:

Always

Steps to Reproduce:

0. Set modes according to description.

1. Compile the attached reproducer:
   gcc -o gcrypt gcrypt.c -lgcrypt -lgpg-error

2. Execute it
   ./gcrypt --enforced-fips --md4

Actual results:

Reproducer passes in all modes.

Expected results:

Reproducer should pass only in NON-FIPS MODE.

Additional info:

N/A

Comment 1 Ondrej Moriš 2018-12-14 14:31:31 UTC
See also BZ#808520.

Comment 11 errata-xmlrpc 2019-11-05 22:27:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3605