Bug 689387
| Summary: | Sosreport crashes when generating md5 sum in FIPS mode | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | David Kutálek <dkutalek> |
| Component: | sos | Assignee: | Bryn M. Reeves <bmr> |
| Status: | CLOSED ERRATA | QA Contact: | BaseOS QE - Apps <qe-baseos-apps> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.1 | CC: | agk, andriusb, bmr, gavin, iboverma, prc, sgrubb, syeghiay, tcapek |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | When FIPS (Federal Information Processing Standard) compliance mode was active on the system, the sosreport program terminated with a traceback during generation of the MD5 checksum. As a consequence, no MD5 checksum was generated and no information about the name of the generated report was given, even though the report archive was generated correctly. This bug has been fixed, MD5 checksums are now generated in non-FIPS compliant mode (for compatibility with prior release) and SHA-2 checksums are generated in FIPS compliant mode. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-05-19 14:27:56 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 682670, 689963, 691449 | ||
Odd. Nothing changed here recently - is it just that this hasn't been tested before? Anyway, thanks for the heads-up - looking into this now.

Cannot reproduce with openssl 1.0.0-4.el6_0.2 on my system. Did I miss something?
# export OPENSSL_FIPS=1; openssl version; mkdir sos; sosreport --batch --tmp-dir=./sos/
OpenSSL 1.0.0-fips 29 Mar 2010
sosreport (version 2.2)
[...]
Your sosreport has been generated and saved in:
/root/sos/sosreport-rhn-support-pcarrier-20110321133428-9911.tar.xz
The md5sum is: c7a121bd0acf6ccf55d0ab0befec9911
Please send this file to your support representative.

To find out whether your system is FIPS enabled, run:
cat /proc/sys/crypto/fips_enabled
I am not sure what the official and correct way to enable it on RHEL6 is, though.

We have a problem with hashlib in FIPS mode:
# sosreport
Traceback (most recent call last):
  File "/usr/sbin/sosreport", line 18, in <module>
    from sos.sosreport import sosreport, doExitCode
  File "/usr/lib/python2.6/site-packages/sos/sosreport.py", line 40, in <module>
    import sos.policyredhat
  File "/usr/lib/python2.6/site-packages/sos/policyredhat.py", line 27, in <module>
    import hashlib
  File "/usr/lib64/python2.6/hashlib.py", line 101, in <module>
    f(usedforsecurity=False)
ValueError: error:2D07D06A:FIPS routines:EVP_DigestInit_ex:fips selftest failed
Looking into this now.. may affect other packages that use python hashlib when run with FIPS.
My openssl was out of date (1.0.0-4.el6) - -7 and -8 had a bunch of openssl FIPS fixes.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHBA-2011-0773.html
Description of problem:
In FIPS mode, sosreport always crashes during generation of md5sum. Report archive itself is generated correctly, but because of crash there is no md5sum and no info what is the name of generated report.

Version-Release number of selected component (if applicable):
sos-2.2-6.el6.noarch

How reproducible:
Always in FIPS mode

Steps to Reproduce:
1. On FIPS enabled machine, run sosreport
2.
3.

Actual results:
# sosreport --batch --tmp-dir=./
sosreport (version 2.2)
This utility will collect some detailed information about the hardware and setup of your Red Hat Enterprise Linux system. The information is collected and an archive is packaged under /tmp, which you can send to a support representative. Red Hat Enterprise Linux will use this information for diagnostic purposes ONLY and it will be considered confidential information.
This process may take a while to complete.
No changes will be made to your system.
Running plugins. Please wait ...
Completed [52/52] ...
Creating compressed archive...
Traceback (most recent call last):
  File "/usr/sbin/sosreport", line 23, in <module>
    sosreport(sys.argv[1:])
  File "/usr/lib/python2.6/site-packages/sos/sosreport.py", line 843, in sosreport
    GlobalVars.policy.displayResults()
  File "/usr/lib/python2.6/site-packages/sos/policyredhat.py", line 316, in displayResults
    self.report_md5 = md5(fp.read()).hexdigest()
ValueError: error:060800A0:digital envelope routines:EVP_DigestInit_ex:unknown cipher
# ls -l
total 1144
-rw-------. 1 root root 1167824 Mar 21 06:05 sosreport-qa.tar.xz

Expected results:
No crash, md5sum created if possible. If not (because of FIPS), create some other hash, or at least inform user that it was not produced because of its unavailability. No traceback should be produced.

Additional info:
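An added example, not part of the original report and not the sos project's own code: one way to produce the checksum as the expected results ask, using SHA-256 (an assumed choice from the SHA-2 family) when `/proc/sys/crypto/fips_enabled` reads 1 and falling back to it if OpenSSL refuses MD5. The function names and the temporary flag and archive files in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile

FIPS_FLAG = "/proc/sys/crypto/fips_enabled"  # path quoted in the report


def fips_enabled(flag_path=FIPS_FLAG):
    """Return True when the kernel flag reads 1; False if it is absent."""
    try:
        with open(flag_path) as fp:
            return fp.read().strip() == "1"
    except OSError:
        return False


def new_digest(fips):
    """Pick the hash: SHA-256 under FIPS, MD5 otherwise (with a fallback)."""
    if fips:
        return "sha256", hashlib.sha256()
    try:
        return "md5", hashlib.md5()
    except ValueError:
        # OpenSSL refused MD5 (the ValueError in the traceback); do not crash.
        return "sha256", hashlib.sha256()


def archive_checksum(path, flag_path=FIPS_FLAG, chunk=1 << 20):
    """Hash the archive in chunks and return (algorithm_name, hexdigest)."""
    name, digest = new_digest(fips_enabled(flag_path))
    with open(path, "rb") as fp:
        for block in iter(lambda: fp.read(chunk), b""):
            digest.update(block)
    return name, digest.hexdigest()


def demo():
    """Run against constructed files standing in for the flag and archive."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        archive = os.path.join(tmp, "sosreport-example.tar.xz")  # constructed
        with open(archive, "wb") as fp:
            fp.write(b"constructed archive bytes")
        for value in ("0", "1"):
            flag = os.path.join(tmp, "fips_enabled")
            with open(flag, "w") as fp:
                fp.write(value + "\n")
            results[value] = archive_checksum(archive, flag)
    return results
```

Reporting the algorithm name alongside the digest lets the caller print "The sha256sum is:" instead of a misleading md5 label, and the chunked read avoids loading the whole archive into memory as `md5(fp.read())` did.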