Bug 814983

Summary: yum install fails in FIPS mode
Product: Red Hat Enterprise Linux 5
Reporter: Miroslav Vadkerti <mvadkert>
Component: yum
Assignee: James Antill <james.antill>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Priority: high
Version: 5.9
CC: ksrot, nhorman, tmraz
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-04-23 08:43:38 EDT
Type: Bug
Attachments: [PATCH] vlan: filter device events on bonds (flags: none)

Description Miroslav Vadkerti 2012-04-21 17:04:33 EDT
Description of problem:
yum install fails in FIPS mode (see reproducer)

# yum -y reinstall openssl
malloc: using debugging hooks
Loaded plugins: katello, product-id, rhnplugin, security, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
Setting up Reinstall Process
digest.c(151): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored
Aborted

Version-Release number of selected component (if applicable):
yum-3.2.22-39.el5
openssl-0.9.8e-22.el5_8.2

How reproducible:
100% on i386

Steps to Reproduce:
1. Install EL5.8
2. Remove prelink
# prelink -u -a
# yum -y 
3. Switch to FIPS
4. yum install anything
  
Actual results:
digest.c(151): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored
Aborted

Expected results:
No error and yum works

Additional info:
I assume this is a yum issue, but feel free to reassign to openssl if needed.
Tested only on i386 architecture. Tested also with older openssl, doesn't seem to be a regression in openssl (found while testing openssl ASYNC)
Comment 1 Karel Srot 2012-04-23 04:12:32 EDT
Just for reference the RHEL6 fixed bug is bug 541974.
Comment 2 James Antill 2012-04-23 08:43:38 EDT
I'm sure this was discussed in previous bugs ... the problems are:

1. If the repos. you are using have MD5 checksummed metadata ... yum will need to call MD5.

2. It's possible there are still bugs where yum calls MD5 routines where it doesn't need to, esp. in RHEL-5.

3. OpenSSL MD5 calls abort() in FIPS mode ... even if the usage was not in a security context.
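
As an added illustration of point 1 in the comment above (not yum's own code and not part of the original bug report): a check of a repository's repomd.xml for checksum types that a FIPS-mode OpenSSL would refuse to compute. The sample XML is constructed, and the FIPS_OK set and function names are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

REPO_NS = "{http://linux.duke.edu/metadata/repo}"
# Assumption: digests treated as FIPS-approved for this audit.
# "sha" is the repodata spelling of SHA-1.
FIPS_OK = {"sha", "sha1", "sha224", "sha256", "sha384", "sha512"}

# Constructed sample; checksum values are placeholders, not real digests.
SAMPLE_REPOMD = """<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary">
    <location href="repodata/primary.xml.gz"/>
    <checksum type="md5">PLACEHOLDER</checksum>
    <open-checksum type="md5">PLACEHOLDER</open-checksum>
  </data>
  <data type="filelists">
    <location href="repodata/filelists.xml.gz"/>
    <checksum type="sha256">PLACEHOLDER</checksum>
    <open-checksum type="sha256">PLACEHOLDER</open-checksum>
  </data>
</repomd>
"""

def fips_enabled(path="/proc/sys/crypto/fips_enabled"):
    """True when the kernel reports FIPS mode; False if the file is absent."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False

def forbidden_checksums(repomd_xml):
    """Return sorted (data type, element, algorithm) for non-approved digests."""
    root = ET.fromstring(repomd_xml)
    hits = set()
    for data in root.iter(REPO_NS + "data"):
        for tag in ("checksum", "open-checksum"):
            for node in data.findall(REPO_NS + tag):
                algo = (node.get("type") or "").lower()
                if algo not in FIPS_OK:
                    hits.add((data.get("type"), tag, algo))
    return sorted(hits)

if __name__ == "__main__":
    for dtype, tag, algo in forbidden_checksums(SAMPLE_REPOMD):
        print("%s: <%s> uses %s" % (dtype, tag, algo))
    print("FIPS mode enabled on this host:", fips_enabled())
```

Any entry this reports is metadata a client can only verify by calling the flagged digest, which is the case the comment describes.
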
Comment 3 Neil Horman 2012-07-20 15:59:49 EDT
Created attachment 599453 [details]
[PATCH] vlan: filter device events on bonds


Since bond masters and slaves only have separate vlan groups now, the
vlan_device_event handler has to be taught to ignore network events from slave
devices when they're truly attached to the bond master.  We do this by looking
up the network device of a given vid on both the slave and its master.  If they
match, then we're processing an event for a physical device that we don't really
care about (since the master's events are really what we're interested in).

This patch adds that comparison, and allows us to filter those slave events that
the vlan code should ignore.
---
 net/8021q/vlan.c |   64 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 64 insertions(+), 0 deletions(-)
Comment 4 Neil Horman 2012-07-20 16:02:23 EDT
sorry, wrong bug, ignore last post