Bug 1163462 - self-test fails when FIPS mode is enabled [rhel-7]
Summary: self-test fails when FIPS mode is enabled [rhel-7]
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openscap
Version: 7.1
Hardware: Unspecified
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Assignee: Šimon Lukašík
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On: 966529
Blocks:
Reported: 2014-11-12 18:18 UTC by Hubert Kario
Modified: 2014-12-16 21:42 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 966529
Environment:
Last Closed: 2014-12-16 21:42:53 UTC
Target Upstream Version:
Embargoed:


Description Hubert Kario 2014-11-12 18:18:00 UTC
Fail on RHEL 7 using openscap-1.0.3-2.el7.x86_64

+++ This bug was initially created as a clone of Bug #966529 +++

Description of problem:

The following tests in the self-test (also known as 'make check') are not "FIPS" compatible:

* test_probes_filehash (tests/API/crypt/test_api_crypt.sh)
* test_crapi_mdigest   (tests/API/crypt/test_api_crypt.sh)
* test_probes_filehash (tests/probes/filehash/test_probes_filehash.sh)

The reason is that they use MD5 cryptography provided by libgcrypt which is not FIPS 140-2 approved and hence the library forbids them.

Version-Release number of selected component (if applicable):

openscap-0.9.3-1.el6

How reproducible:

100 %

Steps to Reproduce:

Notice that in order to reproduce this bug, you do not need to have a machine in FIPS mode (with 1 in /proc/sys/crypto/fips_enabled). It is sufficient to turn libgcrypt into FIPS mode by creating /etc/gcrypt/fips_enabled.

1. touch /etc/gcrypt/fips_enabled
2. download and build the source rpm package
3. execute self test in the build directory

Actual results:

FAIL in FIPS mode

Expected results:

PASS in FIPS mode

Additional info:

One might detect FIPS mode of libgcrypt quite easily [1] in order to skip the problematic parts of the aforementioned tests.

[1] http://www.gnupg.org/documentation/manuals/gcrypt/Enabling-FIPS-mode.html
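
The detection suggested under "Additional info", sketched as an added example that is not part of the original report or of the openscap test suite. It checks the two indicator files named in the description; the function names, the FIPS_ROOT override (used only to point the check at a constructed directory tree) and the use of exit status 77 (the automake convention for a skipped test) are assumptions.

```shell
#!/bin/sh
# Added example: decide from a test script whether libgcrypt will start in
# FIPS mode, so MD5-based checks can be skipped instead of reported as FAIL.
# FIPS_ROOT is a hypothetical prefix for testing against a constructed tree.

# Returns 0 if libgcrypt would initialise in FIPS mode, 1 otherwise.
gcrypt_fips_active() {
    root="${FIPS_ROOT:-}"
    # Per-library switch: the mere existence of this file is sufficient.
    if [ -e "$root/etc/gcrypt/fips_enabled" ]; then
        return 0
    fi
    # System-wide switch: the kernel flag must hold a non-zero number.
    flag="$root/proc/sys/crypto/fips_enabled"
    if [ -r "$flag" ]; then
        value=$(cat "$flag" 2>/dev/null)
        case "$value" in
            ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: not enabled
        esac
        if [ "$value" -ne 0 ]; then
            return 0
        fi
    fi
    return 1
}

# Run an MD5-dependent test command unless FIPS mode is active.
# Returns 77 (automake's "skipped" status) when the test is not run.
run_md5_test() {
    if gcrypt_fips_active; then
        echo "SKIP: $1 (MD5 is unavailable in libgcrypt FIPS mode)"
        return 77
    fi
    "$@"
}

if gcrypt_fips_active; then
    echo "libgcrypt FIPS mode: on"
else
    echo "libgcrypt FIPS mode: off"
fi
```

A file check cannot see FIPS mode that an application requests programmatically at libgcrypt initialisation, so this covers only the two switches the report mentions.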

Comment 1 Šimon Lukašík 2014-11-13 10:11:45 UTC
I wonder if this is a bug in the test suite or in the product?

Comment 2 Hubert Kario 2014-11-13 11:27:52 UTC
Most likely the test suite - there are restrictions on cryptographic algorithms and key sizes which may cause tests that pass in normal mode to fail in FIPS mode - but I haven't investigated in detail.

Comment 3 Šimon Lukašík 2014-11-13 12:08:58 UTC
Ok, so this needs to be investigated!

Comment 4 Šimon Lukašík 2014-12-16 21:42:53 UTC
Investigated as per bug 966529 comment 4.

Closing as a notabug (see bug 966529 comment 5).

