Red Hat Bugzilla – Bug 1271811
libreswan FIPS test mistakenly looks for non-existent file hashes and reports FIPS failure
Last modified: 2016-11-08 06:20:55 EST
Description of problem:
libreswan FIPS test mistakenly looks for non-existent file hashes and reports FIPS failure.

For example, /usr/libexec/ipsec/_updown.mast is no longer installed because we compile with USE_MAST=false, but this did not properly update the file list for FIPS files, so booting in FIPS would fail.

Fix for this upstream: https://github.com/libreswan/libreswan/commit/19b50a501772a06fb7648b531852fb588efb0021
This bug has been closed as CURRENTRELEASE due to delivery of the fix in a z-stream. As the component is not on ACL, the fix is currently included in y-stream as well. For more information please see the zstream process documentation:
* https://engineering.redhat.com/trac/ZStream/attachment/wiki/WikiStart/Z-Stream_process_update_4.odp
Reopening the bug as the respective patch is missing in the code and it has to be fixed in 7.3.0.
(In reply to Karel Srot from comment #8)
> Reopening the bug as the respective patch is missing in the code and it has
> to be fixed in 7.3.0.

Let me clarify this confusing issue. I just carefully checked which version of libreswan is affected:

a) [NOT AFFECTED] libreswan-3.12-10.1.el7_1 (ER#20182, 7.1.z, 2015-Jun-23)
==========================================================================
pluto[22827]: FIPS: pluto daemon running in FIPS mode
pluto[22827]: FIPS HMAC integrity verification test passed
pluto[22827]: FIPS Kernel Mode detected
pluto[22827]: FIPS Product detected (/etc/system-fips)

b) [NOT AFFECTED] libreswan-3.15-5.el7_1 (ER#21591, 7.1.z, 2015-Nov-04)
=======================================================================
pluto[21867]: FIPS: pluto daemon running in FIPS mode
pluto[21867]: FIPS HMAC integrity verification test passed
pluto[21867]: FIPS Kernel Mode detected
pluto[21867]: FIPS Product detected (/etc/system-fips)

c) [NOT AFFECTED] libreswan-3.15-6.el7.x86_64 (ER#24004, 7.3.0, 2017-Oct-25)
============================================================================
pluto[20850]: FIPS: pluto daemon running in FIPS mode
pluto[20850]: FIPS HMAC integrity verification test passed
pluto[20850]: FIPS Kernel Mode detected
pluto[20850]: FIPS Product detected (/etc/system-fips)

The only affected version is libreswan-3.15-2.el7_1.x86_64, which was never publicly released AFAIK. It was just a working version in ER#21591:

d) [AFFECTED] libreswan-3.15-2.el7_1 (NOT RELEASED)
===================================================
pluto[8536]: ABORT: FIPS product and kernel in FIPS mode
pluto[8536]: FIPS HMAC integrity verification FAILURE
pluto[8536]: FIPS Kernel Mode detected
pluto[8536]: FIPS Product detected (/etc/system-fips)

The problem in 3.15-2.el7_1 was caused by the fact that the _updown.mast binary was not present in the build but was kept in the list of binaries for fipscheck at the same time.
Since ER#21591 (2015-Nov-04) we are checking [1] that
* every binary from the package has its hmac file,
* every hmac file in the package has a corresponding binary,
* ipsec service correctly starts with FIPS disabled and enabled,
* hmac files are correct (via fipscheck) and
* corruption of a hmac file has the desired effect:
  - ipsec service fails to start with FIPS mode enabled,
  - ipsec service complains but starts with FIPS mode disabled.

Nevertheless, (c) proves that this issue is no longer present; see [2] for more details.

[1] TC#510244 - /CoreOS/libreswan/Sanity/integrity
[2] CR#12948479
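The checks listed in the comment above, carried out over a constructed install tree, as an added example that is neither libreswan's nor fipscheck's own code. It assumes a sidecar layout of `/dir/.name.hmac` and a constructed key; it verifies the file list in both directions and shows why a binary left on the list after it stopped being built (the _updown.mast case) makes the integrity test fail, and what a corrupted hmac file looks like to the check.

```python
import hashlib
import hmac
import os
import tempfile

DEMO_KEY = b"constructed-demo-key"  # constructed; fipscheck uses its own fixed key

def hmac_path_for(binary_path):
    """Sidecar /dir/.name.hmac (layout assumed for this example)."""
    d, name = os.path.split(binary_path)
    return os.path.join(d, "." + name + ".hmac")

def compute_hmac(path, key=DEMO_KEY):
    with open(path, "rb") as f:
        return hmac.new(key, f.read(), hashlib.sha256).hexdigest()

def audit(expected_binaries, root):
    """Returns (listed_but_missing, without_hmac, bad_hmac, orphan_hmacs).
    A listed binary that is not installed (the _updown.mast case) lands in
    listed_but_missing; the real integrity test would abort in FIPS mode."""
    missing, no_hmac, bad, orphans = [], [], [], []
    for rel in expected_binaries:
        path = os.path.join(root, rel)
        side = hmac_path_for(path)
        if not os.path.exists(path):
            missing.append(rel)
        elif not os.path.exists(side):
            no_hmac.append(rel)
        else:
            with open(side) as f:
                if not hmac.compare_digest(f.read().strip(), compute_hmac(path)):
                    bad.append(rel)
    # Reverse direction: every .hmac file must belong to an installed binary.
    for d, _, files in os.walk(root):
        for fn in files:
            if fn.startswith(".") and fn.endswith(".hmac") and not os.path.exists(os.path.join(d, fn[1:-5])):
                orphans.append(os.path.relpath(os.path.join(d, fn), root))
    return missing, no_hmac, bad, orphans

def demo(corrupt=False):
    """Constructed tree: pluto built with matching hmac, _updown.mast not built."""
    root = tempfile.mkdtemp()
    bindir = os.path.join(root, "usr/libexec/ipsec")
    os.makedirs(bindir)
    pluto = os.path.join(bindir, "pluto")
    with open(pluto, "wb") as f:
        f.write(b"\x7fELF constructed pluto bytes")
    with open(hmac_path_for(pluto), "w") as f:
        f.write(("0" * 64 if corrupt else compute_hmac(pluto)) + "\n")
    stale = ["usr/libexec/ipsec/pluto", "usr/libexec/ipsec/_updown.mast"]
    return audit(stale, root), audit(stale[:1], root)  # stale list vs fixed list
```

The first tuple returned by `demo()` reproduces the bug (the stale list names a binary that is not installed); the second shows the same tree passing once the list is corrected.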
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-2603.html