Bug 1373458 - libreswan FIPS test mistakenly looks for non-existent file hashes and reports FIPS failure
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libreswan
Version: 7.3
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Paul Wouters
QA Contact: Ondrej Moriš
Docs Contact: Mirek Jahoda
URL:
Whiteboard:
Depends On: 1271811
Blocks:
Reported: 2016-09-06 10:47 UTC by Marcel Kolaja
Modified: 2016-11-09 17:16 UTC

Fixed In Version: libreswan-3.15-6.2.el7_2
Doc Type: Bug Fix
Doc Text:
Previously, Libreswan tried to delete non-existing IPsec Security Associations (SAs). As a consequence, the pluto IKE daemon terminated unexpectedly and then restarted. With this update, Libreswan no longer tries to delete non-existing IPsec SAs, and thus no longer causes the pluto daemon to crash.
Clone Of: 1271811
Environment:
Last Closed: 2016-11-09 17:16:24 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2683 0 normal SHIPPED_LIVE libreswan bug fix update 2016-11-09 22:09:44 UTC

Description Marcel Kolaja 2016-09-06 10:47:28 UTC
This bug has been copied from bug #1271811 and has been proposed
to be backported to 7.2 z-stream (EUS).

Comment 4 Ondrej Moriš 2016-09-09 10:42:54 UTC
There is one issue left:

:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/secrets.hmac
:: [   PASS   ] :: Starting ipsec 
:: [   PASS   ] :: Checking ipsec status
:: [   PASS   ] :: Stopping ipsec
:: [   FAIL   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 

IOW, there is a hmac file for /usr/libexec/ipsec/setup but it is not checked since setup is missing in programs/pluto/fips.h. When compared to 7.3 version of libreswan, there are two changes actually:

# diff fips.h.3.15-6.1.el7_2 fips.h.3.15-6.el7 
20c20
< # include <fipscheck.h>	/* from fipscheck devel */
---
> # include <fipscheck.h>
35a36
> 				IPSEC_EXECDIR "/cavp",
39a41
> 				IPSEC_EXECDIR "/secrets",
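
Review bot: in the 39a41 hunk, IPSEC_EXECDIR "/secrets" appears only in the right-hand file (3.15-6.el7), so the 3.15-6.1.el7_2 list never verifies secrets.hmac, which matches the run above where corrupting /usr/lib64/fipscheck/secrets.hmac produces no 'FIPS HMAC integrity verification FAILURE' in the journal. Re-add the entry to the z-stream list, and because the list is maintained by hand, compare it against the .hmac files the package installs at build or test time so that a dropped entry is caught automatically.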

Removing cavp is perfectly fine since it is just a testing binary.

Comment 5 Paul Wouters 2016-09-09 16:15:22 UTC
Ahh, those changes are due to me backporting from upstream :(

The "secrets" was just a shell script calling ipsec whack --rereadsecrets, so we had moved that functionality into the ipsec command directly. Which is why the check for secrets disappeared in later versions. But 3.15 still has the command so the check needs to be there.

Since we needed to add secrets, I also re-added cavp. Why not.

While doing testing, I also found _pluto_adns was not checked. It turns out the define for HAVE_ADNS was lost in the Makefile somewhere, and I just re-added it without the ifdef around it.

I've compared the list of hmac files installed by the rpm, and those found by running strace -v -f ipsec pluto and these now match. Commands used in my test:

rpm -ql libreswan |grep hmac
strace -v -f ipsec pluto --nofork 2>&1 | grep open | grep hmac 

This has been resolved in the new build libreswan-3.15-6.2.el7
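
The comparison described in Comment 5, as an added example that is not part of the original bug report: a shell script that compares the .hmac files a package ships with the .hmac files the daemon opens under strace, in both directions (shipped but never checked, and looked for but not present). The function names, the sample listings and the example_helper.hmac path are constructed for illustration; on a real system the two input files would be the saved output of the rpm and strace commands quoted in Comment 5.

```shell
#!/bin/sh
# Added example (not from the bug report). Finds drift between the .hmac files
# a package ships and the .hmac files the daemon opens during its self-test.

# .hmac paths listed in saved `rpm -ql <package>` output (file $1).
shipped_hmacs() {
    grep '\.hmac$' "$1" | LC_ALL=C sort -u
}

# .hmac paths in saved strace output (file $1) whose open()/openat() succeeded.
opened_hmacs() {
    grep -E 'open(at)?\(' "$1" | grep -v ' = -1 ' |
        sed -n 's/.*"\([^"]*\.hmac\)".*/\1/p' | LC_ALL=C sort -u
}

# .hmac paths the daemon looked for but that do not exist (ENOENT).
phantom_hmacs() {
    grep -E 'open(at)?\(' "$1" | grep ' = -1 ENOENT' |
        sed -n 's/.*"\([^"]*\.hmac\)".*/\1/p' | LC_ALL=C sort -u
}

# Shipped but never opened: corrupting these files would go unnoticed.
# $1 = rpm listing, $2 = strace log.
unchecked_hmacs() {
    _a=$(mktemp) _b=$(mktemp)
    shipped_hmacs "$1" > "$_a"
    opened_hmacs "$2" > "$_b"
    LC_ALL=C comm -23 "$_a" "$_b"
    rm -f "$_a" "$_b"
}

# Write constructed sample inputs into directory $1 (not real captures).
make_samples() {
    cat > "$1/rpm.txt" <<'EOF'
/usr/lib64/fipscheck/_pluto_adns.hmac
/usr/lib64/fipscheck/pluto.hmac
/usr/lib64/fipscheck/secrets.hmac
/usr/lib64/fipscheck/setup.hmac
/usr/libexec/ipsec/pluto
/usr/libexec/ipsec/secrets
EOF
    cat > "$1/strace.txt" <<'EOF'
[pid  2101] open("/usr/libexec/ipsec/pluto", O_RDONLY) = 4
[pid  2101] open("/usr/lib64/fipscheck/pluto.hmac", O_RDONLY) = 5
[pid  2101] open("/usr/libexec/ipsec/setup", O_RDONLY) = 4
[pid  2101] open("/usr/lib64/fipscheck/setup.hmac", O_RDONLY) = 5
[pid  2101] open("/usr/lib64/fipscheck/example_helper.hmac", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  2101] stat("/etc/system-fips", {st_mode=S_IFREG|0644, st_size=0}) = 0
EOF
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
echo "Shipped but never opened (integrity not verified):"
unchecked_hmacs "$demo_dir/rpm.txt" "$demo_dir/strace.txt"
echo "Looked for but not present (would report a false FIPS failure):"
phantom_hmacs "$demo_dir/strace.txt"
rm -rf "$demo_dir"
```

Both lists should be empty on a correct build; any path in the first list is an .hmac file whose corruption the daemon will not detect.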

Comment 6 Ondrej Moriš 2016-10-13 12:35:43 UTC
Successfully verified on all architectures:

OLD (libreswan-3.15-5.el7_1)
============================

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Sanity
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Checking checksums count (Assert: '31' should equal '31')
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/_import_crl' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/_keycensor' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/_pluto_adns' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/_plutorun' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/_secretcensor' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/_stackmanager' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/_updown' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/_updown.klips' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/_updown.netkey' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/addconn' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/auto' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/barf' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/cavp' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/eroute' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/ikeping' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/klipsdebug' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/look' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/newhostkey' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/pf_key' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/pluto' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/readwriteconf' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/rsasigkey' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/secrets' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/setup' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/showhostkey' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/spi' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/spigrp' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/tncfg' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/verify' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/whack' (Expected 0, got 0)
:: [   LOG    ] :: Checking that no bogus is reported (BZ#1268873)
:: [   PASS   ] :: Starting ipsec (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should not contain 'Non-fips mode set' 
:: [   PASS   ] :: File 'journal' should contain 'FIPS: pluto daemon NOT running in FIPS mode' 
:: [   LOG    ] :: FIPS mode NOT detected - simulating it
:: [   PASS   ] :: Command 'touch /etc/system-fips' (Expected 0, got 0)
:: [   LOG    ] :: Handling correct integrity
:: [   PASS   ] :: Starting ipsec (Expected 0, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification test passed' 
:: [   LOG    ] :: Duration: 30s
:: [   LOG    ] :: Assertions: 40 good, 0 bad
:: [   PASS   ] :: RESULT: Sanity

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: HMAC Corruption
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/_import_crl.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   FAIL   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/_keycensor.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/_plutorun.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/_secretcensor.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/_stackmanager.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/_updown.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/_updown.klips.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/_updown.netkey.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/addconn.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/auto.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/barf.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/eroute.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/ikeping.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/ipsec.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/klipsdebug.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/look.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/newhostkey.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/pf_key.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/pluto.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/readwriteconf.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/rsasigkey.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/secrets.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/setup.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/showhostkey.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/spi.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/spigrp.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/tncfg.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/verify.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/whack.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   LOG    ] :: Duration: 5m 49s
:: [   LOG    ] :: Assertions: 144 good, 1 bad
:: [   FAIL   ] :: RESULT: HMAC Corruption

See TJ#1550979 for more details.

NEW (libreswan-3.15-6.2.el7_2)
==============================

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Sanity
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Checking checksums count (Assert: '31' should equal '31')
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/_import_crl' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/_keycensor' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/_pluto_adns' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/_plutorun' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/_secretcensor' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/_stackmanager' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/_updown' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/_updown.klips' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/_updown.netkey' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/addconn' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/auto' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/barf' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/cavp' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/eroute' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/ikeping' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/klipsdebug' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/look' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/newhostkey' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/pf_key' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/pluto' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/readwriteconf' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/rsasigkey' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/secrets' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/setup' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/showhostkey' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/spi' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/spigrp' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/tncfg' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/verify' (Expected 0, got 0)
:: [   PASS   ] :: Command 'fipscheck /usr/libexec/ipsec/whack' (Expected 0, got 0)
:: [   LOG    ] :: Checking that no bogus is reported (BZ#1268873)
:: [   PASS   ] :: Starting ipsec (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should not contain 'Non-fips mode set' 
:: [   PASS   ] :: File 'journal' should contain 'FIPS: pluto daemon NOT running in FIPS mode' 
:: [   LOG    ] :: FIPS mode NOT detected - simulating it
:: [   PASS   ] :: Command 'touch /etc/system-fips' (Expected 0, got 0)
:: [   LOG    ] :: Handling correct integrity
:: [   PASS   ] :: Starting ipsec (Expected 0, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification test passed' 
:: [   LOG    ] :: Duration: 30s
:: [   LOG    ] :: Assertions: 40 good, 0 bad
:: [   PASS   ] :: RESULT: Sanity

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: HMAC Corruption
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/_import_crl.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/_keycensor.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/_plutorun.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/_secretcensor.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/_stackmanager.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/_updown.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/_updown.klips.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/_updown.netkey.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/addconn.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/auto.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/barf.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/eroute.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/ikeping.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/ipsec.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/klipsdebug.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/look.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/newhostkey.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/pf_key.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/pluto.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/readwriteconf.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/rsasigkey.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/secrets.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/setup.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/showhostkey.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/spi.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/spigrp.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/tncfg.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/verify.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   PASS   ] :: Corrupting /usr/lib64/fipscheck/whack.hmac (Expected 0, got 0)
:: [   PASS   ] :: Starting ipsec (Expected 0-255, got 0)
:: [   PASS   ] :: Checking ipsec status (Expected 0, got 0)
:: [   PASS   ] :: Stopping ipsec (Expected 0, got 0)
:: [   PASS   ] :: File 'journal' should contain 'FIPS HMAC integrity verification FAILURE' 
:: [   LOG    ] :: Duration: 5m 48s
:: [   LOG    ] :: Assertions: 145 good, 0 bad
:: [   PASS   ] :: RESULT: HMAC Corruption

See TJ#1550913 for more details.

Comment 7 Paul Wouters 2016-11-08 06:25:37 UTC
This bug still has FailedQA set. Can that flag be cleared? It shows up in the errata as a problem.

Comment 8 Ondrej Moriš 2016-11-08 08:31:29 UTC
I cleared it now, Paul. It is set automatically when a bug goes from ON_QA back to ASSIGNED. Unfortunately, it is not cleared automatically when it goes to ON_QA again (which would make sense to me).

Comment 10 errata-xmlrpc 2016-11-09 17:16:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2683.html

