Bug 1659495 - Non-approved hashes MUST NOT be allowed in enforced FIPS mode
Summary: Non-approved hashes MUST NOT be allowed in enforced FIPS mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: libgcrypt
Version: 8.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: Tomas Mraz
QA Contact: Daiki Ueno
URL:
Whiteboard:
Depends On: 1682482
Blocks:
Reported: 2018-12-14 14:28 UTC by Ondrej Moriš
Modified: 2019-11-05 22:27 UTC (History)

Fixed In Version: libgcrypt-1.8.3-3.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-05 22:27:22 UTC
Type: Bug
Target Upstream Version:


Attachments
Reproducer (4.44 KB, text/x-csrc), 2018-12-14 14:28 UTC, Ondrej Moriš


Links
Red Hat Product Errata RHBA-2019:3605 (last updated 2019-11-05 22:27:25 UTC)

Description Ondrej Moriš 2018-12-14 14:28:15 UTC
Created attachment 1514382: Reproducer

Description of problem:

On RHEL-6 and RHEL-7, libgcrypt had three FIPS modes:

 * NON-FIPS MODE
   * FIPS mode disabled and
   * no /etc/gcrypt/fips_enabled and
   * GCRYCTL_FORCE_FIPS_MODE "off"
 
 * SOFT-FIPS MODE
   * FIPS mode enabled or
   * GCRYCTL_FORCE_FIPS_MODE "on" or
   * /etc/gcrypt/fips_enabled exists without a non-zero value

 * ENFORCED-FIPS MODE
   * /etc/gcrypt/fips_enabled exists with a non-zero value or
   * ( GCRYCTL_FORCE_FIPS_MODE "on" or 
       FIPS mode enabled or
       /etc/gcrypt/fips_enabled exists without a non-zero value 
     ) and GCRYCTL_SET_ENFORCED_FIPS_FLAG "on"

In RHEL-6 and RHEL-7 MD4 was allowed in NON-FIPS MODE only. On RHEL-8, MD4 is allowed in all modes.
 
Version-Release number of selected component (if applicable):

libgcrypt-1.8.3-2.el8

How reproducible:

Always

Steps to Reproduce:

0. Set modes according to description.

1. Compile attached reproducer:
   gcc -o gcrypt gcrypt.c -lgcrypt -lgpg-error

2. Execute it
   ./gcrypt --enforced-fips --md4

Actual results:

Reproducer passes in all modes.

Expected results:

Reproducer should pass only in NON-FIPS MODE.

Additional info:

N/A
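The mode selection rules listed in the description, and the expected MD4 policy, written out as a small Python model. This is an added illustration, not the attached reproducer or libgcrypt's own code; the input names and the treatment of non-numeric file content are assumptions.

```python
"""Model of libgcrypt FIPS mode selection as described in this bug report.

Added illustration, not libgcrypt source. Inputs correspond to the four
conditions in the report: the kernel/system FIPS state, the
GCRYCTL_FORCE_FIPS_MODE control, the /etc/gcrypt/fips_enabled file, and
the GCRYCTL_SET_ENFORCED_FIPS_FLAG control.
"""
from enum import Enum
from typing import Optional


class FipsMode(Enum):
    NON_FIPS = "NON-FIPS MODE"
    SOFT_FIPS = "SOFT-FIPS MODE"
    ENFORCED_FIPS = "ENFORCED-FIPS MODE"


def fips_file_is_nonzero(content: Optional[str]) -> bool:
    """True when /etc/gcrypt/fips_enabled exists and holds a non-zero value.

    `content` is None when the file does not exist.  An empty file, or one
    containing "0", exists "without a non-zero value" (soft mode).  Content
    that is not an integer is treated as zero here (assumption, not taken
    from the report).
    """
    if content is None:
        return False
    text = content.strip()
    try:
        return int(text) != 0
    except ValueError:
        return False


def select_fips_mode(kernel_fips_enabled: bool, force_fips: bool,
                     fips_file: Optional[str], enforced_flag: bool) -> FipsMode:
    """Combine the report's conditions into one of the three modes."""
    # Any one of these puts libgcrypt into at least SOFT-FIPS MODE.
    soft = kernel_fips_enabled or force_fips or fips_file is not None
    # ENFORCED: non-zero file value, or soft-mode conditions plus the
    # enforced flag.  The enforced flag alone (no FIPS trigger) does nothing.
    if fips_file_is_nonzero(fips_file) or (soft and enforced_flag):
        return FipsMode.ENFORCED_FIPS
    if soft:
        return FipsMode.SOFT_FIPS
    return FipsMode.NON_FIPS


def md4_allowed(mode: FipsMode) -> bool:
    """Expected behaviour per the report: MD4 usable only in NON-FIPS MODE."""
    return mode is FipsMode.NON_FIPS
```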

Comment 1 Ondrej Moriš 2018-12-14 14:31:31 UTC
See also BZ#808520.

Comment 11 errata-xmlrpc 2019-11-05 22:27:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3605

