Description of problem:
In RHEL8/CentOS8, freshclam and clamscan do not run as expected in FIPS mode

Version-Release number of selected component (if applicable):
0.101.4

How reproducible:
Always

Steps to Reproduce:
1. Minimal build
2. Add EPEL8 repo, and dnf install clamav clamav-update
3. Enable FIPS: fips-mode-setup --enable
4. Run freshclam -v

Actual results:
[root@localhost clamav]# freshclam -v
Current working dir is /var/lib/clamav
ClamAV update process started at Mon Oct 28 21:28:05 2019
Using IPv6 aware code
Max retries == 3
Querying current.cvd.clamav.net
TTL: 5
Software version from DNS: 0.102.0
Retrieving http://database.clamav.net/main.cvd
Trying to download http://database.clamav.net/main.cvd (IP: 104.16.219.84)
Downloading main.cvd [100%]
ERROR: Verification: Can't allocate memory
Querying main.0.105.0.0.6810DB54.ping.clamav.net
Can't query main.0.105.0.0.6810DB54.ping.clamav.net
Trying again in 5 secs...
Querying current.cvd.clamav.net
TTL: 5
Software version from DNS: 0.102.0
Retrieving http://database.clamav.net/main.cvd
Trying to download http://database.clamav.net/main.cvd (IP: 104.16.219.84)
Downloading main.cvd [100%]
ERROR: Verification: Can't allocate memory
Querying main.0.105.0.0.6810DB54.ping.clamav.net
Can't query main.0.105.0.0.6810DB54.ping.clamav.net
Trying again in 5 secs...
Querying current.cvd.clamav.net
TTL: 5
Software version from DNS: 0.102.0
Retrieving http://database.clamav.net/main.cvd
Trying to download http://database.clamav.net/main.cvd (IP: 104.16.218.84)
Downloading main.cvd [100%]
ERROR: Verification: Can't allocate memory
Querying main.0.105.0.0.6810DA54.ping.clamav.net
Can't query main.0.105.0.0.6810DA54.ping.clamav.net
Giving up on database.clamav.net...
Update failed. Your network may be down or none of the mirrors listed in /etc/freshclam.conf is working. Check https://www.clamav.net/documents/official-mirror-faq for possible reasons.

No cvd files are found in /var/lib/clamav

Expected results:
[root@localhost clamav]# freshclam -v
Current working dir is /var/lib/clamav
ClamAV update process started at Mon Oct 28 21:32:40 2019
Using IPv6 aware code
Max retries == 3
Querying current.cvd.clamav.net
TTL: 5
Software version from DNS: 0.102.0
Retrieving http://database.clamav.net/main.cvd
Trying to download http://database.clamav.net/main.cvd (IP: 104.16.218.84)
Downloading main.cvd [100%]
Loading signatures from main.cvd
Properly loaded 4566249 signatures from new main.cvd
main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Querying main.58.105.1.0.6810DA54.ping.clamav.net
Can't query main.58.105.1.0.6810DA54.ping.clamav.net
Retrieving http://database.clamav.net/daily.cvd
Trying to download http://database.clamav.net/daily.cvd (IP: 104.16.218.84)
Downloading daily.cvd [100%]
Loading signatures from daily.cvd
Properly loaded 1960147 signatures from new daily.cvd
daily.cvd updated (version: 25616, sigs: 1960147, f-level: 63, builder: raynman)
Querying daily.25616.105.1.0.6810DA54.ping.clamav.net
Can't query daily.25616.105.1.0.6810DA54.ping.clamav.net
Retrieving http://database.clamav.net/bytecode.cvd
Trying to download http://database.clamav.net/bytecode.cvd (IP: 104.16.218.84)
Downloading bytecode.cvd [100%]
Loading signatures from bytecode.cvd
Properly loaded 94 signatures from new bytecode.cvd
bytecode.cvd updated (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
Querying bytecode.331.105.1.0.6810DA54.ping.clamav.net
Can't query bytecode.331.105.1.0.6810DA54.ping.clamav.net
Database updated (6526490 signatures) from database.clamav.net (IP: 104.16.218.84)

main, daily, and bytecode cvds are found in /var/lib/clamav

Additional info:
Run fips-mode-setup --disable
Reboot
Expected results are observed.
What is FIPS mode?
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
Actually, I would argue it is running as expected in FIPS mode :). MD5 is not an allowed hash algorithm by FIPS, but since it is what clamav uses to verify the cvd files, it fails. This is going to need to be addressed upstream. Please file a bug there: https://bugzilla.clamav.net/
Specifically:

cl_hash_init (alg=0x7ffff7b4e9cb "md5") at crypto.c:1154
1154    {
(gdb)
1158        md = EVP_get_digestbyname(alg);
(gdb)
1159        if (!(md))
(gdb)
1174        return NULL;

So EVP_get_digestbyname("md5") returns NULL.
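A triage helper for the symptom in this report, added here as an example and not part of the bug report or of ClamAV: it probes whether the local OpenSSL policy still permits MD5 (through Python's hashlib, which on a RHEL 8 host in FIPS mode raises ValueError for md5, the same policy that makes EVP_get_digestbyname("md5") return NULL inside ClamAV) and classifies a freshclam run so that the misleading "Can't allocate memory" line is reported as the FIPS/MD5 problem it is. The sample output is constructed from the lines quoted above; the classification labels are my own.

```python
"""Triage the freshclam-in-FIPS-mode failure: is it network, or MD5 disabled by policy?"""
import hashlib
import re

# Constructed sample, trimmed from the "Actual results" of the report above.
SAMPLE_FRESHCLAM_OUTPUT = """\
Retrieving http://database.clamav.net/main.cvd
Downloading main.cvd [100%]
ERROR: Verification: Can't allocate memory
Querying main.0.105.0.0.6810DB54.ping.clamav.net
Giving up on database.clamav.net...
Update failed. Your network may be down or none of the mirrors listed in /etc/freshclam.conf is working.
"""

VERIFICATION_ERROR = re.compile(r"^ERROR: Verification: (.+)$", re.MULTILINE)


def digest_allowed(name: str) -> bool:
    """True if the system OpenSSL (via hashlib) will hand out digest `name`.

    With FIPS mode enabled, hashlib.new("md5") raises ValueError instead of
    returning a hash object; an unknown digest name raises ValueError as well.
    """
    try:
        hashlib.new(name, b"probe")
        return True
    except ValueError:
        return False


def diagnose(freshclam_output: str, md5_allowed: bool) -> str:
    """Classify one freshclam run as 'ok', 'network', 'fips-md5' or 'verification-other'.

    'fips-md5' means the CVD downloads completed but verification failed while
    MD5 is unavailable by policy: the "Can't allocate memory" text is a side
    effect of EVP_get_digestbyname returning NULL, not a real allocation failure.
    """
    errors = VERIFICATION_ERROR.findall(freshclam_output)
    if not errors:
        return "network" if "Update failed" in freshclam_output else "ok"
    downloaded = "[100%]" in freshclam_output
    if downloaded and not md5_allowed:
        return "fips-md5"
    return "verification-other"


if __name__ == "__main__":
    verdict = diagnose(SAMPLE_FRESHCLAM_OUTPUT, digest_allowed("md5"))
    print("md5 allowed by policy:", digest_allowed("md5"))
    print("freshclam verdict:", verdict)
```

On an affected FIPS host the verdict is 'fips-md5'; on a host where MD5 is permitted the same log is reported as 'verification-other', which points at the database rather than the crypto policy.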
Orion - agree with the fact that FIPS is doing what it's supposed to do. Thank you for the code snippet. For future-proofing, sha256 is recommended. Filed the upstream bug: https://bugzilla.clamav.net/show_bug.cgi?id=12424 Marked security restricted - asked for it to be public.
I'm not authorized to access bug #12424. If you are the owner, you may make the bug public IIRC.
Not when flagged with security, and for good reason. If someone discloses to security what could potentially become a zero-day, you don't go blasting that out public. Smart move there, so the security team will remove the private flag.
For reference https://build.opensuse.org/package/view_file/home:alveus:main/clamav/clamav-fips.patch?expand=1 --- libclamav/crypto.c.orig +++ libclamav/crypto.c @@ -145,6 +145,9 @@ int cl_initialize_crypto(void) ERR_load_crypto_strings(); #endif + /* avoid fips issues */ + EVP_add_digest(EVP_md5()); + return 0; }
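Review bot: the comment `/* avoid fips issues */` on the added `EVP_add_digest(EVP_md5());` line in cl_initialize_crypto undersells what the change does: it deliberately re-registers a digest that the FIPS policy has disabled, so a process carrying this patch is no longer honouring FIPS mode for CVD verification. Spell that out in the comment, and name the reason (CVD verification is hard-wired to MD5, which is why `EVP_get_digestbyname(alg)` at crypto.c:1158 in the gdb trace above returns NULL), so that whoever carries the patch knows it is a workaround and not a fix. Also worth adding to the patch's test notes: re-run the report's `freshclam -v` on a FIPS-enabled host to confirm that the digest not only resolves by name but actually verifies main.cvd, since the thread's agreed long-term direction is moving the verification to sha256 rather than re-enabling MD5.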
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.