RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 689387 - Sosreport crashes when generating md5 sum in FIPS mode
Summary: Sosreport crashes when generating md5 sum in FIPS mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sos
Version: 6.1
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Bryn M. Reeves
QA Contact: BaseOS QE - Apps
URL:
Whiteboard:
Depends On:
Blocks: 682670 689963 BaseOS-FIPS-Tracker
TreeView+ depends on / blocked
 
Reported: 2011-03-21 10:15 UTC by David Kutálek
Modified: 2011-05-19 14:27 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
When FIPS (Federal Information Processing Standard) compliance mode was active on the system, the sosreport program terminated with a traceback during generation of the MD5 checksum. As a consequence, no MD5 checksum was generated and no information about the name of the generated report was given, even though the report archive was generated correctly. This bug has been fixed, MD5 checksums are now generated in non-FIPS compliant mode (for compatibility with prior release) and SHA-2 checksums are generated in FIPS compliant mode.
Clone Of:
Environment:
Last Closed: 2011-05-19 14:27:56 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0773 0 normal SHIPPED_LIVE sos bug fix and enhancement update 2011-05-18 18:08:30 UTC

Description David Kutálek 2011-03-21 10:15:14 UTC 
Description of problem:

In FIPS mode, sosreport always crashes during generation of md5sum. Report archive itself is generated correctly, but because of crash there is no md5sum and no info what is the name of generated report.

Version-Release number of selected component (if applicable):

sos-2.2-6.el6.noarch

How reproducible:

Always in FIPS mode

Steps to Reproduce:
1. On FIPS enabled machine, run sosreport
2.
3.
  
Actual results:

# sosreport --batch --tmp-dir=./

sosreport (version 2.2)

This utility will collect some detailed  information about the
hardware and setup of your Red Hat Enterprise Linux system.
The information is collected and an archive is  packaged under
/tmp, which you can send to a support representative.
Red Hat Enterprise Linux will use this information for diagnostic purposes ONLY
and it will be considered confidential information.

This process may take a while to complete.
No changes will be made to your system.


  Running plugins. Please wait ...

  Completed [52/52] ...      
Creating compressed archive...
Traceback (most recent call last):
  File "/usr/sbin/sosreport", line 23, in <module>
    sosreport(sys.argv[1:])
  File "/usr/lib/python2.6/site-packages/sos/sosreport.py", line 843, in sosreport
    GlobalVars.policy.displayResults()
  File "/usr/lib/python2.6/site-packages/sos/policyredhat.py", line 316, in displayResults
    self.report_md5 = md5(fp.read()).hexdigest()
ValueError: error:060800A0:digital envelope routines:EVP_DigestInit_ex:unknown cipher

# ls -l

total 1144
-rw-------. 1 root root 1167824 Mar 21 06:05 sosreport-qa.tar.xz


Expected results:

No crash, md5sum created if possible. If not (because of FIPS), create some other hash, or at least inform user that it was not produced because of its unavailability. No traceback should be produced.

Additional info:
Comment 1 Bryn M. Reeves 2011-03-21 12:48:33 UTC 
Odd. Nothing changed here recently - is it just that this hasn't been tested before?

Anyway, thanks for the headsup - looking into this now.
Comment 2 Pierre Carrier 2011-03-21 13:36:41 UTC 
Cannot reproduce with openssl 1.0.0-4.el6_0.2 on my system. Did I miss something?

# export OPENSSL_FIPS=1; openssl version; mkdir sos; sosreport --batch --tmp-dir=./sos/
OpenSSL 1.0.0-fips 29 Mar 2010

sosreport (version 2.2)
[...]
Your sosreport has been generated and saved in:
  /root/sos/sosreport-rhn-support-pcarrier-20110321133428-9911.tar.xz

The md5sum is: c7a121bd0acf6ccf55d0ab0befec9911

Please send this file to your support representative.
Comment 3 David Kutálek 2011-03-21 14:44:13 UTC 
To find out whether is your system FIPS enabled, run:

cat /proc/sys/crypto/fips_enabled

I am not sure what is official and correct way how to enable it on RHEL6, though.
Comment 15 Bryn M. Reeves 2011-04-07 11:26:20 UTC 
We have a problem with hashlib in FIPS mode:

# sosreport
Traceback (most recent call last):
  File "/usr/sbin/sosreport", line 18, in <module>
    from sos.sosreport import sosreport, doExitCode
  File "/usr/lib/python2.6/site-packages/sos/sosreport.py", line 40, in <module>
    import sos.policyredhat
  File "/usr/lib/python2.6/site-packages/sos/policyredhat.py", line 27, in <module>
    import hashlib
  File "/usr/lib64/python2.6/hashlib.py", line 101, in <module>
    f(usedforsecurity=False)
ValueError: error:2D07D06A:FIPS routines:EVP_DigestInit_ex:fips selftest failed

Looking into this now.. may affect other packages that use python hashlib when run with FIPS.
Comment 16 Bryn M. Reeves 2011-04-07 11:45:21 UTC 
My openssl was out of date (1.0.0-4.el6) - -7 and -8 had a bunch of opensssl FIPS fixes.
Comment 18 Tomas Capek 2011-05-18 14:49:49 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
When FIPS (Federal Information Processing Standard) compliance mode was active on the system, the sosreport program terminated with a traceback during generation of the MD5 checksum. As a consequence, no MD5 checksum was generated and no information about the name of the generated report was given, even though the report archive was generated correctly. This bug has been fixed, MD5 checksums are now generated in non-FIPS compliant mode (for compatibility with prior release) and SHA-2 checksums are generated in FIPS compliant mode.
Comment 19 errata-xmlrpc 2011-05-19 14:27:56 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0773.html
Note You need to log in before you can comment on or make changes to this bug.