Bug 689387 - Sosreport crashes when generating md5 sum in FIPS mode
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sos
Version: 6.1
Hardware: All Linux
Priority: medium, Severity: medium
Target Milestone: rc
Assigned To: Bryn M. Reeves
QA Contact: BaseOS QE - Apps
Blocks: 682670 BaseOS-FIPS-Tracker 689963
Reported: 2011-03-21 06:15 EDT by David Kutálek
Modified: 2011-05-19 10:27 EDT (History)
Doc Type: Bug Fix
Doc Text:
When FIPS (Federal Information Processing Standard) compliance mode was active on the system, the sosreport program terminated with a traceback during generation of the MD5 checksum. As a consequence, no MD5 checksum was generated and no information about the name of the generated report was given, even though the report archive was generated correctly. This bug has been fixed: MD5 checksums are now generated in non-FIPS compliant mode (for compatibility with prior release) and SHA-2 checksums are generated in FIPS compliant mode.
Last Closed: 2011-05-19 10:27:56 EDT
Description David Kutálek 2011-03-21 06:15:14 EDT
Description of problem:

In FIPS mode, sosreport always crashes during generation of the md5sum. The report archive itself is generated correctly, but because of the crash there is no md5sum and no information about the name of the generated report.

Version-Release number of selected component (if applicable):

sos-2.2-6.el6.noarch

How reproducible:

Always in FIPS mode

Steps to Reproduce:
1. On a FIPS-enabled machine, run sosreport

Actual results:

# sosreport --batch --tmp-dir=./

sosreport (version 2.2)

This utility will collect some detailed  information about the
hardware and setup of your Red Hat Enterprise Linux system.
The information is collected and an archive is  packaged under
/tmp, which you can send to a support representative.
Red Hat Enterprise Linux will use this information for diagnostic purposes ONLY
and it will be considered confidential information.

This process may take a while to complete.
No changes will be made to your system.


  Running plugins. Please wait ...

  Completed [52/52] ...      
Creating compressed archive...
Traceback (most recent call last):
  File "/usr/sbin/sosreport", line 23, in <module>
    sosreport(sys.argv[1:])
  File "/usr/lib/python2.6/site-packages/sos/sosreport.py", line 843, in sosreport
    GlobalVars.policy.displayResults()
  File "/usr/lib/python2.6/site-packages/sos/policyredhat.py", line 316, in displayResults
    self.report_md5 = md5(fp.read()).hexdigest()
ValueError: error:060800A0:digital envelope routines:EVP_DigestInit_ex:unknown cipher

# ls -l

total 1144
-rw-------. 1 root root 1167824 Mar 21 06:05 sosreport-qa@redhat.com-20110321060542.tar.xz


Expected results:

No crash, md5sum created if possible. If not (because of FIPS), create some other hash, or at least inform the user that it was not produced because of its unavailability. No traceback should be produced.

Additional info:
Comment 1 Bryn M. Reeves 2011-03-21 08:48:33 EDT
Odd. Nothing changed here recently - is it just that this hasn't been tested before?

Anyway, thanks for the heads-up - looking into this now.
Comment 2 Pierre Carrier 2011-03-21 09:36:41 EDT
Cannot reproduce with openssl 1.0.0-4.el6_0.2 on my system. Did I miss something?

# export OPENSSL_FIPS=1; openssl version; mkdir sos; sosreport --batch --tmp-dir=./sos/
OpenSSL 1.0.0-fips 29 Mar 2010

sosreport (version 2.2)
[...]
Your sosreport has been generated and saved in:
  /root/sos/sosreport-rhn-support-pcarrier-20110321133428-9911.tar.xz

The md5sum is: c7a121bd0acf6ccf55d0ab0befec9911

Please send this file to your support representative.
Comment 3 David Kutálek 2011-03-21 10:44:13 EDT
To find out whether your system is FIPS enabled, run:

cat /proc/sys/crypto/fips_enabled

I am not sure what the official and correct way to enable it on RHEL6 is, though.
Comment 15 Bryn M. Reeves 2011-04-07 07:26:20 EDT
We have a problem with hashlib in FIPS mode:

# sosreport
Traceback (most recent call last):
  File "/usr/sbin/sosreport", line 18, in <module>
    from sos.sosreport import sosreport, doExitCode
  File "/usr/lib/python2.6/site-packages/sos/sosreport.py", line 40, in <module>
    import sos.policyredhat
  File "/usr/lib/python2.6/site-packages/sos/policyredhat.py", line 27, in <module>
    import hashlib
  File "/usr/lib64/python2.6/hashlib.py", line 101, in <module>
    f(usedforsecurity=False)
ValueError: error:2D07D06A:FIPS routines:EVP_DigestInit_ex:fips selftest failed

Looking into this now.. may affect other packages that use python hashlib when run with FIPS.
Comment 16 Bryn M. Reeves 2011-04-07 07:45:21 EDT
My openssl was out of date (1.0.0-4.el6) - -7 and -8 had a bunch of openssl FIPS fixes.
Comment 18 Tomas Capek 2011-05-18 10:49:49 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
When FIPS (Federal Information Processing Standard) compliance mode was active on the system, the sosreport program terminated with a traceback during generation of the MD5 checksum. As a consequence, no MD5 checksum was generated and no information about the name of the generated report was given, even though the report archive was generated correctly. This bug has been fixed: MD5 checksums are now generated in non-FIPS compliant mode (for compatibility with prior release) and SHA-2 checksums are generated in FIPS compliant mode.
Comment 19 errata-xmlrpc 2011-05-19 10:27:56 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0773.html
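
The behaviour the technical note describes (MD5 outside FIPS mode, a SHA-2 digest inside it), sketched as an added example that is not the sos project's own code. The function names, the choice of SHA-256 as the SHA-2 variant and the ValueError fallback are assumptions; the flag path is the one given in comment 3.

```python
import hashlib

FIPS_FLAG = "/proc/sys/crypto/fips_enabled"  # kernel flag quoted in comment 3


def fips_enabled(flag_path=FIPS_FLAG):
    """True when the kernel reports FIPS mode; False if the flag is absent."""
    try:
        with open(flag_path) as fp:
            return fp.read().strip() == "1"
    except (IOError, OSError):
        return False


def choose_digest(fips, md5_factory=hashlib.md5):
    """Return (name, hash object): MD5 normally, SHA-256 under FIPS.

    Also falls back to SHA-256 when the MD5 constructor raises ValueError,
    as in the traceback in the description, so a mismatch between the flag
    and the crypto library cannot crash the final reporting step.
    """
    if not fips:
        try:
            return "md5", md5_factory()
        except ValueError:
            pass  # MD5 refused by the crypto library; use SHA-256 instead
    return "sha256", hashlib.sha256()


def archive_checksum(path, fips=None, md5_factory=hashlib.md5, chunk=1 << 20):
    """Hash the archive in chunks rather than reading the whole file at once.

    md5_factory is a hypothetical hook so the failure path can be exercised
    on a machine that is not in FIPS mode.
    """
    if fips is None:
        fips = fips_enabled()
    name, digest = choose_digest(fips, md5_factory)
    with open(path, "rb") as fp:
        for block in iter(lambda: fp.read(chunk), b""):
            digest.update(block)
    return name, digest.hexdigest()
```

Returning the algorithm name with the digest lets the caller print which checksum was produced, so the archive name and a usable hash are always reported.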
