Bug 786145 - missing /proc/sys/crypto/fips_enabled in 3.0.9 causes openssh errors
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: realtime-kernel
Version: 2.1
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: 2.1.4
: ---
Assignee: John Kacur
QA Contact: David Sommerseth
URL:
Whiteboard:
Depends On:
Blocks: 814689
Reported: 2012-01-31 15:28 UTC by evcz
Modified: 2016-05-22 23:34 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
When the CONFIG_CRYPTO_FIPS configuration option was disabled, some services such as sshd and ipsec, while working properly, returned warning messages regarding this missing option during start up. With this update, CONFIG_CRYPTO_FIPS has been enabled and no warning messages are now returned in the described scenario.
Clone Of:
: 814689 (view as bug list)
Environment:
Last Closed: 2012-02-23 20:24:39 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:0333 0 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2012-02-24 01:21:35 UTC

Description evcz 2012-01-31 15:28:35 UTC
Description of problem:
While using 3.0.9-rt26.46.el6rt.x86_64 issuing a:

service sshd restart

reports some errors due to missing "fips_enabled"

Version-Release number of selected component (if applicable):
openssh-5.3p1-70.el6.x86_64
kernel-rt-3.0.9-rt26.46.el6rt.x86_64

How reproducible:
issuing service sshd restart

Steps to Reproduce:
1. install 3.0.9-rt26.46.el6rt.x86_64
2. do a: "service sshd restart"
  
Actual results:
[root@silver ~]# service sshd restart
Stopping sshd:                                             [  OK  ]
cat: /proc/sys/crypto/fips_enabled: No such file or directory
/etc/init.d/sshd: line 50: [: too many arguments
Starting sshd:                                             [  OK  ]


Expected results:
[root@silver ~]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]


Additional info:
on kernel-rt-2.6.33.9-rt31.75.el6rt it is working ok
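
The output above shows `cat` failing on the missing file and a `[` test in the init script then erroring. As an added example (not part of this report and not the code of /etc/init.d/sshd), the sketch below contrasts a constructed fragile check with a reader that tolerates a missing /proc/sys/crypto/fips_enabled; the `FIPS_FLAG_FILE` variable and all function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the sshd init script.
# FIPS_FLAG_FILE is an assumption of this sketch: it is overridable only so the
# functions can be run against constructed files. The real path is the default.
FIPS_FLAG_FILE="${FIPS_FLAG_FILE:-/proc/sys/crypto/fips_enabled}"

# Fragile pattern (constructed): unquoted command substitution inside [ ].
# When the file is missing, cat prints nothing, the expression loses an
# operand, and [ reports a syntax error instead of answering the question.
fips_is_off_fragile() {
    [ $(cat "$FIPS_FLAG_FILE") -eq 0 ]
}

# Hardened reader: prints 1 only when the kernel reports FIPS mode.
# A missing file (kernel built without CONFIG_CRYPTO_FIPS), an unreadable
# file, an empty file and unexpected content all print 0. Mapping unknown
# states to 0 is a choice of this sketch; a stricter caller could refuse instead.
fips_enabled() {
    flag=
    if [ -r "$FIPS_FLAG_FILE" ]; then
        # read returns non-zero at EOF without a newline; the value is still set.
        IFS= read -r flag < "$FIPS_FLAG_FILE" || :
    fi
    case "$flag" in
        1) echo 1 ;;
        *) echo 0 ;;
    esac
}

# Predicate form for use in if/while: quoted, so [ always sees both operands.
fips_is_off() {
    [ "$(fips_enabled)" -eq 0 ]
}
```
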

Comment 1 evcz 2012-01-31 15:32:30 UTC
just tried on

openssh-5.3p1-70.el6_2.2.x86_64

and can confirm the same behaviour

Comment 2 John Kacur 2012-01-31 17:31:52 UTC
to get CRYPTO_FIPS, we need to disable CRYPTO_MANAGER_DISABLE_TESTS

Comment 3 Clark Williams 2012-01-31 20:25:19 UTC
John,

I just did that as well as turned on a few CRYPTO_* configs that we were missing.

Comment 4 Clark Williams 2012-02-01 02:31:35 UTC
Configs now in dist-git fix this issue (turned on CONFIG_CRYPTO_FIPS). Tested with scratch kernel built by lgoncalv

Comment 9 Luis Claudio R. Goncalves 2012-02-13 15:36:28 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: the config option CONFIG_CRYPTO_FIPS is disabled. 
Consequence: some services such as sshd and ipsec complain about the lacking config during start up, but work fine.
Fix: the config option has been enabled.
Result: no more complaints when starting the services.

Comment 11 Tomas Capek 2012-02-22 16:10:15 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,4 +1 @@
-Cause: the config option CONFIG_CRYPTO_FIPS is disabled. 
+When the CONFIG_CRYPTO_FIPS configuration option was disabled, some services such as sshd and ipsec, while working properly, returned warning messages regarding this missing option during start up. With this update, CONFIG_CRYPTO_FIPS has been enabled and no warning messages are now returned in the described scenario.-Consequence: some services such as sshd and ipsec complain about the lacking config during start up, but work fine.
-Fix: the config option has been enabled.
-Result: no more complaints when starting the services.
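Review bot: the `+` line describes the symptom only as "warning messages regarding this missing option", which gives a reader nothing concrete to match against their own startup output. Consider naming the missing /proc/sys/crypto/fips_enabled file from the bug summary as what the services complain about. The removed Cause and Consequence lines did not carry that detail either, so it is lost nowhere else, but the single-sentence form is the one that ships in the advisory.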

Comment 12 errata-xmlrpc 2012-02-23 20:24:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0333.html

