+++ This bug was initially created as a clone of Bug #553137 +++

Created attachment 382173
Attachment contains bug info including the console log of the bug verification

Description of problem:
When FIPS is enabled (in kernel or even only by creating /etc/gcrypt/fips_enabled file) aide fails to initialize the database producing the error:

[root@dell-pe1420-01 aide-tst]# aide -c /tmp/aide-tst/aide.conf -i
libgcrypt selftest: binary (0): No such file or directory
gcrypt_md_open failed

Version-Release number of selected component (if applicable):
aide-0.13.1-6.el5
aide-0.13.1-4.el5

How reproducible:
always

Steps to Reproduce:
1. # touch /etc/gcrypt/fips_enabled
2. prepare simple aide.conf file which uses only FIPS "supported" cryptography (no md5 etc.), you may use the file below as a template
3. initialize aide database
   # aide -c PATH_TO_YOUR_CONF_FILE/aide.conf -i

Actual results:
.qa.[root@ia64-5s-m1 aide-test]# aide -c /tmp/aide-test/aide.conf -i
libgcrypt selftest: binary (0): Invalid argument
gcrypt_md_open failed

Expected results:
proper initialization of aide database

Additional info:
Please see the attachment for console log of the bug verification

# ---------------------
# sample aide.conf file for the test
# ---------------------
@@define DBDIR /tmp/aide-test/db
@@define LOGDIR /tmp/aide-test/log

# The location of the database to be read.
database=file:@@{DBDIR}/aide.db.gz

# The location of the database to be written.
database_out=file:@@{DBDIR}/aide.db.new.gz
database_new=file:@@{DBDIR}/aide.db.new.gz

# Whether to gzip the output to database
gzip_dbout=yes

# Default.
verbose=5

report_url=file:@@{LOGDIR}/aide.log
report_url=stdout

NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256

# files to watch
/etc/passwd NORMAL

--- Additional comment from pm-rhel on 2010-08-09 15:05:07 EDT ---

This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.

--- Additional comment from jared.jennings.ctr.mil on 2011-06-06 16:45:01 EDT ---

I've seen what I think is this same issue, under RHEL6.1, and reported it as BZ711216, with debugging results.

--- Additional comment from jared.jennings.ctr.mil on 2011-06-06 16:49:48 EDT ---

Oops, I should have said, Bug #711216.

--- Additional comment from pm-rhel on 2011-06-07 03:38:16 EDT ---

This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.

--- Additional comment from pm-rhel on 2011-09-22 20:38:14 EDT ---

This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.

--- Additional comment from smijolovic on 2011-10-05 00:00:04 EDT ---

Looks like your fix in aide-0.13.1-15.el6.src.rpm was the only one that I could find that worked in FIPS mode. I ran rpmbuild on it for el5 and it compiled with no errors. Initialization and check tested working with sha512 checksums.

Working src rpm here: http://ftp.redhat.de/pub/redhat/rhel/beta/6.0/source/SRPMS/

--- Additional comment from smijolovic on 2012-01-10 17:05:07 EST ---

I should provide more context for clarity. At this point I have only been able to get aes256 and aes512 to work with the mhash libraries while the kernel is in FIPS mode. The mhash libraries are not part of the RHEL distribution and there are no plans to include them have them FIPS validated by Red Hat. I have been trying to compile them from source to use libgcrypt but I am striking out.

--- Additional comment from smijolovic on 2012-01-10 17:10:59 EST ---

correction: should be sha256, sha512..not aes.

Hi Chris, what is the purpose of this bug? It is filed for RHEL5 such as the original bug 553137.
Closing this bug as duplicate to 553137 *** This bug has been marked as a duplicate of bug 553137 ***
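
Step 2 of the reproduction calls for an aide.conf that uses only FIPS "supported" digests. The following is an added example (not part of the bug report and not AIDE code) that checks this precondition by resolving the group expression on every selection line. The approved set, the contents of the predefined groups and every sample rule other than NORMAL are assumptions made for illustration.

```python
import re

# Digest names AIDE accepts in rule expressions.
AIDE_DIGESTS = {"md5", "sha1", "sha256", "sha512", "rmd160", "tiger",
                "haval", "gost", "crc32", "whirlpool"}
# Assumption: the SHA family is the FIPS-approved subset of the above.
FIPS_OK = {"sha1", "sha256", "sha512"}
# Assumption: predefined group R carries md5; L, E and > carry no digest.
BUILTIN = {"R": {"md5"}, "L": set(), "E": set(), ">": set()}
# Settings that appear in the report's sample config (not group definitions).
SETTINGS = {"database", "database_out", "database_new", "gzip_dbout",
            "verbose", "report_url"}

def resolve(expr, groups):
    """Expand an expression such as 'R-md5+sha256' into its set of digests."""
    digests = set()
    for sign, tok in re.findall(r"([+-]?)\s*([^+\-\s]+)", expr):
        members = groups.get(tok, {tok} & AIDE_DIGESTS)
        digests = digests - members if sign == "-" else digests | members
    return digests

def non_fips_digests(conf_text):
    """Return [(line number, path, [digests])] for rules hashing outside FIPS_OK."""
    groups = {name: set(d) for name, d in BUILTIN.items()}
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line[:1] in ("/", "="):               # selection line: <path> <expression>
            path, expr = (line.split(None, 1) + [""])[:2]
            bad = sorted(resolve(expr, groups) - FIPS_OK)
            if bad:
                findings.append((lineno, path, bad))
        elif "=" in line and not line.startswith(("@@", "!")):
            name, expr = (s.strip() for s in line.split("=", 1))
            if name not in SETTINGS:             # group definition: NAME = expression
                groups[name] = resolve(expr, groups)
    return findings

# Constructed sample: NORMAL is the rule from the report, the rest is made up.
SAMPLE = """\
NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
LEGACY = NORMAL+md5+rmd160
/etc/passwd NORMAL
/etc/shadow LEGACY
/etc/hosts R-md5+sha512
/etc/group R
"""
if __name__ == "__main__":
    print(non_fips_digests(SAMPLE))
```

An empty result for a configuration means a `gcrypt_md_open failed` error under FIPS mode cannot be attributed to a non-approved digest selected in that file.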