Bug 814983 - yum install fails in FIPS mode
Summary: yum install fails in FIPS mode
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: yum
Version: 5.9
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: James Antill
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-04-21 21:04 UTC by Miroslav Vadkerti
Modified: 2014-01-21 06:25 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-04-23 12:43:38 UTC
Target Upstream Version:
Embargoed:


Attachments
[PATCH] vlan: filter device events on bonds (5.17 KB, patch)
2012-07-20 19:59 UTC, Neil Horman

Description Miroslav Vadkerti 2012-04-21 21:04:33 UTC
Description of problem:
yum install fails in FIPS mode (see reproducer)

# yum -y reinstall openssl
malloc: using debugging hooks
Loaded plugins: katello, product-id, rhnplugin, security, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
Setting up Reinstall Process
digest.c(151): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored
Aborted

Version-Release number of selected component (if applicable):
yum-3.2.22-39.el5
openssl-0.9.8e-22.el5_8.2

How reproducible:
100% on i386

Steps to Reproduce:
1. Install EL5.8
2. Remove prelink
# prelink -u -a
# yum -y 
3. Switch to FIPS
4. yum install anything
  
Actual results:
digest.c(151): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored
Aborted

Expected results:
No error and yum works

Additional info:
I assume this is a yum issue, but feel free to reassign to openssl if needed.
Tested only on i386 architecture. Tested also with older openssl, doesn't seem to be a regression in openssl (found while testing openssl ASYNC)

Comment 1 Karel Srot 2012-04-23 08:12:32 UTC
Just for reference the RHEL6 fixed bug is bug 541974.

Comment 2 James Antill 2012-04-23 12:43:38 UTC
I'm sure this was discussed in previous bugs ... the problems are:

1. If the repos. you are using have MD5 checksummed metadata ... yum will need to call MD5.

2. It's possible there are still bugs where yum calls MD5 routines where it doesn't need to, esp. in RHEL-5.

3. OpenSSL MD5 calls abort() in FIPS mode ... even if the usage was not in a security context.
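
A check an administrator could run before switching a host to FIPS mode, following from point 1 above: scan a repository's repomd.xml for MD5-typed checksums that would force yum into the MD5 code path. This is an added example, not yum's code and not part of the original comment; the sample metadata is constructed, and the function name and the set of flagged digests are assumptions.

```python
import xml.etree.ElementTree as ET

# XML namespace used by createrepo-generated repomd.xml files.
REPO_NS = "{http://linux.duke.edu/metadata/repo}"
# Assumption: only MD5 is flagged, since it is the digest this bug names.
FIPS_FORBIDDEN = {"md5"}

# Constructed sample metadata (digests are placeholders, not real values).
SAMPLE_REPOMD = """<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary">
    <location href="repodata/primary.xml.gz"/>
    <checksum type="MD5">0123456789abcdef0123456789abcdef</checksum>
    <open-checksum type="md5">fedcba9876543210fedcba9876543210</open-checksum>
  </data>
  <data type="filelists">
    <location href="repodata/filelists.xml.gz"/>
    <checksum type="sha">0123456789abcdef0123456789abcdef01234567</checksum>
  </data>
</repomd>
"""


def find_forbidden_checksums(repomd_xml):
    """Return (data_type, element, checksum_type) for each flagged digest.

    Intended for a locally stored, trusted copy of repomd.xml.
    """
    root = ET.fromstring(repomd_xml)
    findings = []
    for data in root.iter(REPO_NS + "data"):
        # Both the compressed-file and uncompressed-file checksums matter.
        for tag in ("checksum", "open-checksum"):
            for node in data.findall(REPO_NS + tag):
                ctype = (node.get("type") or "").strip().lower()
                if ctype in FIPS_FORBIDDEN:
                    findings.append((data.get("type"), tag, ctype))
    return findings


if __name__ == "__main__":
    for dtype, tag, ctype in find_forbidden_checksums(SAMPLE_REPOMD):
        print("%s: <%s type=%r> requires MD5" % (dtype, tag, ctype))
```

An empty result only rules out point 1; it says nothing about the unneeded MD5 calls mentioned in point 2.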

Comment 3 Neil Horman 2012-07-20 19:59:49 UTC
Created attachment 599453
[PATCH] vlan: filter device events on bonds


Since bond masters and slaves only have separate vlan groups now, the
vlan_device_event handler has to be taught to ignore network events from slave
devices when they're truly attached to the bond master.  We do this by looking
up the network device of a given vid on both the slave and its master.  If they
match, then we're processing an event for a physical device that we don't really
care about (since the master's events are really what we're interested in).

This patch adds that comparison, and allows us to filter those slave events that
the vlan code should ignore.
---
 net/8021q/vlan.c |   64 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 64 insertions(+), 0 deletions(-)

Comment 4 Neil Horman 2012-07-20 20:02:23 UTC
sorry, wrong bug, ignore last post

