Bug 814983 - yum install fails in FIPS mode
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: yum
All Linux
high Severity high
Assigned To: James Antill
BaseOS QE Security Team
Reported: 2012-04-21 17:04 EDT by Miroslav Vadkerti
Modified: 2014-01-21 01:25 EST

Doc Type: Bug Fix
Last Closed: 2012-04-23 08:43:38 EDT
Type: Bug

Attachments
[PATCH] vlan: filter device events on bonds (5.17 KB, patch)
2012-07-20 15:59 EDT, Neil Horman

Description Miroslav Vadkerti 2012-04-21 17:04:33 EDT
Description of problem:
yum install fails in FIPS mode (see reproducer)

# yum -y reinstall openssl
malloc: using debugging hooks
Loaded plugins: katello, product-id, rhnplugin, security, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
Setting up Reinstall Process
digest.c(151): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored

Version-Release number of selected component (if applicable):

How reproducible:
100% on i386

Steps to Reproduce:
1. Install EL5.8
2. Remove prelink
# prelink -u -a
# yum -y 
3. Switch to FIPS
4. yum install anything
Actual results:
digest.c(151): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored

Expected results:
No error and yum works

Additional info:
I assume this is a yum issue, but feel free to reassign to openssl if needed.
Tested only on i386 architecture. Tested also with older openssl, doesn't seem to be a regression in openssl (found while testing openssl ASYNC)
Comment 1 Karel Srot 2012-04-23 04:12:32 EDT
Just for reference the RHEL6 fixed bug is bug 541974.
Comment 2 James Antill 2012-04-23 08:43:38 EDT
I'm sure this was discussed in previous bugs ... the problems are:

1. If the repos. you are using have MD5 checksummed metadata ... yum will need to call MD5.

2. It's possible there are still bugs where yum calls MD5 routines where it doesn't need to, esp. in RHEL-5.

3. OpenSSL MD5 calls abort() in FIPS mode ... even if the usage was not in a security context.
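
Added example, not part of the original comment and not yum's own code: one way a Python client can verify repository metadata that carries MD5 checksums without a hard failure in FIPS mode, by requesting MD5 as a non-security checksum (`usedforsecurity=False`, Python 3.9+) and flagging such entries. The repomd-style XML, the file contents and the status names are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

LEGACY = {"md5"}  # not FIPS-approved; the algorithm this bug is about

# Constructed, simplified repomd-style sample (real repomd.xml is namespaced).
# Digests are the standard test vectors for b"abc"; the last is wrong on purpose.
SAMPLE_XML = """<repomd>
  <data type="primary"><checksum type="md5">900150983cd24fb0d6963f7d28e17f72</checksum>
    <location href="repodata/primary.xml"/></data>
  <data type="filelists"><checksum type="sha256">ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad</checksum>
    <location href="repodata/filelists.xml"/></data>
  <data type="other"><checksum type="md5">00000000000000000000000000000000</checksum>
    <location href="repodata/other.xml"/></data>
</repomd>"""
SAMPLE_FILES = {href: b"abc" for href in (
    "repodata/primary.xml", "repodata/filelists.xml", "repodata/other.xml")}

def digest(algo, data):
    """Return the hex digest, or None if this build refuses the algorithm."""
    try:
        if algo in LEGACY:
            # Declare non-security use so a FIPS-enabled build may permit it.
            h = hashlib.new(algo, usedforsecurity=False)
        else:
            h = hashlib.new(algo)
    except ValueError:
        return None
    h.update(data)
    return h.hexdigest()

def verify_repomd(xml_text, files):
    """Map each href to 'ok', 'ok-legacy', 'mismatch' or 'unavailable'."""
    results = {}
    for data in ET.fromstring(xml_text).iter("data"):
        checksum = data.find("checksum")
        href = data.find("location").get("href")
        algo = checksum.get("type").lower()
        actual = digest(algo, files[href])
        if actual is None:
            results[href] = "unavailable"
        elif actual != checksum.text.strip().lower():
            results[href] = "mismatch"
        else:
            results[href] = "ok-legacy" if algo in LEGACY else "ok"
    return results

if __name__ == "__main__":
    print(verify_repomd(SAMPLE_XML, SAMPLE_FILES))
```

An `unavailable` status is what this sketch reports when the build blocks the algorithm even for non-security use, so the caller can ask for metadata with a different checksum type instead of crashing.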
Comment 3 Neil Horman 2012-07-20 15:59:49 EDT
Created attachment 599453
[PATCH] vlan: filter device events on bonds

Since bond masters and slaves only have separate vlan groups now, the
vlan_device_event handler has to be taught to ignore network events from slave
devices when they're truly attached to the bond master.  We do this by looking
up the network device of a given vid on both the slave and its master.  If they
match, then we're processing an event for a physical device that we don't really
care about (since the master's events are really what we're interested in).

This patch adds that comparison, and allows us to filter those slave events that
the vlan code should ignore.
 net/8021q/vlan.c |   64 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 64 insertions(+), 0 deletions(-)
Comment 4 Neil Horman 2012-07-20 16:02:23 EDT
sorry, wrong bug, ignore last post
