Bug 966058 - self-test fails when FIPS mode is enabled
self-test fails when FIPS mode is enabled
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: gnupg2 (Show other bugs)
All Linux
unspecified Severity medium
: rc
: ---
Assigned To: Tomas Mraz
BaseOS QE Security Team
Depends On:
  Show dependency treegraph
Reported: 2013-05-22 07:45 EDT by Ondrej Moriš
Modified: 2014-02-14 09:46 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2014-02-14 09:46:29 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Ondrej Moriš 2013-05-22 07:45:53 EDT
Description of problem:

Self-test of gnupg2 (also known as 'make check') fails when the rest of the system works in FIPS 140-2 approved mode (ie. when "FIPS mode is enabled").

Version-Release number of selected component (if applicable):


How reproducible:

100% (in FIPS mode)

Steps to Reproduce:

1. enable FIPS mode (https://access.redhat.com/site/solutions/137833)
2. build the source rpm package of gnupg2
3. execute self-test (make check in build directory)

Actual results:

make[4]: Entering directory `/root/rpmbuild/BUILD/gnupg-2.0.14/tests/openpgp'
gpg (GnuPG) 2.0.14
libgcrypt 1.4.5
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: .
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: 3DES, AES, AES192, AES256
Hash: MD5, SHA1, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
PASS: version.test
FAIL: mds.test
PASS: decrypt.test
PASS: decrypt-dsa.test
MD5 SHA1 SHA256 SHA384 SHA512 SHA224 | PASS: sigs.test
FAIL: sigs-dsa.test
3DES AES AES192 AES256 | PASS: encrypt.test
3DES AES AES192 AES256 | PASS: encrypt-dsa.test
PASS: seat.test
PASS: clearsig.test
PASS: encryptp.test
PASS: detach.test
PASS: armsigs.test
PASS: armencrypt.test
PASS: armencryptp.test
PASS: signencrypt.test
FAIL: signencrypt-dsa.test
PASS: armsignencrypt.test
PASS: armdetach.test
PASS: armdetachm.test
PASS: detachm.test
PASS: genkey1024.test
3DES AES AES192 AES256 | PASS: conventional.test
3DES AES AES192 AES256 | PASS: conventional-mdc.test
PASS: multisig.test
PASS: verify.test
PASS: armor.test
PASS: import.test
3 of 28 tests failed
Please report to http://bugs.gnupg.org

Expected results:

All tests pass.

Additional info:

Comment 1 Ondrej Moriš 2013-05-22 07:48:23 EDT
Additional info:

This means that either self-test is not "FIPS-friendly" or that there are issues in gnugp2 itself.
Comment 2 RHEL Product and Program Management 2013-10-13 19:35:00 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Comment 3 Tomas Mraz 2014-02-14 09:46:29 EST
It is not FIPS mode friendly. I do not think it is worth fixing it at this point given the resource constraints.

Note You need to log in before you can comment on or make changes to this bug.