Red Hat Bugzilla – Bug 966529
self-test fails when FIPS mode is enabled
Last modified: 2014-12-16 16:39:31 EST
Description of problem:
The following tests in the self-test (also known as 'make check') are not "FIPS" compatible:
* test_probes_filehash (tests/API/crypt/test_api_crypt.sh)
* test_crapi_mdigest (tests/API/crypt/test_api_crypt.sh)
* test_probes_filehash (tests/probes/filehash/test_probes_filehash.sh)
The reason is that they use MD5 cryptography provided by libgcrypt which is not FIPS 140-2 approved and hence the library forbids them.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Note that in order to reproduce this bug, you do not need to have a machine in FIPS mode (with 1 in /proc/sys/crypto/fips_enabled). It is sufficient to turn libgcrypt into FIPS mode by creating /etc/gcrypt/fips_enabled.
1. touch /etc/gcrypt/fips_enabled
2. download and build the source rpm package
3. execute self test in the build directory
FAIL in FIPS mode
PASS in FIPS mode
One might detect FIPS mode of libgcrypt quite easily in order to skip the problematic parts of the aforementioned tests.
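The detection suggested above, sketched as an added example (not code from the OpenSCAP test suite): it checks the two FIPS triggers named in this report and skips only the cases marked as needing MD5. The function names, the `CASE_RESULT` variable and the overridable path variables are hypothetical.

```shell
#!/bin/sh
# Added example: skip MD5-dependent test cases when libgcrypt is in FIPS mode.
# Paths can be overridden so the check can be exercised against fixture
# files (variable names are hypothetical, not from the test suite).
: "${FIPS_KERNEL_FLAG:=/proc/sys/crypto/fips_enabled}"
: "${FIPS_GCRYPT_FLAG:=/etc/gcrypt/fips_enabled}"

# Returns 0 when one of the two triggers from the report is present.
gcrypt_fips_enabled() {
    # Marker file: existence alone is enough (step 1 is a plain touch).
    [ -e "$FIPS_GCRYPT_FLAG" ] && return 0
    # Kernel flag: the report's case is the value 1; any other non-zero
    # value is treated the same way here (assumption of this example).
    if [ -r "$FIPS_KERNEL_FLAG" ]; then
        flag=
        read -r flag < "$FIPS_KERNEL_FLAG" || true
        case $flag in
            ''|0) ;;
            *) return 0 ;;
        esac
    fi
    return 1
}

# usage: run_case <needs_md5: yes|no> <command> [args...]
# Sets CASE_RESULT to PASS, FAIL or SKIP; returns 1 only on FAIL.
run_case() {
    needs_md5=$1; shift
    if [ "$needs_md5" = yes ] && gcrypt_fips_enabled; then
        CASE_RESULT=SKIP
        echo "SKIP: $* (MD5 is refused by libgcrypt in FIPS mode)"
        return 0
    fi
    if "$@"; then
        CASE_RESULT=PASS; echo "PASS: $*"
    else
        CASE_RESULT=FAIL; echo "FAIL: $*"; return 1
    fi
}

# Report the state of the current machine.
if gcrypt_fips_enabled; then
    echo "libgcrypt FIPS mode detected: MD5 cases will be skipped"
else
    echo "libgcrypt FIPS mode not detected: MD5 cases will run"
fi
```

A process can also switch libgcrypt into FIPS mode through the library API, which a file check like this cannot see.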
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
These errors are only in the test suite, OpenSCAP behaves correctly.
I ran tests/API/crypt/test_api_crypt.sh and I found that it fails when calling the md5 function from libgcrypt.
When running tests/probes/filehash/test_probes_filehash.sh, the product also performs very correctly, because it generates this message in the result:
<ind-sys:filehash_item id="1282811" status="error">
<message level="error">Unable to compute md5 hash value of "/tmp/test_probes_filehash.tmp".</message>
Thank you, Jan, for the analysis.
There is no problem with the OpenSCAP package in the FIPS mode, the problem is just with the test suite. The test suite has numerous requirements for the system it is running on. FIPS disabled is just one of those.
Closing as NOTABUG.