Bug 966529 - self-test fails when FIPS mode is enabled
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openscap
Version: 6.4
Hardware: Unspecified
OS: Linux
unspecified
low
Target Milestone: rc
: ---
Assignee: Šimon Lukašík
QA Contact: Ondrej Moriš
URL:
Whiteboard:
Depends On:
Blocks: 1163462
Reported: 2013-05-23 12:26 UTC by Ondrej Moriš
Modified: 2014-12-16 21:39 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1163462 (view as bug list)
Environment:
Last Closed: 2014-12-16 21:39:31 UTC
Target Upstream Version:
Embargoed:



Description Ondrej Moriš 2013-05-23 12:26:59 UTC
Description of problem:

The following tests in the self-test (also known as 'make check') are not "FIPS" compatible:

* test_probes_filehash (tests/API/crypt/test_api_crypt.sh)
* test_crapi_mdigest   (tests/API/crypt/test_api_crypt.sh)
* test_probes_filehash (tests/probes/filehash/test_probes_filehash.sh)

The reason is that they use MD5 cryptography provided by libgcrypt which is not FIPS 140-2 approved and hence the library forbids them.

Version-Release number of selected component (if applicable):

openscap-0.9.3-1.el6

How reproducible:

100 %

Steps to Reproduce:

Notice that in order to reproduce this bug, you do not need to have a machine in FIPS mode (with 1 in /proc/sys/crypto/fips_enabled). It is sufficient to turn libgcrypt into FIPS mode by creating /etc/gcrypt/fips_enabled.

1. touch /etc/gcrypt/fips_enabled
2. download and build the source rpm package
3. execute self test in the build directory

Actual results:

FAIL in FIPS mode

Expected results:

PASS in FIPS mode

Additional info:

One might detect FIPS mode of libgcrypt quite easily [1] in order to skip the problematic parts of the aforementioned tests.

[1] http://www.gnupg.org/documentation/manuals/gcrypt/Enabling-FIPS-mode.html
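
One way a test script could detect libgcrypt's FIPS mode and skip the MD5 parts, using the two file triggers named in the description above. This is an added example, not code from the bug report or from OpenSCAP; the function names and the ROOT argument are assumptions made for illustration, and the digest list is limited to the two digests that appear on this page.

```shell
#!/bin/sh
# Added example, not OpenSCAP code. ROOT is a hypothetical argument that lets
# the check run against a constructed directory tree instead of the live system.

# gcrypt_fips_active [ROOT]
# Exit status 0 if either trigger named in the report is present.
gcrypt_fips_active() {
    root="${1:-}"

    # Trigger 1: libgcrypt-only switch. The file's existence is enough;
    # its content is not examined.
    if [ -e "$root/etc/gcrypt/fips_enabled" ]; then
        return 0
    fi

    # Trigger 2: kernel-wide flag. Any non-zero number counts as enabled.
    flag="$root/proc/sys/crypto/fips_enabled"
    if [ -r "$flag" ]; then
        value=$(cat "$flag" 2>/dev/null || true)
        if [ "${value:-0}" -ne 0 ] 2>/dev/null; then
            return 0
        fi
    fi
    return 1
}

# filehash_algorithms [ROOT]
# Prints the digests a filehash self-test should exercise: MD5 is dropped
# when FIPS mode is detected, SHA-1 is kept in both cases.
filehash_algorithms() {
    if gcrypt_fips_active "${1:-}"; then
        echo "sha1"
    else
        echo "md5 sha1"
    fi
}

# Usage in a test script: skip the MD5 assertions instead of failing.
for alg in $(filehash_algorithms); do
    echo "would run $alg checks"
done
```

The check only looks at the two files, so it will not notice a program that switches libgcrypt into FIPS mode through the library itself.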

Comment 1 RHEL Program Management 2013-10-14 03:30:46 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 4 Jan Černý 2014-12-16 17:48:24 UTC
These errors are only in the test suite, OpenSCAP behaves correctly.

I ran tests/API/crypt/test_api_crypt.sh and I found that it fails when calling the md5 function from libgcrypt.

When running tests/probes/filehash/test_probes_filehash.sh, the product also performs very correctly, because it generates this message in the result:

<ind-sys:filehash_item id="1282811" status="error">
  <message level="error">Unable to compute md5 hash value of "/tmp/test_probes_filehash.tmp".</message>
  <ind-sys:path>/tmp</ind-sys:path>
  <ind-sys:filename>test_probes_filehash.tmp</ind-sys:filename>
  <ind-sys:md5></ind-sys:md5>
  <ind-sys:sha1>a1554335bec5c4f34e59d67e855ed1a8b8ff0465</ind-sys:sha1>
</ind-sys:filehash_item>

Comment 5 Šimon Lukašík 2014-12-16 21:39:31 UTC
Thank you, Jan, for the analysis.

There is no problem with the OpenSCAP package in the FIPS mode, the problem is just with the test suite. The test suite has numerous requirements for the system it is running on. FIPS disabled is just one of those.

Closing as NOTABUG.

