Bug 966529 - self-test fails when FIPS mode is enabled
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openscap
Version: 6.4
Platform: Unspecified Linux
Severity: low
Target Milestone: rc
Assigned To: Šimon Lukašík
QA Contact: Ondrej Moriš
Blocks: 1163462
Reported: 2013-05-23 08:26 EDT by Ondrej Moriš
Modified: 2014-12-16 16:39 EST (History)
Doc Type: Bug Fix
Clones: 1163462
Last Closed: 2014-12-16 16:39:31 EST
Type: Bug
Attachments: None
Description Ondrej Moriš 2013-05-23 08:26:59 EDT
Description of problem:

The following tests in the self-test (also known as 'make check') are not "FIPS" compatible:

* test_probes_filehash (tests/API/crypt/test_api_crypt.sh)
* test_crapi_mdigest   (tests/API/crypt/test_api_crypt.sh)
* test_probes_filehash (tests/probes/filehash/test_probes_filehash.sh)

The reason is that they use MD5 cryptography provided by libgcrypt which is not FIPS 140-2 approved and hence the library forbids them.

Version-Release number of selected component (if applicable):

openscap-0.9.3-1.el6

How reproducible:

100 %

Steps to Reproduce:

Notice that in order to reproduce this bug, you do not need to have a machine in FIPS mode (with 1 in /proc/sys/crypto/fips_enabled). It is sufficient to turn libgcrypt into FIPS mode by creating /etc/gcrypt/fips_enabled.

1. touch /etc/gcrypt/fips_enabled
2. download and build the source rpm package
3. execute self test in the build directory

Actual results:

FAIL in FIPS mode

Expected results:

PASS in FIPS mode

Additional info:

One might detect FIPS mode of libgcrypt quite easily [1] in order to skip the problematic parts of aforementioned tests.

[1] http://www.gnupg.org/documentation/manuals/gcrypt/Enabling-FIPS-mode.html
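The detection the reporter suggests in the description, written out as a shell helper that a test script could source before exercising MD5. This is an added example, not OpenSCAP's test-suite code and not from the bug report. It assumes the two conditions documented for libgcrypt (the kernel switch /proc/sys/crypto/fips_enabled reading "1", or the file /etc/gcrypt/fips_enabled existing); the KERNEL_FIPS_FILE and GCRYPT_FIPS_FILE override variables and the function names are inventions of this example so it can be exercised against scratch files.

```shell
#!/bin/sh
# Added example (not OpenSCAP code): decide whether libgcrypt will start in
# FIPS mode, so a test suite can skip the MD5 cases instead of failing.
#
# libgcrypt enters FIPS mode when either
#   * the kernel switch /proc/sys/crypto/fips_enabled contains "1", or
#   * the marker file /etc/gcrypt/fips_enabled exists (libgcrypt only).
# The two path variables are an assumption of this example so the check can
# be pointed at scratch files; their defaults are the real locations.

: "${KERNEL_FIPS_FILE:=/proc/sys/crypto/fips_enabled}"
: "${GCRYPT_FIPS_FILE:=/etc/gcrypt/fips_enabled}"

# Returns 0 (true) if libgcrypt would run in FIPS mode, 1 otherwise.
gcrypt_fips_enabled() {
    if [ -e "$GCRYPT_FIPS_FILE" ]; then
        return 0
    fi
    if [ -r "$KERNEL_FIPS_FILE" ] && [ "$(cat "$KERNEL_FIPS_FILE")" = "1" ]; then
        return 0
    fi
    return 1
}

# Prints "run" or "skip" for a hash algorithm name.  MD5 is not FIPS 140-2
# approved and libgcrypt refuses to compute it in FIPS mode; SHA-1 and the
# SHA-2 family stay available, so only MD5 is gated here.
hash_test_action() {
    algo="$1"
    case "$algo" in
        md5|MD5)
            if gcrypt_fips_enabled; then
                echo skip
            else
                echo run
            fi
            ;;
        *)
            echo run
            ;;
    esac
}

# Stand-alone usage: report which hash tests would run on this host.
for algo in md5 sha1 sha256; do
    printf '%s: %s\n' "$algo" "$(hash_test_action "$algo")"
done
```

A test script would source this file and wrap each MD5 case in `[ "$(hash_test_action md5)" = skip ] && { echo "SKIP: md5 (FIPS mode)"; } || run_md5_case`. Checking the libgcrypt marker file and not only the kernel switch matters, because, as the reproduction steps show, the library can be in FIPS mode on a host whose kernel is not.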
Comment 1 RHEL Product and Program Management 2013-10-13 23:30:46 EDT
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 4 Jan Černý 2014-12-16 12:48:24 EST
These errors are only in the test suite, OpenSCAP behaves correctly.

I ran tests/API/crypt/test_api_crypt.sh and I found that it fails when calling the md5 function from libgcrypt.

When running tests/probes/filehash/test_probes_filehash.sh, the product also performs very correctly, because it generates this message in result:

<ind-sys:filehash_item id="1282811" status="error">
  <message level="error">Unable to compute md5 hash value of "/tmp/test_probes_filehash.tmp".</message>
  <ind-sys:path>/tmp</ind-sys:path>
  <ind-sys:filename>test_probes_filehash.tmp</ind-sys:filename>
  <ind-sys:md5></ind-sys:md5>
  <ind-sys:sha1>a1554335bec5c4f34e59d67e855ed1a8b8ff0465</ind-sys:sha1>
</ind-sys:filehash_item>
Comment 5 Šimon Lukašík 2014-12-16 16:39:31 EST
Thank you, Jan, for the analysis.

There is no problem with the OpenSCAP package in the FIPS mode, the problem is just with the test suite. The test suite has numerous requirements for the system it is running on. FIPS disabled is just one of those.

Closing as NOTABUG.
