
Unable to init in FIPS mode #49

Open
sam-karateman opened this issue Dec 22, 2021 · 3 comments

Comments

@sam-karateman

I am helping to manage a Unix system that is running in FIPS mode, and we are unable to initialize Tripwire with our current policy file. I thought the issue was with the MD5 hash check, but I still receive this error even after removing any reference to the check in our policy:

[root tripwire]# tripwire --init -v
Open Source Tripwire(R) 2.4.3.7.0 built for x86_64-redhat-linux-gnu

Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc.  Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Opening configuration file: /etc/tripwire/tw.cfg
This file is encrypted.

Opening key file: /etc/tripwire/site.key
Opening key file: /etc/tripwire/<host>-local.key
Please enter your local passphrase: 
Opening key file: /etc/tripwire/site.key
Opening policy file: /etc/tripwire/tw.pol
This file is encrypted.
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
Processing:  /
--- Generating information for: /
--- Generating information for: /.autorelabel
md5_dgst.c(82): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode!
Software interrupt forced exit: Abort
Software interrupt forced exit: Segmentation Fault

So far I've been unable to locate any other solutions, so I'm hoping someone here can point me in the right direction. Thanks in advance.

@brc0x1
Member

brc0x1 commented Dec 27, 2021

Hi Sam, your best bet in the short term would be to configure with "--disable-openssl", which uses the hash impls in the 'core' subdirectory instead and doesn't link against OpenSSL. As a better solution, I'm going to check whether FIPS mode is detectable at configuration time, and if so, maybe disable MD5 (and probably HAVAL) support if FIPS is enabled. If I can't figure that out, plan B would be to add a "--disable-md5" or "--enable-fips" configure option to do this manually.

I don't think I've ever actually built OST against OpenSSL-FIPS. Did you need to do anything special to build or link it, or did that all just work transparently?

@brc0x1
Member

brc0x1 commented Dec 29, 2021

Re: Better solutions, I realized that checking for FIPS mode at configuration time isn't the right approach, since FIPS can be toggled on or off after building OST. Instead I think I need to exclude MD5 at runtime based on the value of OpenSSL's FIPS_mode(). So that's what I'm looking at now.
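
The runtime check brc0x1 describes, as an added example that is not Tripwire's code: Python's hashlib sits on top of OpenSSL, and on a FIPS-enabled host it refuses MD5 with a ValueError (the Python counterpart of the OpenSSL assertion in the log above), so the set of usable digests is decided when the program runs, not when it is built. The requested digest list and the sample bytes are constructed for the example; HAVAL is included as a digest hashlib never provides, so one exclusion is deterministic on any host.

```python
import hashlib

# Digests a policy might ask for. hashlib has no HAVAL at all, so it is always
# excluded; md5 is excluded only when the underlying OpenSSL runs in FIPS mode.
REQUESTED_DIGESTS = ("md5", "sha1", "sha256", "haval")


def probe_digests(requested):
    """Ask the crypto backend, at runtime, which digests it will compute.

    Returns (usable, excluded). `excluded` maps each refused digest name to the
    backend's reason; on FIPS-enabled OpenSSL this is where md5 drops out.
    """
    usable, excluded = [], {}
    for name in requested:
        try:
            hashlib.new(name, b"")
        except ValueError as exc:  # unknown digest or forbidden by FIPS policy
            excluded[name] = str(exc)
        else:
            usable.append(name)
    return usable, excluded


def digest_bytes(data, digests):
    """Hash one blob with every digest in `digests`; returns {name: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in digests}
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path, digests, chunk_size=65536):
    """Stream a file through the usable digests instead of reading it whole."""
    hashers = {name: hashlib.new(name) for name in digests}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


if __name__ == "__main__":
    usable, excluded = probe_digests(REQUESTED_DIGESTS)
    for name, reason in excluded.items():
        print(f"skipping {name}: {reason}")  # log, do not abort the whole run
    print(digest_bytes(b"constructed sample content\n", usable))
```

On a non-FIPS host md5 lands in `usable`; on a FIPS host it appears in `excluded` with OpenSSL's reason, and the run continues with the remaining digests.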

@sam-karateman
Author

Unfortunately I was not part of the team when the software was installed, but traditionally I believe we simply installed the package from yum/dnf and didn't build it manually. I will need to check with the team to see if it would be possible to rebuild from scratch instead. I appreciate you taking the time to look at this.
