Bug 1238769 - Satellite 5.6: Upgrading past rhncfg-5.10.55-8 breaks rhncfg-client with FIPS enabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Client
Version: 560
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Tomáš Kašpárek
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks: sat560-triage
 
Reported: 2015-07-02 14:58 UTC by Michael Hood
Modified: 2015-12-10 13:22 UTC (History)

Fixed In Version: rhncfg-5.10.74-9
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-10 13:22:24 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2614 normal SHIPPED_LIVE Red Hat Network Tools rhncfg and koan bug fix update 2015-12-10 18:21:54 UTC

Description Michael Hood 2015-07-02 14:58:58 UTC
Description of problem:

On FIPS enabled systems, after upgrading past rhncfg-5.10.55-8, rhncfg-client stops working

Version-Release number of selected component (if applicable):

DSSH:[root@hpc9-io-01d ~]# rpm -qa|grep rhncf
rhncfg-client-5.10.74-7.el6sat.noarch
rhncfg-5.10.74-7.el6sat.noarch
rhncfg-management-5.10.74-7.el6sat.noarch
rhncfg-actions-5.10.74-7.el6sat.noarch

How reproducible:


Steps to Reproduce:
1.rhncfg-client verify on any update of rhncfg after rhncfg-5.10.55-8


Actual results:

After upgrade of package:
[root@hpc9-io-01d ~]# rhncfg-client verify
Using server name labsat.it.census.gov
Traceback (most recent call last):
  File "/usr/bin/rhncfg-client", line 38, in <module>
    sys.exit(Main().main() or 0)
  File "/usr/share/rhn/config_common/rhn_main.py", line 207, in main
    handler.run()
  File "/usr/share/rhn/config_client/rhncfgcli_verify.py", line 73, in run
    (src, file_info, dirs_created) = self.repository.get_file_info(file)
  File "/usr/share/rhn/config_client/rpc_cli_repository.py", line 91, in get_file_info
    temp_file, dirs_created = f.process(result, directory=dest_directory)
  File "/usr/share/rhn/config_common/file_utils.py", line 80, in process
    file_struct['checksum_type'], contents):
  File "/usr/share/rhn/config_common/utils.py", line 159, in getContentChecksum
    engine = hashlib.new(checksum_type)
  File "/usr/lib64/python2.6/hashlib.py", line 83, in __hash_new
    return _hashlib.new(name, string, usedforsecurity)
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips


Expected results:

Upgrading to SAT 5.7 would resolve the issue but AFWA (662708) is running SAT 5.6 on RHEL 5 in a classified environment. Upgrading to 5.7 is not possible in the near future.


Additional info:

Comments from customer:

Mike,

I find that answer really frustrating.  In our environment, we have an operational satellite server in a classified environment that is running on top of RHEL5.  As a result, we can't simply upgrade it to Satellite 5.7 (since that requires RHEL6).  Making changes in that environment takes a lot of time and coordination - it won't be a fast process.  

I understand (and support) the migration to a FIPS-compliant environment. However, I find this frustrating because I wouldn't expect Red Hat to break backwards compatibility within dot-releases of the OS. On top of that, the suggested workaround of setting "usedforsecurity=False" within the hashlib module is very hard to actually implement. Using this technique would require us to modify a Red Hat-provided file. This implies we then need to manage the file within our satellite server and manually re-push the file every time the python-libs RPM gets updated. This would mean we would deploy a new RPM at version xyz, and then overwrite a single file with our baselined version from 3 versions back (or something like that). That would potentially break all sorts of things! Making a behavior-changing variable like this should be configurable within a config file, environment variable, or similar mechanism - not by hard-coding it inside of actual code.

In my opinion, it would not have been terribly hard for Red Hat to maintain backwards compatibility for the rhntools (rhncfg) packages. The rhncfg script should be able to tell what version of Satellite server it is talking to, and automatically set the usedforsecurity=False flag for any satellite server that is not capable of supporting FIPS (5.6 or below).  That seems like a simple if/then statement that would allow your RHEL6 clients to continue working as they did before, and allow customers like us that are transitioning into a fully-FIPS environment to do so without breaking functionality. 

All of my Red Hat products involved here (RHEL5, RHEL6, Satellite 5.6) are fully supported and were working together properly, yet we experienced a big loss of functionality after upgrading. This should not be, and I feel could have been avoided.

Comment 2 Tomáš Kašpárek 2015-08-25 14:31:21 UTC
The problem was caused by using the md5 algorithm without telling the system that it is not used for security purposes, as getting the md5 hash of a file is not by any means a security issue. This is fixed in the following commit:

spacewalk.git(master): 189973baa6381a479208a5ca5f11de5470866b7d
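
The two calls at the heart of this bug, as an added example (this is not rhncfg's or Spacewalk's own code): `hashlib.new(checksum_type)` is what the traceback shows failing for md5 under FIPS, and passing `usedforsecurity=False` is the fix the comment above describes, because the digest is only compared against the checksum the server sent for a config file, not used to make a security decision. `/proc/sys/crypto/fips_enabled` is the real kernel flag on RHEL; the helper names, the `checksum` key in the file record and the sample file entry are assumptions made for the example.

```python
"""FIPS-aware content checksum for config-file verification.

Added example, not code from rhncfg/Spacewalk. hashlib.new(name) raises
ValueError ('disabled for fips') for md5 in FIPS mode; hashlib.new(name,
usedforsecurity=False) is permitted because the hash is only a content
fingerprint.
"""
import hashlib

# Real kernel interface on RHEL: contains "1" when FIPS mode is enforced.
FIPS_FLAG_PATH = "/proc/sys/crypto/fips_enabled"


def fips_enabled(path=FIPS_FLAG_PATH):
    """Return True when the kernel reports FIPS mode; False if the flag is unreadable."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False


def new_digest(checksum_type, usedforsecurity):
    """Create a hash object, honouring the usedforsecurity flag where the interpreter supports it.

    CPython >= 3.9 and Red Hat's patched Python 2 accept the keyword. An
    interpreter that rejects it gets the plain call, which is exactly the call
    that fails for md5 under FIPS, so the caller sees the same ValueError
    rhncfg-client raised.
    """
    try:
        return hashlib.new(checksum_type, usedforsecurity=usedforsecurity)
    except TypeError:
        return hashlib.new(checksum_type)


def content_checksum(checksum_type, contents, usedforsecurity=False):
    """Hex digest of contents using the named algorithm (e.g. 'md5', 'sha256').

    Plays the role of getContentChecksum() in the traceback. The result is
    compared with a server-supplied value, so a non-FIPS-approved algorithm is
    acceptable here and is flagged as not used for security.
    """
    if isinstance(contents, str):
        contents = contents.encode("utf-8")
    engine = new_digest(checksum_type, usedforsecurity)
    engine.update(contents)
    return engine.hexdigest()


def verify_file_contents(file_struct, local_contents):
    """Compare the server-supplied checksum with the digest of the local file.

    file_struct carries 'checksum_type' as in the traceback; the 'checksum'
    key holding the expected hex digest is an assumption for this example.
    """
    actual = content_checksum(file_struct["checksum_type"], local_contents)
    return actual == file_struct["checksum"]


if __name__ == "__main__":
    # Constructed sample: what a server record for /etc/motd might look like.
    contents = b"Welcome\n"
    sample = {"path": "/etc/motd", "checksum_type": "md5",
              "checksum": content_checksum("md5", contents)}
    print("FIPS mode:", fips_enabled())
    state = "matches" if verify_file_contents(sample, contents) else "DIFFERS"
    print(sample["path"], state)
```

On a FIPS-enabled host, replacing `usedforsecurity=False` with the default in `content_checksum` reproduces the `EVP_DigestInit_ex:disabled for fips` failure for md5 entries, while sha256 entries keep working either way, which is why the bug only surfaced for servers still sending md5 checksums.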

Comment 6 Pavel Studeník 2015-11-04 15:21:47 UTC
Reproducer with rhncfg-5.10.74-8.el7sat.noarch

1) register system in FIPS mode to satellite 5.6

>> rhncfg-client verify
Using server name smqa-x3550m3-02.lab.eng.brq.redhat.com
Traceback (most recent call last):
  File "/usr/bin/rhncfg-client", line 38, in <module>
    sys.exit(Main().main() or 0)
  File "/usr/share/rhn/config_common/rhn_main.py", line 207, in main
    handler.run()
  File "/usr/share/rhn/config_client/rhncfgcli_verify.py", line 73, in run
    (src, file_info, dirs_created) = self.repository.get_file_info(file)
  File "/usr/share/rhn/config_client/rpc_cli_repository.py", line 91, in get_file_info
    temp_file, dirs_created = f.process(result, directory=dest_directory)
  File "/usr/share/rhn/config_common/file_utils.py", line 85, in process
    file_struct['checksum_type'], contents):
  File "/usr/share/rhn/config_common/utils.py", line 171, in getContentChecksum
    engine = hashlib.new(checksum_type)
  File "/usr/lib64/python2.7/hashlib.py", line 105, in __hash_new
    return _hashlib.new(name, string, usedforsecurity)
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

Comment 7 Pavel Studeník 2015-11-05 13:42:58 UTC
Verified with 

rhncfg-client-5.10.74-10.el6sat.noarch
rhncfg-client-5.10.74-10.el7sat.noarch

Comment 9 errata-xmlrpc 2015-12-10 13:22:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2614.html

