salt: [BUG] v3005 fails openssl FIPS self test

Description

Packaging problem with v3005 - lacks the .hmac files which openssl uses to test itself when fips=1

Setup

Only relevant setup is kernel cmdline of fips=1

Steps to Reproduce the behavior

Boot Linux with FIPS enabled and run salt-call test.ping

Expected behavior

Return true

Screenshots

[root@rhel8 run]# salt-call test.ping
crypto/fips/fips.c:154: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
Aborted (core dumped)

Versions Report

salt --versions-report
Salt Version:
          Salt: 3005

Dependency Versions:
          cffi: 1.14.6
      cherrypy: unknown
      dateutil: 2.8.1
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.1.0
       libgit2: Not Installed
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.2
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     pycparser: 2.21
      pycrypto: Not Installed
  pycryptodome: 3.9.8
        pygit2: Not Installed
        Python: 3.9.13 (main, Aug 23 2022, 18:33:26)
  python-gnupg: 0.4.8
        PyYAML: 5.4.1
         PyZMQ: 23.2.0
         smmap: Not Installed
       timelib: 0.2.4
       Tornado: 4.5.3
           ZMQ: 4.3.4

System Versions:
          dist: rhel 8.6 Ootpa
        locale: utf-8
       machine: x86_64
       release: 4.18.0-372.19.1.el8_6.x86_64
        system: Linux
       version: Red Hat Enterprise Linux 8.6 Ootpa

Additional context

I calculated the HMAC of the supplied files as a workaround as such:

openssl sha256 -r -hmac orboDeJITITejsirpADONivirpUkvarP libssl.so.1.1 | cut -d' ' -f1 > /opt/saltstack/salt/run/.libssl.so.1.1.hmac
openssl sha256 -r -hmac orboDeJITITejsirpADONivirpUkvarP libcrypto.so.1.1 | cut -d' ' -f1 > /opt/saltstack/salt/run/.libcrypto.so.1.1.hmac
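A check for the workaround above, written as an added example (not code from the issue or from the Salt project): it computes the same HMAC-SHA256 that `openssl sha256 -r -hmac KEY` prints, using the key quoted in the report, and reports whether each bundled library's `.hmac` file is missing, stale, or matching, so the integrity check can be verified before the box is rebooted with fips=1. The `/opt/saltstack/salt/run` path and the `.<lib>.hmac` naming come from the report; `selftest()` runs on a constructed stand-in file in a temp directory.

```python
import hashlib
import hmac
import os
import tempfile

# HMAC key of the FIPS-capable OpenSSL build, as quoted in the report above.
FIPS_HMAC_KEY = b"orboDeJITITejsirpADONivirpUkvarP"

def hmac_path(lib_path):
    """OpenSSL expects the integrity file beside the library, named .<lib>.hmac."""
    d, name = os.path.split(lib_path)
    return os.path.join(d, "." + name + ".hmac")

def compute_hmac(lib_path, key=FIPS_HMAC_KEY):
    """Hex HMAC-SHA256 of the file: the value `openssl sha256 -r -hmac KEY` prints."""
    with open(lib_path, "rb") as f:
        return hmac.new(key, f.read(), hashlib.sha256).hexdigest()

def check_library(lib_path, key=FIPS_HMAC_KEY):
    """Return 'missing', 'mismatch' or 'ok' for the library's .hmac file."""
    p = hmac_path(lib_path)
    if not os.path.exists(p):
        return "missing"
    with open(p, "rb") as f:
        stored = f.read().split()  # first token is the digest; ignore any trailing filename
    if not stored or not hmac.compare_digest(stored[0].lower(), compute_hmac(lib_path, key).encode()):
        return "mismatch"
    return "ok"

def write_hmac(lib_path, key=FIPS_HMAC_KEY):
    """Regenerate the .hmac file (the reporter's workaround, without shelling out to openssl)."""
    digest = compute_hmac(lib_path, key)
    with open(hmac_path(lib_path), "w") as f:
        f.write(digest + "\n")
    return digest

def selftest():
    """Exercise all three outcomes on a constructed stand-in library in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        lib = os.path.join(d, "libcrypto.so.1.1")
        with open(lib, "wb") as f:
            f.write(b"\x7fELF constructed stand-in, not a real library\n" * 64)
        missing = check_library(lib)  # no .hmac yet, the v3005 packaging situation
        write_hmac(lib)
        ok = check_library(lib)
        with open(lib, "ab") as f:
            f.write(b"X")  # modified library: stored HMAC no longer matches
        return missing, ok, check_library(lib)
```

On a v3005 install, `check_library("/opt/saltstack/salt/run/libcrypto.so.1.1")` and the same call for `libssl.so.1.1` should both return `"ok"` before enabling FIPS mode; `"missing"` reproduces the self-test abort shown above.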

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 18 (14 by maintainers)

Most upvoted comments

@neutronscott Still working on resolving this, but efforts have come to nought. However, in the meantime, as a workaround until this is resolved, you could use the regular packaging for CentOS 8 Stream, which does work with FIPS mode enabled.

[root@Unknown test_c8]# fips-mode-setup --check
FIPS mode is enabled.
[root@Unknown test_c8]# salt-call --local test.versions
local:
    Salt Version:
              Salt: 3005
    Dependency Versions:
              cffi: Not Installed
          cherrypy: Not Installed
          dateutil: 2.6.1
         docker-py: Not Installed
             gitdb: Not Installed
         gitpython: Not Installed
            Jinja2: 2.10.1
           libgit2: Not Installed
          M2Crypto: 0.35.2
              Mako: Not Installed
           msgpack: 0.6.2
      msgpack-pure: Not Installed
      mysql-python: Not Installed
         pycparser: Not Installed
          pycrypto: Not Installed
      pycryptodome: Not Installed
            pygit2: Not Installed
            Python: 3.6.8 (default, Jun 23 2022, 19:01:59)
      python-gnupg: Not Installed
            PyYAML: 3.12
             PyZMQ: 20.0.0
             smmap: Not Installed
           timelib: Not Installed
           Tornado: 4.5.3
               ZMQ: 4.3.4
    System Versions:
              dist: centos 8
            locale: UTF-8
           machine: x86_64
           release: 4.18.0-408.el8.x86_64
            system: Linux
           version: CentOS Stream 8

It can be installed using the following commands:

sudo rpm --import https://repo.saltproject.io/py3/redhat/8/x86_64/3005/SALTSTACK-GPG-KEY.pub
curl -fsSL https://repo.saltproject.io/py3/redhat/8/x86_64/3005.repo | sudo tee /etc/yum.repos.d/salt.repo