Bug 1217058 - [Build 34.1] FIPS Mode: failed to import RPM keys suddenly
Summary: [Build 34.1] FIPS Mode: failed to import RPM keys suddenly
Status: VERIFIED FIXED
Duplicates: 1217059 1217060 1217061 1217062 1217063
Alias: None
Product: PUBLIC SUSE Linux Enterprise Server 15 SP6
Classification: openSUSE
Component: Security Certifications (show other bugs)
Version: unspecified
Hardware: Other Other
Priority: P1 - Urgent  Severity: Critical
Target Milestone: ---
Assignee: Otto Hollmann
QA Contact:
URL: https://openqa.suse.de/tests/12774034...
Whiteboard: FIPS
Keywords:
Depends on:
Blocks:
 
Reported: 2023-11-13 07:25 UTC by Joaquín Rivera
Modified: 2023-11-28 05:47 UTC

See Also:
Found By: openQA
Services Priority:
Business Priority:
Blocker: Yes
Marketing QA Status: ---
IT Deployment: ---


Description Joaquín Rivera 2023-11-13 07:25:57 UTC
## Observation

openQA test in scenario sle-15-SP6-Online-x86_64-fips_env_ecryptfs@64bit fails in
[ecryptfs](https://openqa.suse.de/tests/12774034/modules/ecryptfs/steps/12)

libecryptfs1-111-2.31.x86_64: install failed, impeding testing of all encryption ciphers of ecryptfs.

Logs are attached in the Logs and Assets tab in openQA:
https://openqa.suse.de/tests/12774034#downloads
Comment 1 Marcus Meissner 2023-11-13 08:19:43 UTC
After installing FIPS packages, zypp can no longer import keys for some reason.

2023-11-07 05:34:54 <5> susetest(1864) [zypp-core] Exception.cc(log):186
KeyRing.cc(importKey):759 THROW:    Failed to import key.
2023-11-07 05:34:54 <5> susetest(1864) [zypp-core] Exception.cc(log):186
RpmDb.cc(syncTrustedKeys):659 CAUGHT:   Failed to import key.
2023-11-07 05:34:55 <5> susetest(1864) [zypp-core] Exception.cc(log):186
RpmDb.cc(doInstallPackage):1814 THROW:    Subprocess failed. Error: RPM failed:
Command exited with status 1.
Comment 2 Marcus Meissner 2023-11-13 08:21:05 UTC
*** Bug 1217059 has been marked as a duplicate of this bug. ***
Comment 3 Marcus Meissner 2023-11-13 08:21:17 UTC
*** Bug 1217060 has been marked as a duplicate of this bug. ***
Comment 4 Marcus Meissner 2023-11-13 08:21:29 UTC
*** Bug 1217061 has been marked as a duplicate of this bug. ***
Comment 5 Marcus Meissner 2023-11-13 08:21:50 UTC
*** Bug 1217062 has been marked as a duplicate of this bug. ***
Comment 6 Marcus Meissner 2023-11-13 08:25:03 UTC
*** Bug 1217063 has been marked as a duplicate of this bug. ***
Comment 7 Marcus Meissner 2023-11-13 08:26:05 UTC
Nov 07 05:34:40.197749 susetest zypper[1644]: Libgcrypt error: integrity check failed: Checksum error
Nov 07 05:34:40.198102 susetest zypper[1644]: Libgcrypt notice: state transition Self-Test => Error
Comment 8 Marcus Meissner 2023-11-13 08:34:23 UTC
I think the generated HMAC of libgcrypt cannot be verified.

Blocks any FIPS testing -> P1
Comment 10 Otto Hollmann 2023-11-15 17:56:13 UTC
Indeed, the HMAC is incorrect and doesn't match libgcrypt.so.20.

It's interesting that the libgcrypt utility hmac256 produces the same output as openssl. However, even if I update the HMAC file with the correct value, it's still failing.
Comment 11 Marcus Meissner 2023-11-16 13:27:44 UTC
I think the RPM build strips the library and so breaks the checksum, as it does not block that stripping.

You could block stripping, or you could regenerate the checksum in the spec file AFTER stripping, like previously.
Comment 12 Marcus Meissner 2023-11-20 17:33:16 UTC
Otto?
Comment 13 Otto Hollmann 2023-11-20 22:09:20 UTC
Sorry, we had a public holiday on Friday.

I found that libgcrypt is no longer using the hmac file .libgcrypt.so.20.hmac that we are still shipping (so I think we should remove it).

Since commit 3c89aad4a the hmac checksum is inserted directly as a section into the library.

Unfortunately my attempts to disable stripping were unsuccessful. I will continue tomorrow.
Comment 14 Marcus Meissner 2023-11-21 08:08:11 UTC
Did you try:

export NO_BRP_STRIP_DEBUG=true

in %install?

Alternatively we could regenerate the checksum and overwrite the one in the ELF.
Comment 15 Otto Hollmann 2023-11-21 11:09:07 UTC
No, it didn't help.
But I found a way to re-define the macro __spec_install_post and re-calculate the HMAC checksum after the RPM build strips the library. Now it works well.

Also I removed the .libgcrypt.so.20.hmac file as it's no longer needed.

Please review it:
> https://build.suse.de/request/show/313300
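The ordering problem discussed in Comment 11 and resolved in Comment 15 (an integrity HMAC computed at build time, then invalidated when the RPM brp-strip pass removes debug bytes from the library, and fixed by recomputing the HMAC after stripping) can be shown with a small model. The following is an added illustration, not code from libgcrypt, the SUSE package or this bug; the key, the byte layout and the "strip" step are constructed stand-ins for the real ELF section handling, and the HMAC is HMAC-SHA256 over the image with its own HMAC slot zeroed.

```python
import hashlib
import hmac

# Constructed placeholder: libgcrypt compiles in its own fixed key for the
# FIPS self-check. Only the ordering of build steps matters for this model.
HMAC_KEY = b"placeholder-fips-hmac-key"
SLOT_LEN = 32  # size of the embedded HMAC-SHA256 value


def build_library(code: bytes, debug: bytes) -> bytes:
    """Toy ELF-like image: [code][debug info][32-byte HMAC slot, zero-filled]."""
    return code + debug + bytes(SLOT_LEN)


def compute_hmac(image: bytes) -> bytes:
    """HMAC over the whole image with the HMAC slot treated as zeros,
    so the stored value does not feed back into its own computation."""
    body = image[:-SLOT_LEN] + bytes(SLOT_LEN)
    return hmac.new(HMAC_KEY, body, hashlib.sha256).digest()


def embed_hmac(image: bytes) -> bytes:
    """Write the current HMAC into the slot (what hmac256 / the build does)."""
    return image[:-SLOT_LEN] + compute_hmac(image)


def verify(image: bytes) -> bool:
    """The FIPS self-test: recompute and compare in constant time.
    A mismatch is what the 'integrity check failed: Checksum error' log shows."""
    return hmac.compare_digest(image[-SLOT_LEN:], compute_hmac(image))


def strip_debug(image: bytes, debug_len: int) -> bytes:
    """Stand-in for RPM's brp-strip: drop the debug bytes, keep code and slot.
    A real strip rewrites section tables too; here only the size change matters."""
    return image[: -SLOT_LEN - debug_len] + image[-SLOT_LEN:]


def broken_build(code: bytes, debug: bytes) -> bytes:
    """Order that produced this bug: HMAC first, strip afterwards."""
    image = embed_hmac(build_library(code, debug))
    return strip_debug(image, len(debug))


def fixed_build(code: bytes, debug: bytes) -> bytes:
    """Order of the fix (HMAC recomputed in the redefined __spec_install_post):
    strip first, then embed the HMAC over the bytes that actually ship."""
    image = strip_debug(build_library(code, debug), len(debug))
    return embed_hmac(image)


if __name__ == "__main__":
    code = b"\x7fELF-text-section-constructed-sample"
    debug = b".debug_info-constructed-sample"
    print("HMAC then strip verifies:", verify(broken_build(code, debug)))  # False
    print("strip then HMAC verifies:", verify(fixed_build(code, debug)))   # True
```

Note that the two orders only diverge when stripping actually changes bytes; with an empty debug section both images verify, which is why the breakage appeared "suddenly" only once the HMAC moved from the side file into the library itself and the stripped bytes started to matter.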
Comment 16 Marcus Meissner 2023-11-21 11:33:15 UTC
Proposed patch looks good to me.
Comment 17 Otto Hollmann 2023-11-23 14:10:57 UTC
Thank you, Marcus.

Submitted:
> SLE15-SP6        https://build.suse.de/request/show/313300
> ALP:Source:1.0   https://build.suse.de/request/show/313570
> openSUSE:Factory https://build.opensuse.org/request/show/1127966
Comment 18 Marcus Meissner 2023-11-27 16:24:44 UTC
Fixed, if I read openQA correctly.
Comment 19 Joaquín Rivera 2023-11-28 05:47:00 UTC
Verified fixed:
https://openqa.suse.de/tests/12894643