Ctest fails on clamav-1.4.1 on Linux in FIPS mode due to md5 hash of zip file : solution in comment 1 #1411

Open
AlanCDavis-APG opened this issue Nov 25, 2024 · 3 comments · May be fixed by #1417
@AlanCDavis-APG
Describe the bug

Building 1.4.1 on aarch64 RHEL 8.10 in FIPS mode, python 3.11 fails clamscan and clamscan_valgrind due to MD5 being deprecated in FIPS mode.

How to reproduce the problem

as root: fips-mode-setup --enable ; reboot
Doc here:
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/security_hardening/switching-rhel-to-fips-mode_security-hardening#federal-information-processing-standards-140-and-fips-mode_switching-rhel-to-fips-mode

Follow build instructions : https://docs.clamav.net/manual/Installing/Installing-from-source-Unix.html

Output of ctest

82% tests passed, 2 tests failed out of 11

Total Test time (real) = 531.97 sec

The following tests FAILED:
4 - clamscan (Failed)
5 - clamscan_valgrind (Failed)
Errors while running CTest

Example failing code


            # Generate hash of the zipped file.
            # Since we generated the zip in python, we don't know the hash in advance.
>           hash_md5 = hashlib.md5()
E           ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS

/home/automation/clamav/clamav-1.4.1/unit_tests/clamscan/fp_check_test.py:65: ValueError

Proposed resolution

Use SHA256 hash for zip file validation

Attachments

LastTest.log
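The traceback above comes from a FIPS-enabled OpenSSL refusing to initialise MD5, which Python surfaces as a ValueError from hashlib.md5(); the proposed resolution is to hash the generated zip with SHA-256 instead. The Python below is an added example, not code from the issue author or the ClamAV project: it reads the kernel's FIPS flag before attempting a disallowed digest, hashes a file in chunks with a FIPS-approved algorithm, and assembles a false-positive (.fp) signature line from the result. The /proc/sys/crypto/fips_enabled path, the "HEXHASH:SIZE:NAME" line layout and the rule that clamscan tells MD5/SHA-1/SHA-256 apart by digest length are assumptions taken from the ClamAV signature documentation, not from this page; the sample file content is constructed.

```python
"""
Added example: FIPS-safe file hashing for ClamAV-style .fp (false-positive)
signatures. Not code from the ClamAV project or the issue author.

Assumptions (not stated on the page):
  - /proc/sys/crypto/fips_enabled is the Linux kernel's FIPS flag ("1" when on).
  - An .fp signature line is laid out as "HEXHASH:FILESIZE:NAME" and clamscan
    recognises the algorithm from the digest length (32 hex = MD5, 40 = SHA-1,
    64 = SHA-256).
"""
import hashlib
import os
import tempfile

# Digests that a FIPS-enabled OpenSSL refuses to initialise; hashlib then raises
# ValueError ("disabled for FIPS"), exactly as in the pytest traceback above.
FIPS_DISALLOWED = {"md5"}


def fips_mode_enabled() -> bool:
    """Return True when the Linux kernel reports FIPS mode (assumed interface)."""
    try:
        with open("/proc/sys/crypto/fips_enabled", "r", encoding="ascii") as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False  # non-Linux host, or /proc not mounted


def hash_file(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 16) -> str:
    """Hex digest of a file, read in chunks so large archives are not loaded into RAM.

    Refuses a FIPS-disallowed digest up front, with a clear message, instead of
    letting hashlib raise halfway through a test run. The default (sha256) is
    FIPS-approved and needs no special handling.
    """
    if algorithm in FIPS_DISALLOWED and fips_mode_enabled():
        raise ValueError(f"{algorithm} is disabled for FIPS; use sha256 instead")
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def fp_signature(path: str, name: str, algorithm: str = "sha256") -> str:
    """Build an .fp line "HEXHASH:SIZE:NAME" (assumed layout, see module docstring)."""
    if ":" in name:
        raise ValueError("signature name must not contain ':'")
    return f"{hash_file(path, algorithm)}:{os.path.getsize(path)}:{name}"


def digest_algorithm(sig_line: str) -> str:
    """Classify an .fp line by digest length (assumed: 32 = md5, 40 = sha1, 64 = sha256)."""
    digest = sig_line.split(":", 1)[0]
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(digest), "unknown")


def demo() -> str:
    """Write a constructed sample file, return its SHA-256 .fp line, clean up."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"hello")  # constructed sample content
        sample = tmp.name
    try:
        return fp_signature(sample, "ClamAV-Test-FP")
    finally:
        os.unlink(sample)


if __name__ == "__main__":
    print(demo())
```

Checking the kernel flag first is what turns the mid-run ValueError in the traceback into a deliberate, early failure; on a host where /proc/sys/crypto/fips_enabled is absent the helper simply reports non-FIPS and defers to whatever the OpenSSL build allows.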

@AlanCDavis-APG
Author

Changed to sha256 and all tests pass in FIPS mode
diff -c output attached

Diff:

arches-dev-arm-01:automation > diff  ../clamscan.dist/fp_check_test.py fp_check_test.py
65c65
<         hash_md5 = hashlib.md5()
---
>         hash_sha256 = hashlib.sha256()
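Review bot: the new name on line 65 still encodes the algorithm (`hash_sha256`), so this one-line fix spreads into four hunks and any later algorithm change will mean the same rename again; a neutral name such as `file_hash` keeps the update and `hash=` lines below untouched. Python 3.9+ also accepts `hashlib.md5(usedforsecurity=False)` for non-security uses, but here the digest is the value clamscan matches on for the .fp signature, so changing the algorithm rather than suppressing the FIPS check is the right call.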
68,69c68,69
<                 hash_md5.update(chunk)
<         hash_md5 = hash_md5.hexdigest()
---
>                 hash_sha256.update(chunk)
>         hash_sha256 = hash_sha256.hexdigest()
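Review bot: line 69 rebinds `hash_sha256` from a hashlib object to its hexdigest string, so the same name holds two different types within four lines; consider `sha256_hex = hash_sha256.hexdigest()` and passing `hash=sha256_hex` in the two hunks below, which also makes it obvious at the call sites that a string, not a hash object, is being formatted into the signature.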
73c73
<             hash=hash_md5,
---
>             hash=hash_sha256,
78c78
<             hash=hash_md5))
---
>             hash=hash_sha256))

New ctest output

arches-dev-arm-01:automation > ctest
Test project /home/automation/clamav/clamav-1.4.1/build
Start 1: libclamav
1/11 Test #1: libclamav ........................ Passed 8.48 sec
Start 2: libclamav_valgrind
2/11 Test #2: libclamav_valgrind ............... Passed 117.46 sec
Start 3: libclamav_rust
3/11 Test #3: libclamav_rust ................... Passed 0.17 sec
Start 4: clamscan
4/11 Test #4: clamscan ......................... Passed 7.71 sec
Start 5: clamscan_valgrind
5/11 Test #5: clamscan_valgrind ................ Passed 228.94 sec
Start 6: clamd
6/11 Test #6: clamd ............................ Passed 25.26 sec
Start 7: clamd_valgrind
7/11 Test #7: clamd_valgrind ................... Passed 86.64 sec
Start 8: freshclam
8/11 Test #8: freshclam ........................ Passed 6.70 sec
Start 9: freshclam_valgrind
9/11 Test #9: freshclam_valgrind ............... Passed 56.59 sec
Start 10: sigtool
10/11 Test #10: sigtool .......................... Passed 0.95 sec
Start 11: sigtool_valgrind
11/11 Test #11: sigtool_valgrind ................. Passed 19.22 sec

100% tests passed, 0 tests failed out of 11

Total Test time (real) = 558.12 sec

fp_check_test.py.patch.txt

@AlanCDavis-APG AlanCDavis-APG changed the title Ctest fails on clamav-1.4.1 on Linux in FIPS mode due to md5 hash of zip file Ctest fails on clamav-1.4.1 on Linux in FIPS mode due to md5 hash of zip file : solution in comment 1 Nov 26, 2024
@rsundriyal rsundriyal self-assigned this Nov 26, 2024
@micahsnyder
Contributor

Thanks for sharing this. I wasn't aware that the python hashlib.md5() function had issues in FIPS mode. I also confirmed that switching it to use sha256 for the fp signature feature test passes the tests. I'll incorporate your changes in this work as I aim to resolve FIPS compatibility issues with CVD digital signature verification #1417

@AlanCDavis-APG
Author

AlanCDavis-APG commented Dec 20, 2024 via email

@micahsnyder micahsnyder linked a pull request Jan 2, 2025 that will close this issue
micahsnyder added a commit to micahsnyder/clamav-micah that referenced this issue Jan 2, 2025
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.

Fixes: Cisco-Talos#564

Add a Rust implementation for parsing, verifying, and unpacking CVD
files.

Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
  `-D CVD_CERTS_DIRECTORY=PATH`

New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
  `--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
  `CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
  `CVDCertsDirectory PATH`

Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.

Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.

libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
  Resolves: Cisco-Talos#1304
- Add two new API's to the public clamav.h header:
  ```c
  extern cl_error_t cl_cvdverify_ex(const char *file,
                                    const char *certs_directory);

  extern cl_error_t cl_cvdunpack_ex(const char *file,
                                    const char *dir,
                                    bool dont_verify,
                                    const char *certs_directory);
  ```
  The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
  You may set this option with `cl_engine_set_str` and get it
  with `cl_engine_get_str`, to override the compiled in default
  CVD certs directory.

libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).

Add sigtool sign/verify tests and test certs.

Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.

Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: Cisco-Talos#1411
micahsnyder added a commit to micahsnyder/clamav-micah that referenced this issue Jan 14, 2025