Ctest fails on clamav-1.4.1 on Linux in FIPS mode due to md5 hash of zip file : solution in comment 1 #1411
Comments
Changed to sha256 and all tests pass in FIPS mode. Diff:
New ctest output:
Thanks for sharing this. I wasn't aware that the python hashlib.md5() function had issues in FIPS mode. I also confirmed that switching it to use sha256 for the fp signature feature test passes the tests. I'll incorporate your changes in this work as I aim to resolve FIPS compatibility issues with CVD digital signature verification #1417
Thanks for the response.

FIPS mode disables MD5 and RC4 encryption/hashes.

The build also fails valgrind when the RedHat systemd-devel libraries are installed and the ENABLE_SYSTEMD option is set.

This is, again, on RH 8.10 aarch64 native build. I haven't tried to build it on either Intel or AMD.

I haven't gone back to a failing build to get it documented and a bug report submitted, yet.
--
Alan Davis
Principal System Administrator
Apogee Research LLC
Office : 571.384.8941 x26
Cell : 410.701.0518
Add X509 certificate chain based signing with PKCS7-PEM external signatures distributed alongside CVD's in a custom .cvd.sign format.

This new signing and verification mechanism is primarily in support of FIPS compliance.
Fixes: Cisco-Talos#564

Add a Rust implementation for parsing, verifying, and unpacking CVD files.

Now installs a 'certs' directory in the app config directory (e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is: `-D CVD_CERTS_DIRECTORY=PATH`

New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is: `--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is: `CVD_CERTS_DIR`
- Config option for freshclam and clamd is: `CVDCertsDirectory PATH`

Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.

Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for daily and not if patching any other database.

libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
  Resolves: Cisco-Talos#1304
- Add two new API's to the public clamav.h header:
  ```c
  extern cl_error_t cl_cvdverify_ex(const char *file, const char *certs_directory);
  extern cl_error_t cl_cvdunpack_ex(const char *file, const char *dir, bool dont_verify, const char *certs_directory);
  ```
  The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`. You may set this option with `cl_engine_set_str` and get it with `cl_engine_get_str`, to override the compiled in default CVD certs directory.

libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).

Add sigtool sign/verify tests and test certs.

Make it so downloadFile doesn't throw a warning if the server doesn't have the .sign file.

Replace use of md5-based FP signatures in the unit tests with sha256-based FP signatures because the md5 implementation used by Python may be disabled in FIPS mode.
Fixes: Cisco-Talos#1411
Describe the bug
Building 1.4.1 on aarch64 RHEL 8.10 in FIPS mode, python 3.11 fails clamscan and clamscan_valgrind due to MD5 being deprecated in FIPS mode.
How to reproduce the problem
As root: fips-mode-setup --enable ; reboot
Doc here:
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/security_hardening/switching-rhel-to-fips-mode_security-hardening#federal-information-processing-standards-140-and-fips-mode_switching-rhel-to-fips-mode
Follow build instructions: https://docs.clamav.net/manual/Installing/Installing-from-source-Unix.html
Output of ctest
Example failing code
Proposed resolution
Use SHA256 hash for zip file validation
Attachments
LastTest.log
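The proposed resolution above, and the hashlib.md5() failure Micah confirms in the comments, as an added Python example that is not part of this issue or of ClamAV's own test code: it builds a SHA256-based `Hash:Size:Name` false-positive signature line for a file (the layout of ClamAV's `.fp`/`.sfp` hash signatures), checks a file against such a line by choosing the digest from the hash length, and fails closed when an MD5 line is presented on a host whose OpenSSL has MD5 disabled. The sample bytes, the signature name and the helper names are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample bytes standing in for the zip the clamscan test hashes.
SAMPLE_BYTES = b"PK\x03\x04 constructed sample archive bytes\n"

# ClamAV hash signatures are 'Hash:Size:Name'; the hex digest length picks
# the algorithm (32 = MD5 for .fp, 40 = SHA1 and 64 = SHA256 for .sfp).
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256"}


def md5_available() -> bool:
    """False where OpenSSL has MD5 disabled (RHEL FIPS mode): hashlib raises
    ValueError. Python 3.9+ also accepts usedforsecurity=False on some builds."""
    try:
        hashlib.md5(b"")
    except ValueError:
        return False
    return True

def file_digest(path: Path, algo: str):
    """Stream the file through the chosen hash; return (hex digest, size)."""
    h, size = hashlib.new(algo), 0
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return h.hexdigest(), size

def make_fp_signature(path: Path, name: str) -> str:
    """Emit a SHA256 .sfp line, the FIPS-safe replacement for an MD5 .fp line."""
    digest, size = file_digest(path, "sha256")
    return f"{digest}:{size}:{name}"

def matches_signature(path: Path, sig: str) -> bool:
    """Check a file against 'Hash:Size:Name'; pick the algorithm by digest
    length and fail closed if an MD5 line is presented where MD5 is disabled."""
    digest, size_s, _name = sig.split(":", 2)
    algo = ALGO_BY_HEXLEN[len(digest)]
    if algo == "md5" and not md5_available():
        raise RuntimeError("MD5 signature cannot be checked: MD5 is disabled")
    actual, size = file_digest(path, algo)
    return size == int(size_s) and actual == digest.lower()

def write_sample() -> Path:
    """Write the constructed sample bytes into a fresh temp directory."""
    sample = Path(tempfile.mkdtemp()) / "sample.zip"
    sample.write_bytes(SAMPLE_BYTES)
    return sample
```

On a FIPS-enabled host `md5_available()` returns False and only the SHA256 line from `make_fp_signature` can be checked, which is the behaviour the test-suite change relies on.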