Project

General

Profile

Bug #1656

App doesn't support FIPS mode

Added by Luke Murphey over 3 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Start date:
12/17/2016
Due date:
% Done:

100%

History

#2 Updated by Luke Murphey over 3 years ago

http://docs.splunk.com/Documentation/Splunk/6.5.1/Security/AboutusingSSLtoolsinWindowsandLinux#About_FIPS

Before you start Splunk Enterprise for the first time, edit $SPLUNK_HOME/etc/splunk-launch.conf to add the following line:

SPLUNK_FIPS=1

#3 Updated by Luke Murphey over 3 years ago

Might want to have a unit test for this

#4 Updated by Luke Murphey over 3 years ago

Unit tests passed when running locally. Will try on the CI environment now.

#5 Updated by Luke Murphey over 3 years ago

CI unit tests pass. I might need to improve test coverage to include looking for the hashes.

#6 Updated by Luke Murphey over 3 years ago

I'm seeing an error when I run the app:

fips_md.c OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored Aborted (core dumped)

What is odd is that the unit test don't detect this because running "splunk cmd python" doesn't run Python in FIPS mode. The following works on a FIPS Splunk instance:

import hashlib
hashlib.md5("test").hexdigest()

Neither hashlib.algorithms_available nor hashlib.algorithms_guaranteed indicate that MD5 is not available even in the code running with OpenSSL in FIPS mode.

#7 Updated by Luke Murphey over 3 years ago

Ok, it looks like it is set in an environment variable.

import os
print os.environ.get('SPLUNK_FIPS', '0')

#8 Updated by Luke Murphey over 3 years ago

I tried running the unit tests with the environment variable set. It didn't work. As far as I can tell there is no way to run the units tests in FIPS mode.

#9 Updated by Luke Murphey over 3 years ago

https://bugs.python.org/file17970/py3k-hashlib-fips-issue9216.patch

Might be able to use this code to determine if OpenSSL is in FIPS mode too.

#10 Updated by Luke Murphey over 3 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

Also available in: Atom PDF