Bug #1656
App doesn't support FIPS mode
100%
History
#2 Updated by Luke Murphey about 8 years ago
Before you start Splunk Enterprise for the first time, edit $SPLUNK_HOME/etc/splunk-launch.conf to add the following line: SPLUNK_FIPS=1
#3 Updated by Luke Murphey about 8 years ago
Might want to have a unit test for this
#4 Updated by Luke Murphey almost 8 years ago
Unit tests passed when running locally. Will try on the CI environment now.
#5 Updated by Luke Murphey almost 8 years ago
CI unit tests pass. I might need to improve test coverage to include looking for the hashes.
#6 Updated by Luke Murphey almost 8 years ago
I'm seeing an error when I run the app:
fips_md.c OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored Aborted (core dumped)
What is odd is that the unit tests don't detect this because running "splunk cmd python" doesn't run Python in FIPS mode. The following works on a FIPS Splunk instance:
import hashlib
hashlib.md5("test").hexdigest()
Neither hashlib.algorithms_available nor hashlib.algorithms_guaranteed indicates that MD5 is not available, even in the code running with OpenSSL in FIPS mode.
#7 Updated by Luke Murphey almost 8 years ago
Ok, it looks like it is set in an environment variable.
import os
print os.environ.get('SPLUNK_FIPS', '0')
#8 Updated by Luke Murphey almost 8 years ago
I tried running the unit tests with the environment variable set. It didn't work. As far as I can tell there is no way to run the unit tests in FIPS mode.
#9 Updated by Luke Murphey almost 8 years ago
https://bugs.python.org/file17970/py3k-hashlib-fips-issue9216.patch
Might be able to use this code to determine if OpenSSL is in FIPS mode too.
#10 Updated by Luke Murphey almost 8 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
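
Added example (not part of the original ticket and not the app's own code): one way to make the MD5 problem from comments #6 to #8 visible to unit tests on a non-FIPS interpreter is to route hashing through a guard that checks SPLUNK_FIPS before it touches hashlib. The names FIPS_FORBIDDEN, FipsPolicyError, new_hash and fingerprint are hypothetical, and the forbidden set is an assumption that lists only the algorithm named in the ticket.

```python
import hashlib
import os

# Assumption: digests refused under FIPS in this sketch. MD5 is the one
# named in the ticket; extend the set to match your own policy.
FIPS_FORBIDDEN = frozenset({"md5"})


class FipsPolicyError(ValueError):
    """Raised by the guard instead of letting OpenSSL abort the process."""


def splunk_fips_enabled(environ=None):
    """True when SPLUNK_FIPS is 1, read the same way as in comment #7."""
    environ = os.environ if environ is None else environ
    return environ.get("SPLUNK_FIPS", "0").strip() == "1"


def new_hash(name, data=b"", environ=None):
    """Return a hashlib object, refusing forbidden digests when SPLUNK_FIPS=1.

    The check runs before hashlib is called, so it behaves the same whether
    or not the interpreter's OpenSSL is really in FIPS mode. A unit test on
    an ordinary build can therefore catch a stray MD5 call.
    """
    algo = name.lower()
    if splunk_fips_enabled(environ) and algo in FIPS_FORBIDDEN:
        raise FipsPolicyError("%s is not allowed when SPLUNK_FIPS=1" % algo)
    return hashlib.new(algo, data)


def fingerprint(data, environ=None):
    """Hypothetical app helper: content fingerprint using SHA-256."""
    return new_hash("sha256", data, environ).hexdigest()


if __name__ == "__main__":
    fips_env = {"SPLUNK_FIPS": "1"}  # constructed environment for the demo
    print(fingerprint(b"test", environ=fips_env))
    try:
        new_hash("md5", b"test", environ=fips_env)
    except FipsPolicyError as exc:
        print("blocked:", exc)
```

Passing a dict as environ lets a test simulate a FIPS instance without changing the real process environment.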