Ctest fails on clamav-1.4.1 on Linux in FIPS mode due to md5 hash of zip file : solution in comment 1 #1411

Open
AlanCDavis-APG opened this issue Nov 25, 2024 · 3 comments

@AlanCDavis-APG

Describe the bug

Building 1.4.1 on aarch64 RHEL 8.10 in FIPS mode with Python 3.11, clamscan and clamscan_valgrind fail due to MD5 being deprecated in FIPS mode.

How to reproduce the problem

As root: fips-mode-setup --enable ; reboot
Doc here:
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/security_hardening/switching-rhel-to-fips-mode_security-hardening#federal-information-processing-standards-140-and-fips-mode_switching-rhel-to-fips-mode

Follow the build instructions: https://docs.clamav.net/manual/Installing/Installing-from-source-Unix.html

Output of ctest

82% tests passed, 2 tests failed out of 11

Total Test time (real) = 531.97 sec

The following tests FAILED:
4 - clamscan (Failed)
5 - clamscan_valgrind (Failed)
Errors while running CTest

Example failing code

            # Generate hash of the zipped file.
            # Since we generated the zip in python, we don't know the hash in advance.
>           hash_md5 = hashlib.md5()
E           ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS

/home/automation/clamav/clamav-1.4.1/unit_tests/clamscan/fp_check_test.py:65: ValueError

Proposed resolution

Use SHA256 hash for zip file validation

Attachments

LastTest.log
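The failure above comes from the digest constructor itself: under FIPS mode the OpenSSL backend refuses to initialise MD5, so hashlib.md5() raises before any data is hashed. The following added example (not code from the ClamAV test suite; the sample zip and function names are constructed for illustration) shows the pattern the report proposes, a chunked SHA-256 over a zip generated in memory, plus a probe that detects a policy-disabled digest up front instead of crashing mid-run.

```python
import hashlib
import io
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample: a small zip built in memory, like the test does.

    A fixed date_time keeps the archive bytes (and so the digest) stable
    between runs; writestr() would otherwise stamp the current time."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("hello.txt", date_time=(2024, 11, 25, 0, 0, 0))
        zf.writestr(info, "constructed sample payload\n")
    return buf.getvalue()


def digest_is_available(name: str) -> bool:
    """Probe whether the crypto backend will initialise this digest.

    In FIPS mode hashlib.md5() raises ValueError at construction time
    ('EVP_DigestInit_ex ... disabled for FIPS'); catching it here lets a
    test skip or fall back instead of erroring out partway through."""
    try:
        hashlib.new(name)
    except ValueError:
        return False
    return True


def file_digest_hex(fileobj, algorithm: str = "sha256", chunk_size: int = 4096) -> str:
    """Chunked hex digest of a file-like object; SHA-256 is FIPS-approved."""
    if not digest_is_available(algorithm):
        raise RuntimeError(f"{algorithm} is disabled by the system crypto policy; use sha256")
    hasher = hashlib.new(algorithm)
    # Read in chunks so large archives are not loaded into memory at once.
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        hasher.update(chunk)
    return hasher.hexdigest()


def sample_zip_sha256() -> str:
    """Digest of the constructed zip, the value the test would embed in its signature."""
    return file_digest_hex(io.BytesIO(build_sample_zip()), "sha256")
```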

@AlanCDavis-APG
Author

Changed to sha256 and all tests pass in FIPS mode
diff -c output attached

Diff:

arches-dev-arm-01:automation > diff  ../clamscan.dist/fp_check_test.py fp_check_test.py
65c65
<         hash_md5 = hashlib.md5()
---
>         hash_sha256 = hashlib.sha256()
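Review bot: the change at line 65 from `hashlib.md5()` to `hashlib.sha256()` is the right fix for the ValueError shown in the report, since SHA-256 is FIPS-approved while MD5 is refused at digest initialisation; if an MD5 value were ever needed for compatibility, Python 3.9+ accepts `hashlib.md5(usedforsecurity=False)` for non-security uses, but nothing in this test calls for that, and SHA-256 is the cleaner choice.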
68,69c68,69
<                 hash_md5.update(chunk)
<         hash_md5 = hash_md5.hexdigest()
---
>                 hash_sha256.update(chunk)
>         hash_sha256 = hash_sha256.hexdigest()
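Review bot: lines 68-69 reuse `hash_sha256` for two different types, first the hashlib object and then the string returned by `.hexdigest()`; give the string its own name (e.g. `digest = hash_sha256.hexdigest()`) so the variable's type stays stable and the later `hash=` keyword arguments read unambiguously.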
73c73
<             hash=hash_md5,
---
>             hash=hash_sha256,
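Review bot: `hash=hash_sha256` at line 73 now supplies a 64-character hex digest where a 32-character MD5 digest was formatted before; the passing test run shows the signature format used here accepted it, but a short comment at this line stating that the format expects a SHA-256 digest would save the next reader from having to rediscover that dependency.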
78c78
<             hash=hash_md5))
---
>             hash=hash_sha256))

New ctest output

arches-dev-arm-01:automation > ctest
Test project /home/automation/clamav/clamav-1.4.1/build
Start 1: libclamav
1/11 Test #1: libclamav ........................ Passed 8.48 sec
Start 2: libclamav_valgrind
2/11 Test #2: libclamav_valgrind ............... Passed 117.46 sec
Start 3: libclamav_rust
3/11 Test #3: libclamav_rust ................... Passed 0.17 sec
Start 4: clamscan
4/11 Test #4: clamscan ......................... Passed 7.71 sec
Start 5: clamscan_valgrind
5/11 Test #5: clamscan_valgrind ................ Passed 228.94 sec
Start 6: clamd
6/11 Test #6: clamd ............................ Passed 25.26 sec
Start 7: clamd_valgrind
7/11 Test #7: clamd_valgrind ................... Passed 86.64 sec
Start 8: freshclam
8/11 Test #8: freshclam ........................ Passed 6.70 sec
Start 9: freshclam_valgrind
9/11 Test #9: freshclam_valgrind ............... Passed 56.59 sec
Start 10: sigtool
10/11 Test #10: sigtool .......................... Passed 0.95 sec
Start 11: sigtool_valgrind
11/11 Test #11: sigtool_valgrind ................. Passed 19.22 sec

100% tests passed, 0 tests failed out of 11

Total Test time (real) = 558.12 sec

fp_check_test.py.patch.txt

@AlanCDavis-APG AlanCDavis-APG changed the title Ctest fails on clamav-1.4.1 on Linux in FIPS mode due to md5 hash of zip file Ctest fails on clamav-1.4.1 on Linux in FIPS mode due to md5 hash of zip file : solution in comment 1 Nov 26, 2024
@rsundriyal rsundriyal self-assigned this Nov 26, 2024
@micahsnyder
Contributor

Thanks for sharing this. I wasn't aware that the python hashlib.md5() function had issues in FIPS mode. I also confirmed that switching it to use sha256 for the fp signature feature test passes the tests. I'll incorporate your changes in this work as I aim to resolve FIPS compatibility issues with CVD digital signature verification #1417

@AlanCDavis-APG
Author

AlanCDavis-APG commented Dec 20, 2024 via email
