Actions
Bug #52900
closedsegfault on FIPS enabled server as result of EVP_md5 disabled in openssl
% Done:
100%
Source:
Q/A
Tags:
backport_processed
Backport:
pacific octopus
Regression:
No
Severity:
2 - major
Reviewed:
Description
reproduces in a vstart environment on
$ cat /etc/redhat-release Red Hat Enterprise Linux release 8.4 (Ootpa)
with fips enabled:
$ sudo fips-mode-setup --enable $ sudo systemctl reboot $ sysctl crypto.fips_enabled crypto.fips_enabled = 1
with the following flow:
./bin/radosgw-admin realm create --rgw-realm=gold ./bin/radosgw-admin zonegroup create --master --rgw-realm=gold --rgw-zonegroup=us --endpoints=http://127.0.0.1:8000 ./bin/radosgw-admin zone create --master --endpoints=http://127.0.0.1:8000 --rgw-realm=gold --rgw-zonegroup=us --rgw-zone=us-east # segfaults every time: ./bin/radosgw-admin period update --commit --rgw-realm=gold --rgw-zonegroup=us --rgw-zone=us-east ... -6> 2021-10-11T09:36:12.361+0000 7fa039ffb700 10 monclient: _finish_command 4 = mon:22 unparseable JSON {"prefix": "osd pool set", "pool": "us-east.rgw.meta", "var": "recovery_priority": "5"} -5> 2021-10-11T09:36:12.361+0000 7fa102870c00 5 note: GC not initialized -4> 2021-10-11T09:36:12.362+0000 7fa102870c00 5 asok(0x55d0eaef2350) register_command sync trace show hook 0x55d0eaf148e0 -3> 2021-10-11T09:36:12.362+0000 7fa102870c00 5 asok(0x55d0eaef2350) register_command sync trace history hook 0x55d0eaf148e0 -2> 2021-10-11T09:36:12.362+0000 7fa102870c00 5 asok(0x55d0eaef2350) register_command sync trace active hook 0x55d0eaf148e0 -1> 2021-10-11T09:36:12.362+0000 7fa102870c00 5 asok(0x55d0eaef2350) register_command sync trace active_short hook 0x55d0eaf148e0 0> 2021-10-11T09:36:12.367+0000 7fa102870c00 -1 *** Caught signal (Segmentation fault) ** in thread 7fa102870c00 thread_name:radosgw-admin ceph version 16.2.0-325-g0e34bb74700 (0e34bb74700060ebfaa22d99b7d2cdc037b28a57) pacific (stable) 1: /lib64/libpthread.so.0(+0x12b20) [0x7fa0f7b1fb20] NOTE: a copy of the executable, or `objdump -rdS <executable>` is needed to interpret this.
callstack in gdb:
multi-thre Thread 0x7ffff7fd82 In: ceph::crypto::ssl::OpenSSLDigest::Update L201 PC: 0x7ffff4db8cac (gdb) bt #0 0x0000000000000000 in ?? () #1 0x00007ffff4db8cac in ceph::crypto::ssl::OpenSSLDigest::Update (this=0x7ffffffd80c0, input=0x2ba2f70 "a122d7e2-650d-4488-b232-2fb1782e1342", length=36) at ../src/common/ceph_crypto.cc:201 #2 0x0000000001f95e9f in gen_short_zone_id (zone_id="a122d7e2-650d-4488-b232-2fb1782e1342") at ../src/rgw/rgw_zone.cc:1908 #3 0x0000000001f8b18a in RGWPeriodMap::update (this=0x7ffffffd9008, zonegroup=..., cct=0x29dd4c0) at ../src/rgw/rgw_zone.cc:1948 #4 0x0000000001f8c9ce in RGWPeriod::update (this=0x7ffffffd8fa8, dpp=0x2948d88 <dpp()::global_dpp>, y=...) at ../src/rgw/rgw_zone.cc:1383 #5 0x00000000012b02e3 in update_period (realm_id="", realm_name="gold", period_id="", period_epoch="", commit=true, remote="", url="", opt_region=std::optional<std::string> [no contained value], access="", secret="", formatter=0x2b8e750, force=false) at ../src/rgw/rgw_admin.cc:1776 #6 0x0000000001287f0f in main (argc=7, argv=0x7fffffffdec8) at ../src/rgw/rgw_admin.cc:5933 (gdb) f 1 #1 0x00007ffff4db8cac in ceph::crypto::ssl::OpenSSLDigest::Update (this=0x7ffffffd80c0, input=0x2ba2f70 "a122d7e2-650d-4488-b232-2fb1782e1342", length=36) at ../src/common/ceph_crypto.cc:201
src/rgw/rgw_zone.cc is using 'EVP_md5' which is forbidden in FIPS
... static uint32_t gen_short_zone_id(const std::string zone_id) { unsigned char md5[CEPH_CRYPTO_MD5_DIGESTSIZE]; MD5 hash; ...
Actions