Unable to init in FIPS mode

[sam-karateman]

I am helping to manage a Unix system that is running in FIPS mode, and we are unable to initialize Tripwire with our current policy file. I thought the issue was with the MD5 hash check, but I still receive this error even after removing any reference to the check in our policy:

[root tripwire]# tripwire --init -v
Open Source Tripwire(R) 2.4.3.7.0 built for x86_64-redhat-linux-gnu

Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc.  Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Opening configuration file: /etc/tripwire/tw.cfg
This file is encrypted.

Opening key file: /etc/tripwire/site.key
Opening key file: /etc/tripwire/<host>-local.key
Please enter your local passphrase: 
Opening key file: /etc/tripwire/site.key
Opening policy file: /etc/tripwire/tw.pol
This file is encrypted.
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
Processing:  /
--- Generating information for: /
--- Generating information for: /.autorelabel
md5_dgst.c(82): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode!
Software interrupt forced exit: Abort
Software interrupt forced exit: Segmentation Fault

So far I've been unable to locate any other solutions, so I'm hoping someone here can point me in the right direction. Thanks in advance.

[brc0x1]

Hi Sam, your best bet in the short term would be to configure with "--disable-openssl", which uses the hash impls in the 'core' subdirectory instead and doesn't link against OpenSSL. As a better solution, I'm going to check whether FIPS mode is detectable at configuration time, and if so, maybe disable MD5 (and probably HAVAL) support if FIPS is enabled. If I can't figure that out, plan B would be to add a "--disable-md5" or "--enable-fips" configure option to do this manually.

I don't think I've ever actually built OST against OpenSSL-FIPS. Did you need to do anything special to build or link it, or did that all just work transparently?

[brc0x1]

Re: Better solutions, I realized that checking for FIPS mode at configuration time isn't the right approach, since FIPS can be toggled on or off after building OST. Instead I think I need to exclude MD5 at runtime based on the value of OpenSSL's FIPS_mode(). So that's what I'm looking at now.

[sam-karateman]

Unfortunately I was not part of the team when the software was installed, but traditionally I believe we simply installed the package from yum/dnf and didn't build it manually. I will need to check with the team to see if it would be possible to rebuild from scratch instead. I appreciate you taking the time to look at this.