Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

Ctest fails on clamav-1.4.1 on Linux in FIPS mode due to md5 hash of zip file #1411

Open AlanCDavis-APG opened 19 hours ago

AlanCDavis-APG commented 19 hours ago

Describe the bug

Building 1.4.1 on aarch64 RHEL 8.10 in FIPS mode with Python 3.11, ctest fails clamscan and clamscan_valgrind due to MD5 being deprecated in FIPS mode.

How to reproduce the problem

As root: fips-mode-setup --enable ; reboot

Doc here: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/security_hardening/switching-rhel-to-fips-mode_security-hardening#federal-information-processing-standards-140-and-fips-mode_switching-rhel-to-fips-mode

Follow build instructions: https://docs.clamav.net/manual/Installing/Installing-from-source-Unix.html

Output of ctest

82% tests passed, 2 tests failed out of 11

Total Test time (real) = 531.97 sec

The following tests FAILED:
      4 - clamscan (Failed)
      5 - clamscan_valgrind (Failed)
Errors while running CTest

Example failing code


            # Generate hash of the zipped file.
            # Since we generated the zip in python, we don't know the hash in advance.
>           hash_md5 = hashlib.md5()
E           ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS

/home/automation/clamav/clamav-1.4.1/unit_tests/clamscan/fp_check_test.py:65: ValueError

Proposed resolution

Use SHA256 hash for zip file validation

Attachments

LastTest.log
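The proposed resolution, sketched as an added example that is not part of the original issue and is not ClamAV's test code: a zip is generated in Python and hashed with SHA-256 instead of MD5, with a probe that reports whether the running interpreter permits MD5. The helper names, the member name `hello.txt` and the sample bytes are assumptions made for illustration.

```python
import hashlib
import io
import os
import tempfile
import zipfile


def md5_allowed() -> bool:
    """Return True if this interpreter's OpenSSL permits MD5 as a normal digest."""
    try:
        hashlib.md5()
        return True
    except ValueError:  # raised in FIPS mode, as in the traceback in the issue
        return False


def build_zip(members: dict) -> bytes:
    """Create a zip archive in memory from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def sha256_file(path: str, chunk_size: int = 65536) -> str:
    """Stream a file through SHA-256, a digest that FIPS mode allows."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_generated_zip(members: dict) -> tuple:
    """Write the generated zip to a temp file and return (sha256_hex, size)."""
    data = build_zip(members)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.zip")
        with open(path, "wb") as fh:
            fh.write(data)
        return sha256_file(path), os.path.getsize(path)


if __name__ == "__main__":
    sha256_hex, size = hash_generated_zip({"hello.txt": b"constructed test data\n"})
    print("MD5 allowed:", md5_allowed())
    print(f"{sha256_hex}  ({size} bytes)")
```

The zip embeds the current time for each member, so its hash differs between runs and has to be computed after generation, as the comment in the failing test says.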