Hi,
We're running into a problem running CFEngine on Red Hat Linux under FIPS, using the rpm packages downloaded from
https://cfengine.com/downloads/cfengine-community/
The same problem doesn't appear to be present in the rpm packages as downloaded from the yum repo described there.
Tested with Red Hat and Rocky Linux, versions 8, 9 and with cfengine-community versions 3.18.x, 3.21.6, 3.24.1.
## baseline test
When the OS is booted without FIPS enabled there is no problem.
```
$ sysctl crypto.fips_enabled
crypto.fips_enabled = 0
$ /var/cfengine/bin/cf-promises -df /var/cfengine/share/CoreBase/masterfiles/update.cf | grep -i hash
debug: Hashed policy file /var/cfengine/share/CoreBase/masterfiles/update.cf to MD5=f917539c79f1d88570fc95c37656d9bb
debug: Hashed policy file /var/cfengine/share/CoreBase/masterfiles/cfe_internal/update/lib.cf to MD5=e1fb6c176ffcfce0b9bda14f95d2c683
```
## failure under FIPS
When the OS is booted with FIPS enabled, all hashes return 00000000000000000000000000000000.
```
$ sysctl crypto.fips_enabled
crypto.fips_enabled = 1
$ /var/cfengine/bin/cf-promises -df /var/cfengine/share/CoreBase/masterfiles/update.cf | grep -i hash
debug: Hashed policy file /var/cfengine/share/CoreBase/masterfiles/update.cf to MD5=00000000000000000000000000000000
debug: Hashed policy file /var/cfengine/share/CoreBase/masterfiles/cfe_internal/update/lib.cf to MD5=00000000000000000000000000000000
verbose: Skipping loading of duplicate (detected by hash) policy file /var/cfengine/share/CoreBase/masterfiles/cfe_internal/update/lib.cf
```
I would guess this is due to the MD5 hashing function being disabled under FIPS. But when the same test is run using the same version installed from the yum repo, the problem is not seen.
Is it possible for us to override the default digest used? Or is there something else we can do to fix the default behaviour?
Any help would be appreciated.
Thank you,
----------
Alex Malowany
Computer Systems Administrator
Scientific Computing
Diamond Light Source Ltd.
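An added example (not from the post or from CFEngine) showing the two checks a practitioner would want here: a scan of cf-promises debug output for the all-zero digests shown above, which indicate the hash backend failed silently, and a file hasher that treats an unavailable digest (hashlib raises ValueError for MD5 under FIPS) as an error and falls back to SHA-256 rather than trusting a zero result. The fallback algorithm and the log format regex are assumptions.

```python
import hashlib
import re

# Matches cf-promises debug lines of the form
#   debug: Hashed policy file /path/update.cf to MD5=<hex>
HASH_LINE = re.compile(r"Hashed policy file (?P<path>\S+) to (?P<algo>\w+)=(?P<hex>[0-9a-fA-F]+)")


def is_degenerate_digest(hexdigest: str) -> bool:
    """An all-zero digest means the output buffer was never written (the FIPS symptom), not a real hash."""
    return hexdigest != "" and set(hexdigest) == {"0"}


def find_zero_hashes(log_text: str) -> list:
    """Return (path, algo) for every hashed-file log line whose digest is all zeros."""
    return [(m.group("path"), m.group("algo"))
            for m in HASH_LINE.finditer(log_text)
            if is_degenerate_digest(m.group("hex"))]


def fips_enabled() -> bool:
    """Same flag that `sysctl crypto.fips_enabled` reports."""
    try:
        with open("/proc/sys/crypto/fips_enabled") as f:
            return f.read().strip() == "1"
    except OSError:
        return False


def hash_policy_bytes(data: bytes, preferred: str = "md5", fallback: str = "sha256"):
    """Hash policy content, failing closed: a disabled digest is skipped, a zero digest is rejected."""
    for algo in (preferred, fallback):
        try:
            h = hashlib.new(algo, data)   # ValueError when the digest is unsupported or FIPS-disabled
        except ValueError:
            continue
        digest = h.hexdigest()
        if is_degenerate_digest(digest):
            raise RuntimeError(f"{algo} returned an all-zero digest; refusing to trust it")
        return algo, digest
    raise RuntimeError(f"neither {preferred} nor {fallback} is available on this system")


# Constructed sample: the two debug lines from the FIPS run in the post.
SAMPLE_LOG = """\
debug: Hashed policy file /var/cfengine/share/CoreBase/masterfiles/update.cf to MD5=00000000000000000000000000000000
debug: Hashed policy file /var/cfengine/share/CoreBase/masterfiles/cfe_internal/update/lib.cf to MD5=00000000000000000000000000000000
"""

if __name__ == "__main__":
    print("FIPS enabled:", fips_enabled())
    for path, algo in find_zero_hashes(SAMPLE_LOG):
        print(f"degenerate {algo} digest for {path}")
    print(hash_policy_bytes(b"bundle agent main {}"))
```

Running find_zero_hashes over the real cf-promises output is a quick way to confirm the failure before deciding between changing the digest and using the yum-repo build.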