Hi Bennet,

I’m attaching a compressed tar file, chklc_fips.tgz, that is an attempt at
creating a binary (chklc_fips) that uses its own local version of crypt.  See
the README file when you untar the archive.  This is not officially supported
in any way, and while it can read my license file in a non-FIPS environment,
I cannot say if it will actually work for you.

-rob


On Apr 19, 2018, at 10:14 AM, Bennet Fauber <ben...@umich.edu> wrote:


Hi, Rob,

The call to crypt() appears to be in FreeSurfer's license validation routine, 
since it is immediately after reading the license file.  In the sense that 
FreeSurfer cannot run without some sort of license, and that license validation 
is using the native Unix crypt() function to validate, it's not quite 
OpenSource.  I think someone at FreeSurfer would need to replace the single 
call to the crypt() function with some other function that isn't marked as 
'insecure' to bypass this.

I thought I saw something earlier on the mailing list about this, and that 
there was a workaround, but I am unable to locate it again.  Any chance this 
could get passed to the developer who maintains the license validation code?  
Depending on the code and their willingness to share, we might be able to 
contribute an alternative for systems with the elevated security.

This currently may not be a big issue, but we are seeing increasing strictness 
on our end to comply with federal security guidelines, and it may not just be 
our Medical Center and local VA that are pushing these security measures.

This is what it looks like when it succeeds.

11527 open("/sw/arcts/centos7/freesurfer/6.0.0/license.txt", O_RDONLY) = 3
11527 fstat(3, {st_mode=S_IFREG|0644, st_size=52, ...}) = 0
11527 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b4bcc176000
11527 read(3, "ben...@umich.edu\n6925\n *CpU.rbF6"..., 8192) = 52
11527 read(3, "", 8192)                 = 0
11527 open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
11527 read(4, "0\n", 31)                = 2
11527 close(4)                          = 0
11527 close(3)                          = 0
11527 munmap(0x2b4bcc176000, 8192)      = 0
11527 getcwd("/home/bennet/tmp/freesurfer", 4096) = 28
11527 open("/home/bennet/tmp/freesurfer/sample-001.mgz", O_RDONLY) = 3

I do not believe that this is something that can be 'whitelisted', as this is 
set in the Linux kernel at boot time.

Thanks,    -- bennet


On Thu, Apr 12, 2018 at 11:29 AM, Dicamillo, Robert <rdicami...@mgh.harvard.edu> wrote:
Hello Bennet,

Maybe someone else can chime in on this, as I have not worked on a system
with FIPS, but perhaps there is a way for the FIPS administrator to white list
all the Freesurfer binaries (and the license file), as security exempt.

I know some Enterprise/business applications like Adobe’s Acrobat, etc.,
(closed source) are built with code to work on FIPS compliant systems, but
I don’t see there is currently anything in Freesurfer (essentially open source),
code that knows about cryptographic modules, digital signatures, etc. to work on
a secure system.  Even turning on SELinux for Linux OS can be an
issue for some programs.

Another thing to inquire about is if the IT folks maintain any non-secure
servers, i.e., I would not assume that any application will just work in a
secure environment.

- rob

> On Apr 12, 2018, at 10:51 AM, Bennet Fauber <ben...@umich.edu> wrote:
>
> It appears that FreeSurfer is not compatible with systems for which
> FIPS level security is mandated.  In our case, I am told this is part
> of our data use agreement with the VA.
>
> We tried to run it, and I get the following stack trace showing what
> appears to be license validation using the crypt() function, which is
> blacklisted by the Linux kernel by the FIPS configuration.
>
> 28063 open("/opt/apps/freesurfer-6.0/freesurfer/license.txt", O_RDONLY) = 3
> 28063 fstat(3, {st_mode=S_IFREG|0644, st_size=59, ...}) = 0
> 28063 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa319883000
> 28063 read(3, "issc-sysad...@umich.edu\n23098\n*C"..., 4096) = 59
> 28063 read(3, "", 4096)                 = 0
> 28063 open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
> 28063 read(4, "1\n", 31)                = 2
> 28063 close(4)                          = 0
> 28063 write(1, "ERROR: crypt() returned null wit"..., 46) = 46
> 28063 exit_group(1)
>
> Is there a workaround so we can run FreeSurfer on FIPS-enabled systems?
>
> Appreciate your consideration of this question,
>
> -- bennet
>
>
>
> On Thu, Mar 29, 2018 at 5:05 PM, Bennet Fauber <ben...@umich.edu> wrote:
>> I have a couple of users here who are reporting that on machines with
>> FIPS enabled, which in turn disables certain cryptographic functions,
>> FreeSurfer core dumps with a call to the crypt() function, which FIPS
>> disables.
>>
>> Someone speculated based on output from strace that this is FreeSurfer
>> possibly attempting to validate its license.
>>
>> Is this a known problem?  Is there a solution?
>>
>> We have a university compliance office and possibly similar people
>> from our local VA who are insisting that FIPS be enabled.
>>
>> If you need more information, please let me know and I will try to
>> obtain it for you.
>>
>> Thanks,    -- bennet
> _______________________________________________
> Freesurfer mailing list
> Freesurfer@nmr.mgh.harvard.edu
> https://mail.nmr.mgh.harvard.edu/mailman/listinfo/freesurfer




The information in this e-mail is intended only for the person to whom it is
addressed. If you believe this e-mail was sent to you in error and the e-mail
contains patient information, please contact the Partners Compliance HelpLine at
http://www.partners.org/complianceline . If the e-mail was sent to you in error
but does not contain patient information, please contact the sender and properly
dispose of the e-mail.


Attachment: chklc_fips.tgz
Description: chklc_fips.tgz
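
Added example (not part of the original thread, and not FreeSurfer code): a Python triage of `strace -f` output that picks out processes which read /proc/sys/crypto/fips_enabled as 1 and then exited non-zero, the pattern visible in the failing trace quoted above. The sample trace, its paths and the function names are constructed for illustration.

```python
import re

FIPS_PATH = "/proc/sys/crypto/fips_enabled"
CALL = re.compile(r'^(\d+)\s+(\w+)\((.*?)\)\s*(?:=\s*(-?\d+|\?).*)?$')

# Constructed sample in `strace -f` format, modelled on the two traces in the thread.
SAMPLE = r'''
11527 open("/opt/example/license.txt", O_RDONLY) = 3
11527 read(3, "user@example.org\n00000\n"..., 8192) = 24
11527 open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
11527 read(4, "0\n", 31)                = 2
11527 close(4)                          = 0
11527 close(3)                          = 0
28063 open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
28063 read(4, "1\n", 31)                = 2
28063 close(4)                          = 0
28063 write(1, "ERROR: crypt() returned null wit"..., 46) = 46
28063 exit_group(1)
'''

def triage(trace):
    """Return {pid: {'fips': '0'|'1'|None, 'exit': int|None, 'crypt_msg': bool}}."""
    procs, fips_fd = {}, {}
    for line in trace.splitlines():
        m = CALL.match(line.strip())
        if not m:
            continue  # blank, signal, or unfinished/resumed line
        pid, name, args, ret = m.groups()
        st = procs.setdefault(pid, {"fips": None, "exit": None, "crypt_msg": False})
        first = args.split(",", 1)[0].strip()
        if name in ("open", "openat") and FIPS_PATH in args and ret and ret.isdigit():
            fips_fd[pid] = ret                      # this fd now refers to the FIPS flag
        elif name == "read" and fips_fd.get(pid) == first:
            val = re.search(r'"([01])\\n"', args)   # the kernel reports "0\n" or "1\n"
            if val:
                st["fips"] = val.group(1)
        elif name == "close" and fips_fd.get(pid) == first:
            del fips_fd[pid]                        # fd numbers are reused, so forget it
        elif name == "write" and first in ("1", "2") and "crypt()" in args:
            st["crypt_msg"] = True                  # stdout/stderr message naming crypt()
        elif name == "exit_group" and first.isdigit():
            st["exit"] = int(first)
    return procs

def fips_failures(trace):
    """PIDs that saw fips_enabled=1 and then exited non-zero."""
    return sorted(p for p, s in triage(trace).items()
                  if s["fips"] == "1" and s["exit"] not in (None, 0))
```
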
