Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-1840

Let user change hashing algorithm, to avoid crashing on FIPS-compliant hosts

    XMLWordPrintable

Details

    • New Feature
    • Status: Closed
    • Normal
    • Resolution: Fixed
    • None
    • PUP 3.6.0
    • None
    • 3
    • Week 2014-4-02 to 2014-4-09, Week 2014-4-09 to 2014-4-16, Week 2014-4-23 to 2014-4-30, Week 2014-4-16 to 2014-4-23, Week 2014-4-30 to 2014-5-7

    Description

      I'm using Puppet in part to ensure [Federal Information Processing Standard 140-2](http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf) (FIPS 140-2) compliance on my network. Part of this compliance for the system underlying Puppet is to make sure that only [FIPS Approved](http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf) algorithms are used. OpenSSL does this by ensuring that any attempts to run an unapproved algorithm result in either a SIGSEGV or a SIGABRT. MD5 has been broken enough that it is no longer a FIPS Approved algorithm.

      The consequence for Puppet is that, if it tries to use MD5 on a FIPS-compliant system, it will crash. Here is where I have seen Puppet crash for this reason:

      1. the puppet/util/checksums.rb, used by File resources;
      2. the puppet/parser/functions/md5.rb, implementation of the md5 DSL function;
      3. certificate signature in puppet/ssl/certificate_request.rb;
      4. certificate fingerprinting in puppet/ssl/base.rb;
      5. outside Puppet, in the session ID code in openssl/ssl-internal.rb, class OpenSSL::SSLServer, due to using WEBrick.

      It was easy enough to replace MD5 with SHA256 in all those places - and, in case 4, it appears I may not have needed to change the code; but the DSL function is still called md5, and MD5 is still named in some of the messages. My changes lack the refinement necessary to be useful to others.

      What I think I need is to be able to say, in one place like puppet.conf, "use SHA256, not MD5," and algorithms and messages alike will change. I think the `md5` DSL function would need to be replaced with a `digest` function which uses the configured algorithm, and there should also be a way in the DSL to find out which digest is being used, like a `digestname` function.

      Then, in some years when SHA2 is decertified, I can tell Puppet, "use SHA3, not SHA2," instead of filing an issue like this one and doing code changes. (I don't know what migration issues this scenario may pose.)

      [How can I make Red Hat Enterprise Linux 5 FIPS 140-2 compliant?](https://access.redhat.com/kb/docs/DOC-39230) (Red Hat login required)

      Attachments

        Issue Links

          blocks

          Bug - A problem which impairs or prevents the functions of the product. ENTERPRISE-65 PE not currently functional on systems that lack MD5 functions in OpenSSL

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. PUP-2427 Pluginsync will download every file every time if digest_algorithms do not agree

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. PUP-4963 "puppet module build" fails on FIPS-enabled system

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Closed

          New Feature - A new feature of the product, which has yet to be developed. PUP-2511 Add parser function digest: uses digest_algorithm to hash, not strictly md5

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. PUP-2420 CRLs should be signed with SHA256 when available

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. PUP-2423 Filebucket server should warn, not fail, if checksum type is not supported

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Closed

          [Puppet Labs Redmine] Redmine (#6663) puppet.conf says keylength defaults to 1024 -- should be 2048

          [Puppet Labs Redmine] Redmine (#13435) CSRs should be signed with SHA1, not MD5

          [Puppet Labs Redmine] Redmine (#17295) Puppet not honouring --digest

          [Puppet Labs Redmine] Redmine (#21029) Allow control over the digest used to create CA certificates

          [Puppet Labs Redmine] Redmine (#21257) Add a configuration option for the digest algorithm used by the CA to sign certificates

          clones

          [Puppet Labs Redmine] Redmine (#8120) Let user change hashing algorithm, to avoid crashing on FIPS-compliant hosts

          links to

          Web Link GH PR #2451

          Web Link GH PR #2452 (Part 2)

          Web Link GH PR #2453 (Part 3)

          Web Link Puppet PR/2537 (supersedes GH-2452)

          Activity

            People

              Unassigned Unassigned
              redmine.exporter redmine.exporter
              Votes:
              3 Vote for this issue
              Watchers:
              13 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Zendesk Support