Puppet / PUP-4963

"puppet module build" fails on FIPS-enabled system

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: PUP 3.7.4
    • Fix Version/s: PUP 5.4.0
    • Component/s: Modules
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Puppet will now gracefully exit when running the puppet module tool on a FIPS-enabled system as MD5 checksums are not allowed.

      Description

      When I try to run puppet module build . to package up my module, the following messages happen:

      md5_dgst.c(78): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode!
      Aborted (core dumped)

      And it doesn't make the tar.gz I wanted it to.

      The Ruby code that causes the crash is the checksum method of the Puppet::ModuleTool::Checksums module, in lib/puppet/module_tool/checksums.rb. I looked in the source of 3.7.4, in my oldest copy of Puppet (2.7.something), and in the trunk on GitHub, and found in all places that the module_tool/checksums.rb solely uses MD5, which does not work in FIPS mode.

      In the case of Puppet itself (PUP-1840), the fix for the failure of MD5 under FIPS mode was to let FIPS users dictate the digest algorithm to be used at their own site. This issue, in contrast, appears to be a matter of the definition of a Puppet module, and therefore necessarily global. Does the definition of checksums.json allow solely for MD5 checksums?

      Aside: My Ruby interpreter (1.8.7.374-4.el6_6), like all Ruby interpreters, has the bug reported at https://bugs.ruby-lang.org/issues/9659, which makes the Ruby interpreter crash when Digest::MD5 is used in FIPS mode, instead of raising an exception. You may note that the issue has languished, even though a patch has been provided. If anyone else, who worked for a company that uses Ruby a lot, were to want this rough edge of Ruby filed off, they may want to tell the Ruby folks.

      To get the Ruby backtrace, I ran `puppet module build` inside gdb, and used the trick from http://weblog.jamisbuck.org/2006/9/22/inspecting-a-live-ruby-process to get the Ruby backtrace. On a 64-bit system, I had to use "long" instead of "int", 16 instead of 8, and 24 instead of 12.
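The two behaviours discussed above (MD5 aborting the interpreter under FIPS, and the alternative of a site-selectable digest as in PUP-1840) can be shown with a small checksum routine. The following Ruby is an added example written for this page; it is not Puppet's module tool code and does not reproduce Puppet's checksums.json layout beyond the assumed "relative path => hex digest" shape. It assumes `OpenSSL.fips_mode` from Ruby's openssl extension is available to detect FIPS mode; the helper names (`digest_for`, `module_checksums`, `build_or_fail`) are hypothetical. The point is to refuse MD5 before `Digest::MD5` is ever touched, so the tool exits with a message instead of a core dump, and to let the caller pick an approved digest instead.

```ruby
require 'openssl'
require 'digest'
require 'json'
require 'tmpdir'
require 'fileutils'

# Raised instead of letting Digest::MD5 abort the interpreter under FIPS mode.
class FipsDigestError < StandardError; end

# Digests a FIPS-validated OpenSSL will still perform. MD5 is deliberately absent.
FIPS_APPROVED = %w[sha256 sha512].freeze

# Ask OpenSSL whether it is running in FIPS mode. OpenSSL.fips_mode is provided
# by Ruby's openssl extension and is false on ordinary (non-FIPS) builds.
def fips_enabled?
  OpenSSL.respond_to?(:fips_mode) && OpenSSL.fips_mode ? true : false
rescue StandardError
  false
end

# Pick a Digest class by name, refusing non-approved algorithms up front when
# FIPS is on. The check happens before any digest object is created, because
# on the affected Ruby/OpenSSL builds creating Digest::MD5 is what crashes.
def digest_for(algorithm, fips:)
  algo = algorithm.to_s.downcase
  if fips && !FIPS_APPROVED.include?(algo)
    raise FipsDigestError,
          "digest #{algo} is forbidden in FIPS mode; use one of #{FIPS_APPROVED.join(', ')}"
  end
  case algo
  when 'md5'    then Digest::MD5
  when 'sha256' then Digest::SHA256
  when 'sha512' then Digest::SHA512
  else raise ArgumentError, "unsupported digest #{algo}"
  end
end

# Walk a module directory and return { relative_path => hex digest } for every
# regular file, sorted so the output is stable. The algorithm is a caller
# choice (site policy), defaulting to MD5 like the historical tool did.
def module_checksums(module_dir, algorithm: 'md5', fips: fips_enabled?)
  digest = digest_for(algorithm, fips: fips)
  files = Dir.glob(File.join(module_dir, '**', '*')).select { |p| File.file?(p) }.sort
  files.each_with_object({}) do |path, sums|
    rel = path[(module_dir.length + 1)..-1]
    sums[rel] = digest.file(path).hexdigest
  end
end

# The "graceful exit" shape: return [json, nil] on success, or [nil, message]
# when the digest is not usable, so the CLI layer can print and exit non-zero
# instead of dumping core.
def build_or_fail(module_dir, **opts)
  [JSON.pretty_generate(module_checksums(module_dir, **opts)), nil]
rescue FipsDigestError => e
  [nil, "puppet module build: #{e.message}"]
end

# Constructed sample module tree, used only for the demo run below.
def demo
  Dir.mktmpdir('fipsmod') do |dir|
    FileUtils.mkdir_p(File.join(dir, 'manifests'))
    File.write(File.join(dir, 'manifests', 'init.pp'), 'hello')
    File.write(File.join(dir, 'README.md'), '')
    json, err = build_or_fail(dir, algorithm: 'md5')
    if err
      warn err
      false
    else
      puts json
      true
    end
  end
end

demo if $PROGRAM_NAME == __FILE__
```

On a non-FIPS host the demo prints MD5 checksums; on a FIPS host the same call returns an error message and a false result, which is the behaviour the fix version describes. Passing `algorithm: 'sha256'` works in both modes, which is the PUP-1840 style of resolution the reporter contrasts with the fixed definition of checksums.json.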


People

• Assignee: jayant.sane Jayant Sane
• Reporter: jared.jennings.ctr Jared Jennings
• QA Contact: Eric Thompson
