Details
-
Type:
Bug
-
Status: Closed
-
Priority:
Normal
-
Resolution: Fixed
-
Affects Version/s: PUP 3.7.4
-
Fix Version/s: PUP 5.4.0
-
Component/s: Modules
-
Labels:
-
Environment:
RHEL Workstation 6.6, configured for FIPS compliance.
It appears you can trip this bug without the toil of complete compliance by setting OPENSSL_FORCE_FIPS_MODE=foo in your environment. Any value set for this variable turns on the behavior; to turn it off you must unset the variable. You should also be able to replicate the behavior on CentOS or Fedora.
RHEL Workstation 6.6, configured for FIPS compliance. It appears you can trip this bug without the toil of complete compliance by setting OPENSSL_FORCE_FIPS_MODE=foo in your environment. Any value set for this variable turns on the behavior; to turn it off you must unset the variable. You should also be able to replicate the behavior on CentOS or Fedora.
-
Template:
-
Epic Link:
-
Sub-team:
-
Team:Platform Core
-
Sprint:Platform Core KANBAN
-
Release Notes:Bug Fix
-
Release Notes Summary:Puppet will now gracefully exit when running the puppet module tool on a FIPS-enabled system as MD5 checksums are not allowed.
Description
When I try to run puppet module build . to package up my module, the following messages happen:
md5_dgst.c(78): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode!
|
Aborted (core dumped)
|
And it doesn't make the tar.gz I wanted it to.
The Ruby code that causes the crash
is the checksum method of the Puppet::ModuleTool::Checksums module, in lib/puppet/module_tool/checksums.rb. I looked in the source of 3.7.4, in my oldest copy of Puppet (2.7.something), and in the trunk on GitHub, and found in all places that the module_tool/checksums.rb solely uses MD5, which does not work in FIPS mode.
In the case of Puppet itself (PUP-1840), the fix for the failure of MD5 under FIPS mode was to let FIPS users dictate the digest algorithm to be used at their own site. This issue, in contrast, appears to be a matter of the definition of a Puppet module, and therefore necessarily global. Does the definition of checksums.json allow solely for MD5 checksums?
Aside: My Ruby interpreter (1.8.7.374-4.el6_6), like all Ruby interpreters, has the bug reported at https://bugs.ruby-lang.org/issues/9659, which makes the Ruby interpreter crash when Digest::MD5 is used in FIPS mode, instead of raising an exception. You may note that the issue has languished, even though a patch has been provided. If anyone else, who worked for a company that uses Ruby a lot, were to want this rough edge of Ruby filed off, they may want to tell the Ruby folks.
To get the Ruby backtrace, I ran `puppet module build` inside gdb, and used the trick from http://weblog.jamisbuck.org/2006/9/22/inspecting-a-live-ruby-process to get the Ruby backtrace. On a 64-bit system, I had to use "long" instead of "int", 16 instead of 8, and 24 instead of 12.
Attachments
Issue Links
- relates to
-
PUP-8378 Intercept use of any prohibited algorithms/operations in FIPS mode to provide graceful error messages
-
- Closed
-
-
FORGE-20 Site and tool should support signing or hashing module files
-
- Reopened
-
-
-
- Closed
-
