Puppet / PUP-8141

Replace hardcoded use of md5 for FIPS compliance


    Details

    • Type: Task
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 5.4.0
    • Component/s: None
    • Labels: None
    • Acceptance Criteria:
      All puppet flows, except any module flows, should work in a mixed environment:
      current puppet agents (not running in FIPS) and FIPS agents. Specifically:

      • Master's global digest_algorithm can be the default md5
      • FIPS versions of agents should be provisioned using file resources with the different source attributes of http, puppet and from within a module.
      • If possible, the case of upgrading an existing agent to a FIPS version
    • Team:
      Platform Core
    • Story Points:
      4
    • Release Notes:
      New Feature
    • Release Notes Summary:
      When puppet is running on a FIPS enabled platform, it will modify its default digest_algorithm and supported_checksum_types settings to exclude MD5, as that is not a FIPS compliant algorithm. By default puppet will use SHA256 when managing file resources, including filebucketing. It will also affect the values returned by the `fqdn_rand` function. Some puppet module tool actions, e.g. install, are unsupported when FIPS is enabled due to the module tool's reliance on MD5.
    • QA Risk Assessment:
      No Action

      Description

      There are a couple of instances where MD5 is hard-coded in puppet. FIPS compliant versions of agents need to use one of the FIPS approved algorithms instead.
      The following places need to be changed:
      1. Agents processing file resources that specify http as their source need to accept checksums computed with a hash algorithm other than MD5.
      2. fqdn_rand
      3. Files synced to agents via the plugin-sync mechanism are checksummed using MD5. That needs to be overridden to use a FIPS approved algorithm.
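
      A FIPS-aware checksum helper in Ruby, added here to illustrate the behaviour the ticket describes; it is not Puppet's own implementation. The `{type}hexdigest` checksum string format, the `fips_enabled` flag and the `fqdn_rand_like` construction are assumptions of this example.

```ruby
require 'openssl'

# Added illustration, not Puppet's code: a FIPS-aware checksum helper that
# mirrors the behaviour PUP-8141 describes. The "{type}hexdigest" checksum
# string format and the fips_enabled flag are assumptions of this example.
FIPS_CHECKSUM_TYPES     = %w[sha256 sha384 sha512].freeze
NON_FIPS_CHECKSUM_TYPES = (FIPS_CHECKSUM_TYPES + %w[md5]).freeze

# Checksum types an agent may accept for http/puppet file sources.
def supported_checksum_types(fips_enabled)
  fips_enabled ? FIPS_CHECKSUM_TYPES : NON_FIPS_CHECKSUM_TYPES
end

# Default digest: SHA256 under FIPS, the historical MD5 otherwise.
def default_digest_algorithm(fips_enabled)
  fips_enabled ? 'sha256' : 'md5'
end

# Build a "{type}hex" checksum string for file content.
def checksum_for(content, type)
  "{#{type}}#{OpenSSL::Digest.new(type).hexdigest(content)}"
end

# Split "{type}hex" into [type, hex]; malformed input raises ArgumentError.
def parse_checksum(str)
  m = /\A\{([a-z0-9]+)\}([0-9a-f]+)\z/.match(str)
  raise ArgumentError, "malformed checksum: #{str.inspect}" unless m
  [m[1], m[2]]
end

# Check downloaded content against an offered checksum. Returns :ok,
# :mismatch, or :unsupported_type (e.g. an MD5 checksum handed to a FIPS
# agent, which must be refused rather than silently computed).
def verify_checksum(content, checksum_str, fips_enabled)
  type, expected = parse_checksum(checksum_str)
  return :unsupported_type unless supported_checksum_types(fips_enabled).include?(type)
  OpenSSL::Digest.new(type).hexdigest(content) == expected ? :ok : :mismatch
end

# fqdn_rand-style deterministic value: digest of "hostname:seed" reduced mod max.
# The construction is an assumption; it only shows why switching the default
# digest changes the values returned on FIPS hosts.
def fqdn_rand_like(max, hostname, seed, fips_enabled)
  alg = default_digest_algorithm(fips_enabled)
  OpenSSL::Digest.new(alg).hexdigest("#{hostname}:#{seed}").to_i(16) % max
end
```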

              People

              Assignee:
              Unassigned
              Reporter:
              jayant.sane Jayant Sane