Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-8378

Intercept use of any prohibited algorithms/operations in FIPS mode to provide graceful error messages

    XMLWordPrintable

    Details

    • Type: Task
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 5.4.0
    • Component/s: None
    • Labels:
      None
    • Template:
    • Acceptance Criteria:
      Hide

      Puppet acceptance test pass against the redhat fips image in vmpooler.

      Show
      Puppet acceptance test pass against the redhat fips image in vmpooler.
    • Epic Link:
    • Sub-team:
    • Team:
      Platform Core
    • Story Points:
      2
    • Sprint:
      Platform Core KANBAN
    • Release Notes:
      New Feature
    • Release Notes Summary:
      Hide
      When running on a FIPS enabled host, puppet will change the default values for digest_algorithm and supported_checksum_types to use SHA256 instead of MD5, as the latter is not FIPS compliant. Puppet will also emit errors and gracefully exit if configured to use MD5 algorithms.
      Show
      When running on a FIPS enabled host, puppet will change the default values for digest_algorithm and supported_checksum_types to use SHA256 instead of MD5, as the latter is not FIPS compliant. Puppet will also emit errors and gracefully exit if configured to use MD5 algorithms.
    • QA Risk Assessment:
      No Action

      Description

      Puppet 5.4.0:
      N/A:
      Redhat7- FIPS mode:

      FIPS mode prohibits use of certain algorithms e.g. MD5 (as applicable to puppet currently) and any attempt to use them results in abrupt program termination or abort. While customers using Puppet agents on FIPS mode platforms should be aware of such limitations there might be un-intentional usages which will result in user un-friendly errors.
      We need to intercept any such prohibited usages at runtime and provide graceful error messages.
      Create a manifest with a file resource while setting its checksum attribute to md5 and attempt applying it on agent in fips mode.

      Expected: Provide a graceful error while disallowing the operation.

      Actual: Error "md5_dgst.c(82): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode!
      Aborted"

        Attachments

          Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. PUP-4963 "puppet module build" fails on FIPS-enabled system

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Closed

          Task - A task that needs to be done. PUP-8141 Replace hardcoded use of md5 for FIPS compliance

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Closed

            Activity

              People

              Assignee:
              eric.delaney Eric Delaney
              Reporter:
              jayant.sane Jayant Sane
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Zendesk Support