Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-8378

Intercept use of any prohibited algorithms/operations in FIPS mode to provide graceful error messages

    Details

    • Type: Task
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 5.4.0
    • Component/s: None
    • Labels:
      None
    • Template:
    • Acceptance Criteria:
      Hide

      Puppet acceptance test pass against the redhat fips image in vmpooler.

      Show
      Puppet acceptance test pass against the redhat fips image in vmpooler.
    • Team:
      Platform Core
    • Sub-team:
    • Story Points:
      2
    • Sprint:
      Platform Core KANBAN
    • Release Notes:
      New Feature
    • Release Notes Summary:
      Hide
      When running on a FIPS enabled host, puppet will change the default values for digest_algorithm and supported_checksum_types to use SHA256 instead of MD5, as the latter is not FIPS compliant. Puppet will also emit errors and gracefully exit if configured to use MD5 algorithms.
      Show
      When running on a FIPS enabled host, puppet will change the default values for digest_algorithm and supported_checksum_types to use SHA256 instead of MD5, as the latter is not FIPS compliant. Puppet will also emit errors and gracefully exit if configured to use MD5 algorithms.
    • QA Risk Assessment:
      Needs Assessment

      Description

      Puppet 5.4.0:
      N/A:
      Redhat7- FIPS mode:

      FIPS mode prohibits use of certain algorithms e.g. MD5 (as applicable to puppet currently) and any attempt to use them results in abrupt program termination or abort. While customers using Puppet agents on FIPS mode platforms should be aware of such limitations there might be un-intentional usages which will result in user un-friendly errors.
      We need to intercept any such prohibited usages at runtime and provide graceful error messages.
      Create a manifest with a file resource while setting its checksum attribute to md5 and attempt applying it on agent in fips mode.

      Expected: Provide a graceful error while disallowing the operation.

      Actual: Error "md5_dgst.c(82): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode!
      Aborted"

        Attachments

          Issue Links

            Activity

              jsd-sla-details-panel

                People

                • Assignee:
                  eric.delaney Eric Delaney
                  Reporter:
                  jayant.sane Jayant Sane
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  4 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: