Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-8378

Intercept use of any prohibited algorithms/operations in FIPS mode to provide graceful error messages

          Details

          • Type: Task
          • Status: Closed
          • Priority: Normal
          • Resolution: Fixed
          • Affects Version/s: None
          • Fix Version/s: PUP 5.4.0
          • Component/s: None
          • Labels:
            None
          • Template:
          • Acceptance Criteria:
            Hide

            Puppet acceptance test pass against the redhat fips image in vmpooler.

            Show
            Puppet acceptance test pass against the redhat fips image in vmpooler.
          • Epic Link:
          • Sub-team:
          • Team:
            Platform Core
          • Story Points:
            2
          • Sprint:
            Platform Core KANBAN
          • Release Notes:
            New Feature
          • Release Notes Summary:
            Hide
            When running on a FIPS enabled host, puppet will change the default values for digest_algorithm and supported_checksum_types to use SHA256 instead of MD5, as the latter is not FIPS compliant. Puppet will also emit errors and gracefully exit if configured to use MD5 algorithms.
            Show
            When running on a FIPS enabled host, puppet will change the default values for digest_algorithm and supported_checksum_types to use SHA256 instead of MD5, as the latter is not FIPS compliant. Puppet will also emit errors and gracefully exit if configured to use MD5 algorithms.
          • QA Risk Assessment:
            Needs Assessment

            Description

            Puppet 5.4.0:
            N/A:
            Redhat7- FIPS mode:

            FIPS mode prohibits use of certain algorithms e.g. MD5 (as applicable to puppet currently) and any attempt to use them results in abrupt program termination or abort. While customers using Puppet agents on FIPS mode platforms should be aware of such limitations there might be un-intentional usages which will result in user un-friendly errors.
            We need to intercept any such prohibited usages at runtime and provide graceful error messages.
            Create a manifest with a file resource while setting its checksum attribute to md5 and attempt applying it on agent in fips mode.

            Expected: Provide a graceful error while disallowing the operation.

            Actual: Error "md5_dgst.c(82): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode!
            Aborted"

              Attachments

                Issue Links

                relates to

                Bug - A problem which impairs or prevents the functions of the product. PUP-4963 "puppet module build" fails on FIPS-enabled system

                • Normal - Regular issue, some loss of functionality under specific circumstances.
                • Closed

                Task - A task that needs to be done. PUP-8141 Replace hardcoded use of md5 for FIPS compliance

                • Normal - Regular issue, some loss of functionality under specific circumstances.
                • Closed

                  Activity

                    jsd-sla-details-panel

                      People

                      • Assignee:
                        eric.delaney Eric Delaney
                        Reporter:
                        jayant.sane Jayant Sane
                      • Votes:
                        0 Vote for this issue
                        Watchers:
                        4 Start watching this issue

                        Dates

                        • Created:
                          Updated:
                          Resolved: