[PUP-4963] "puppet module build" fails on FIPS-enabled system Created: 2015/07/30  Updated: 2018/02/15  Resolved: 2018/01/29

Status: Closed
Project: Puppet
Component/s: Modules
Affects Version/s: PUP 3.7.4
Fix Version/s: PUP 5.4.0

Type: Bug Priority: Normal
Reporter: Jared Jennings Assignee: Jayant Sane
Resolution: Fixed Votes: 0
Labels: fips, help_wanted
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

RHEL Workstation 6.6, configured for FIPS compliance.

It appears you can trip this bug without the toil of complete compliance by setting OPENSSL_FORCE_FIPS_MODE=foo in your environment. Any value set for this variable turns on the behavior; to turn it off you must unset the variable. You should also be able to replicate the behavior on CentOS or Fedora.


Issue Links:
Relates
relates to PUP-8378 Intercept use of any prohibited algor... Closed
relates to FORGE-20 Site and tool should support signing ... Reopened
relates to PUP-1840 Let user change hashing algorithm, to... Closed
Template: PUP Bug Template
Epic Link: FIPS-Enabled Puppet
Team: Platform Core
Sub-team: Coremunity
Sprint: Platform Core KANBAN
Release Notes: Bug Fix
Release Notes Summary: Puppet will now gracefully exit when running the puppet module tool on a FIPS-enabled system as MD5 checksums are not allowed.
QA Contact: Eric Thompson

Description

When I try to run puppet module build . to package up my module, the following messages happen:

md5_dgst.c(78): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode!
Aborted (core dumped)

And it doesn't make the tar.gz I wanted it to.

The Ruby code that causes the crash is the checksum method of the Puppet::ModuleTool::Checksums module, in lib/puppet/module_tool/checksums.rb. I looked in the source of 3.7.4, in my oldest copy of Puppet (2.7.something), and in the trunk on GitHub, and found in all places that the module_tool/checksums.rb solely uses MD5, which does not work in FIPS mode.

In the case of Puppet itself (PUP-1840), the fix for the failure of MD5 under FIPS mode was to let FIPS users dictate the digest algorithm to be used at their own site. This issue, in contrast, appears to be a matter of the definition of a Puppet module, and therefore necessarily global. Does the definition of checksums.json allow solely for MD5 checksums?

Aside: My Ruby interpreter (1.8.7.374-4.el6_6), like all Ruby interpreters, has the bug reported at https://bugs.ruby-lang.org/issues/9659, which makes the Ruby interpreter crash when Digest::MD5 is used in FIPS mode, instead of raising an exception. You may note that the issue has languished, even though a patch has been provided. If anyone else, who worked for a company that uses Ruby a lot, were to want this rough edge of Ruby filed off, they may want to tell the Ruby folks.

To get the Ruby backtrace, I ran `puppet module build` inside gdb, and used the trick from http://weblog.jamisbuck.org/2006/9/22/inspecting-a-live-ruby-process to get the Ruby backtrace. On a 64-bit system, I had to use "long" instead of "int", 16 instead of 8, and 24 instead of 12.
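The failure described above is that Puppet::ModuleTool::Checksums calls Digest::MD5 unconditionally, and under FIPS the OpenSSL assertion aborts the whole interpreter rather than raising something Ruby could rescue, so the only safe pattern is to detect FIPS mode before touching MD5 and fail on purpose. The following is an added illustration of that pre-flight check, not Puppet's code; the module name, the in-memory file table and the exit-status wrapper are hypothetical, while OPENSSL_FORCE_FIPS_MODE comes from the ticket's Environment section and OpenSSL.fips_mode is the real query in Ruby's openssl extension.

```ruby
require 'digest/md5'
begin
  require 'openssl'
rescue LoadError
  # No openssl extension: we cannot ask OpenSSL, so only the env override applies.
end

# Hypothetical helper, not part of Puppet's module tool.
module FipsAwareChecksum
  class ForbiddenDigest < StandardError; end

  # True when MD5 would trip the OpenSSL assertion. Checked *before* any digest
  # call, because the assertion aborts the process instead of raising.
  def self.fips_mode?(env = ENV)
    return true if env.key?('OPENSSL_FORCE_FIPS_MODE') # any value switches FIPS on
    !!(defined?(OpenSSL) && OpenSSL.respond_to?(:fips_mode) && OpenSSL.fips_mode)
  rescue StandardError
    false
  end

  def self.md5_hexdigest(data, env = ENV)
    if fips_mode?(env)
      raise ForbiddenDigest, 'Digest MD5 forbidden in FIPS mode; cannot build module checksums'
    end
    Digest::MD5.hexdigest(data)
  end

  # Same shape as checksums.json: relative path => MD5 hex digest.
  # files is a constructed {path => content} table, so nothing is read from disk.
  def self.checksums(files, env = ENV)
    files.each_with_object({}) do |(path, content), sums|
      sums[path] = md5_hexdigest(content, env)
    end
  end

  # Graceful exit: a non-zero status and a message instead of "Aborted (core dumped)".
  def self.run(files, env = ENV)
    checksums(files, env)
    0
  rescue ForbiddenDigest => e
    warn "Error: #{e.message}"
    1
  end
end

if __FILE__ == $PROGRAM_NAME
  sample = { 'metadata.json' => '{"name":"example-mod"}', 'manifests/init.pp' => "class example {}\n" }
  exit FipsAwareChecksum.run(sample)
end
```

Run it with OPENSSL_FORCE_FIPS_MODE=foo in the environment to see the controlled failure path; unset the variable to get the normal checksum table.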



Comments
Comment by Ben Ford [ 2017/01/18 ]

puppet module install also fails in Puppet 3.8. Is this ticket still an issue on current Puppet?

[root@test-dib centos]# puppet module install --debug --verbose jfryman-selinux
Notice: Preparing to install into /etc/puppet/modules ...
Notice: Downloading from https://forgeapi.puppetlabs.com ...
Info: Resolving dependencies ...
Info: Preparing to install ...
md5_dgst.c(80): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode!
Abortado

Comment by Josh Cooper [ 2017/11/21 ]

ping Lindsey Smith, relates to PUP-7546

Comment by Josh Cooper [ 2018/01/18 ]

Merged to master in https://github.com/puppetlabs/puppet/commit/3f151a24e337d104c39a9cbf812821e4ac7915e4
