Jira (PUP-4963) puppet module build fails on FIPS-enabled system

2015-07-30 Thread Jared Jennings (JIRA)

Jared Jennings created an issue

Puppet / PUP-4963

puppet module build fails on FIPS-enabled system

Issue Type: Bug
Affects Versions: PUP 3.7.4
Assignee: Unassigned
Components: Modules
Created: 2015/07/30 3:39 PM
Environment:
RHEL Workstation 6.6, configured for FIPS compliance.
It appears you can trip this bug without the toil of complete compliance by setting OPENSSL_FORCE_FIPS_MODE=foo in your environment. Any value set for this variable turns on the behavior; to turn it off you must unset the variable. You should also be able to replicate the behavior on CentOS or Fedora.
Labels: fips
Priority: Normal
Reporter: Jared Jennings

Jira (PUP-2511) Add parser function digest: uses digest_algorithm to hash, not strictly md5

2014-05-09 Thread Jared Jennings (JIRA)

Jared Jennings commented on an issue

Re-filed pull request, https://github.com/puppetlabs/puppet/pull/2624

Puppet / PUP-2511

Puppet has an md5 parser function, which returns the MD5 digest of its argument. On hosts configured for compliance with U.S. Federal Information Processing Standard (FIPS) 140-2, attempts to use the MD5 algorithm cause errors, because MD5 is no longer FIPS Approved. This patch adds a parser function called digest, which returns the digest of its arg...

This message was sent by Atlassian JIRA (v6.1.4#6159-sha1:44eaede)

-- 
You received this message because you are subscribed to the Google Groups Puppet Bugs group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-bugs@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-bugs.
For more options, visit https://groups.google.com/d/optout.


Jira (PUP-1840) Let user change hashing algorithm, to avoid crashing on FIPS-compliant hosts

2014-05-01 Thread Jared Jennings (JIRA)

Jared Jennings commented on an issue

About the digest parser function, I've replaced gh-2453 with gh-2603 https://github.com/puppetlabs/puppet/pull/2603.

Puppet / PUP-1840

I'm using Puppet in part to ensure [Federal Information Processing Standard 140-2](http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf) (FIPS 140-2) compliance on my network. Part of this compliance for the system underlying Puppet is to make sure that only [FIPS Approved](http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf) algo...

Jira (PUP-1840) Let user change hashing algorithm, to avoid crashing on FIPS-compliant hosts

2014-03-20 Thread Jared Jennings (JIRA)

Jared Jennings commented on an issue

Joseph Yaworski Wait, what, the interpreter dumps core?! That should already have been fixed in ruby-1.8.7.352-3.el6, years ago. But I have ruby-1.8.7.352-13.el6, and sure enough, it dumps core. That has to be fixed (again?) for Puppet to be able to detect at startup that it can't use MD5.

Jira (PUP-1840) Let user change hashing algorithm, to avoid crashing on FIPS-compliant hosts

2014-03-20 Thread Jared Jennings (JIRA)

Jared Jennings commented on an issue

Joseph Yaworski, oho, the crash that was fixed in 2011 was when you do

ruby -ropenssl -e "puts OpenSSL::Digest::MD5.new('hi').hexdigest"

The crash I see now is when I do

ruby -rdigest -e "puts Digest::MD5.new('hi').hexdigest"

Filed vendor bug https://bugzilla.redhat.com/show_bug.cgi?id=1079042 and upstream bug https://bugs.ruby-lang.org/issues/9659.

Jira (PUP-1840) Let user change hashing algorithm, to avoid crashing on FIPS-compliant hosts

2014-03-19 Thread Jared Jennings (JIRA)

Jared Jennings commented on an issue

I've redone the pull request against the current master branch of puppet, and, taking into consideration Adrien Thebo's concerns in https://github.com/puppetlabs/puppet/pull/1035, have split it into three pull requests.
https://github.com/puppetlabs/puppet/pull/2451 adds the SHA-256 algorithm to Puppet::Util::Checksums. I think it is entirely uncontroversial.
https://github.com/puppetlabs/puppet/pull/2452 makes the digest algorithm used for file checksums switchable, and doesn't deal with migration concerns, thus enabling users to shoot themselves in the foot. The digest_algorithm setting defaults to md5, as before, which someone said was dumb in the Redmine issue.
https://github.com/puppetlabs/puppet/pull/2453 adds a digest function, by analogy with the md5 function presently available in the Puppet DSL. digest computes a checksum using the presently configured digest_algorithm.

Jira (PUP-1840) Let user change hashing algorithm, to avoid crashing on FIPS-compliant hosts

2014-03-19 Thread Jared Jennings (JIRA)

Jared Jennings commented on an issue

Adrien Thebo, it's a splendid idea to bucket with multiple algorithms. I see two problems.

Whoever is concerned about migration will have some files already bucketed. Some tool would need to be made that could go through the whole file bucket directory and re-bucket all the files with a different algorithm.

When bucketing files with multiple algorithms, which ones should be used? In the FIPS 140-2 regime, I always want to move from MD5 to SHA-256; but when I enter super-awesome-secret-mode I may want to move from SHA-256 to Skein.

So let us assume a new `file_checksum_algorithms` (plural) setting, which names all the algorithms in play, with the one I'm trying to move toward listed first. The bucket is changed to store files using all algorithms named. When it is searching for a file, it looks using each algorithm in `file_checksum_algorithms`*, in order. Let us also assume the rebucketing tool exists.
Given those things, if I want to migrate to a new file checksum algorithm, I do these things:

I upgrade Puppet to the new version that contains all this code we're talking about, on all of my hosts.

I contrive to set `file_checksum_algorithms = sha256, md5` in the puppet.conf on all of my hosts. The bucket begins storing files using both algorithms. *Most files sought by the bucket at this stage are not found using SHA-256, but are found using MD5.

On every host with a bucket, I run the re-bucketing tool. As it runs, files begin being found using SHA-256; files not yet re-bucketed are still found using MD5.

Now every bucketed file can be found using SHA-256.

I contrive to set `file_checksum_algorithms = sha256` on all of my hosts.

Now I can safely configure the hosts for FIPS 140-2 compliance.

Now, Luke Schierer, it would be great for Puppet to simply handle this. Perhaps we could hard-code the equivalent of `file_checksum_algorithms = sha256, md5` in the scenario above, then try an MD5 checksum at startup time, and if it fails, don't try to do it thereafter. Then when storing or retrieving a bucketed file, we use all algorithms available, coolest first. This would make the bucket slower on non-compliant systems, because multiple checksums are being calculated; and the addition of the fallback may add some obscure security loophole. You would 
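
The migration sequence proposed in the comment above, as an added Ruby example that is not part of the original message and is not Puppet's file bucket code. The `ToyBucket` class, its method names and the sample file contents are hypothetical; `algorithms` stands in for the proposed `file_checksum_algorithms` setting.

```ruby
require 'digest'

# Toy in-memory bucket (hypothetical; not Puppet's file bucket code).
class ToyBucket
  # Lambdas keep MD5 untouched unless 'md5' is actually configured.
  HASHERS = {
    'md5'    => ->(data) { Digest::MD5.hexdigest(data) },
    'sha256' => ->(data) { Digest::SHA256.hexdigest(data) }
  }.freeze

  attr_accessor :algorithms # stands in for file_checksum_algorithms

  def initialize(algorithms, store = {})
    @algorithms = algorithms
    @store = store # "{algo}hexdigest" => file contents
  end

  def key(algo, data)
    "{#{algo}}#{HASHERS.fetch(algo).call(data)}"
  end

  # Store the contents under every configured algorithm.
  def backup(data)
    @algorithms.each { |algo| @store[key(algo, data)] = data }
  end

  # Return the first configured algorithm under which the contents are found.
  def found_with(data)
    @algorithms.find { |algo| @store.key?(key(algo, data)) }
  end

  # The re-bucketing tool: re-store every entry under the current list.
  def rebucket!
    @store.values.uniq.each { |data| backup(data) }
  end
end

# Constructed walk-through of the migration steps.
def migration_demo
  store = {}
  ToyBucket.new(['md5'], store).backup('old file') # bucketed before migration
  bucket = ToyBucket.new(%w[sha256 md5], store)     # sha256 first, md5 fallback
  before = bucket.found_with('old file')            # not yet re-bucketed
  bucket.rebucket!
  after = bucket.found_with('old file')
  bucket.algorithms = ['sha256']                    # md5 is never computed again
  [before, after, bucket.found_with('old file')]
end
```

Dropping `md5` from the list before running the re-bucketing step would leave the older entries unfindable, which is why the order of the steps matters.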

Jira (PUP-1840) Let user change hashing algorithm, to avoid crashing on FIPS-compliant hosts

2014-03-19 Thread Jared Jennings (JIRA)

Jared Jennings commented on an issue

I asked a while ago in the Redmine issue what the configuration setting should be called, and no one gave a passionate answer; I ended up calling it `digest_algorithm`. But I've seen the string `digest_algorithm` pop up in the SSL parts of the Puppet code. It needs to be clear that what we are configuring here is not the SSL bits, and the file resource and file bucket parts of Puppet call this thing a checksum not a digest, so now, if no one has an idea loudly, I think it should be called `file_checksum_algorithm`. I have not made this change in the code, though.