Issue #8120 has been updated by jared jennings.

Daniel Pittman wrote:

> (Also, wouldn't it be nice if the FIPS version of OpenSSL wouldn't just
> terminate the application? Oh, well. It is more secure.)

That's a good point. [OpenSSL FIPS User Guide](http://www.openssl.org/docs/fips/UserGuide.pdf), sec. 2.6.2: "By design, the OpenSSL API attempts to disable non-FIPS algorithms, when in FIPS mode, at the EVP [envelope, I believe] level and via most low level function calls. Failure to check the return code from low level functions could result in unexpected behavior..."

The SIGSEGV I saw came when a null function pointer was called. That function pointer was in a structure describing the hash algorithm in use, which had been returned from an OpenSSL get_me_the_algorithm("MD5") kind of call.

The SIGABRT I saw went like this:

<pre>
digest.c(149): OpenSSL internal error, assertion failed: Digest init previous FIPS forbidden algorithm error ignored
Aborted
</pre>

So it seems that application termination could be averted, by improving Ruby's openssl module. My ruby-talk searches have turned up only one person mentioning FIPS compliance, who was never answered, so there's room for improvement here. I guess I'll bring this up on ruby-talk.

----------------------------------------
Feature #8120: Let user change hashing algorithm, to avoid crashing on FIPS-compliant hosts
https://projects.puppetlabs.com/issues/8120

Author: jared jennings
Status: Unreviewed
Priority: Normal
Assignee: Nigel Kersten
Category: security
Target version:
Affected Puppet version:
Keywords:
Branch:

I'm using Puppet in part to ensure [Federal Information Processing Standard 140-2](http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf) (FIPS 140-2) compliance on my network. Part of this compliance for the system underlying Puppet is to make sure that only [FIPS Approved](http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf) algorithms are used. OpenSSL does this by ensuring that any attempts to run an unapproved algorithm result in either a SIGSEGV or a SIGABRT.

MD5 has been broken enough that it is no longer a FIPS Approved algorithm. The consequence for Puppet is that, if it tries to use MD5 on a FIPS-compliant system, it will crash.

Here is where I have seen Puppet crash for this reason:

1. the puppet/util/checksums.rb, used by File resources;
2. the puppet/parser/functions/md5.rb, implementation of the md5 DSL function;
3. certificate signature in puppet/ssl/certificate_request.rb;
4. certificate fingerprinting in puppet/ssl/base.rb;
5. outside Puppet, in the session ID code in openssl/ssl-internal.rb, class OpenSSL::SSLServer, due to using WEBrick.

It was easy enough to replace MD5 with SHA256 in all those places - and, in case 4, it appears I may not have needed to change the code; but the DSL function is still called md5, and MD5 is still named in some of the messages. My changes lack the refinement necessary to be useful to others.

What I think I need is to be able to say, in one place like puppet.conf, "use SHA256, not MD5," and algorithms and messages alike will change. I think the `md5` DSL function would need to be replaced with a `digest` function which uses the configured algorithm, and there should also be a way in the DSL to find out which digest is being used, like a `digestname` function.

Then, in some years when SHA2 is decertified, I can tell Puppet, "use SHA3, not SHA2," instead of filing an issue like this one and doing code changes. (I don't know what migration issues this scenario may pose.)

[How can I make Red Hat Enterprise Linux 5 FIPS 140-2 compliant?](https://access.redhat.com/kb/docs/DOC-39230) (Red Hat login required)
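One way the single-setting `digest` / `digestname` idea proposed in the issue could look, as an added example that is not part of the original message and is not Puppet's code. The class name `DigestConfig`, the `APPROVED` list, the `verify` method and the `{name}hex` storage format are all assumptions made for illustration; the prefix is there so stored values survive a later change of algorithm.

```ruby
require "openssl"

# Hypothetical helper: every name here is made up for this example.
class DigestConfig
  # Constructed allow-list for the example, not an official FIPS list.
  APPROVED = %w[sha256 sha384 sha512].freeze

  # The "digestname" the issue asks for: which algorithm is configured.
  attr_reader :digestname

  # algorithm is meant to come from one setting (for instance a
  # puppet.conf-style key, which is an assumption of this example).
  def initialize(algorithm, fips: true)
    name = algorithm.to_s.downcase
    if fips && !APPROVED.include?(name)
      # Refuse in Ruby, so the request never reaches the OpenSSL call
      # that ends in SIGSEGV or SIGABRT on a FIPS host.
      raise ArgumentError, "digest #{name.inspect} is not allowed in FIPS mode"
    end
    OpenSSL::Digest.new(name) # raises if OpenSSL does not know the name
    @digestname = name
    @fips = fips
  end

  # The "digest" function: returns "{sha256}<hex>", so each stored value
  # records which algorithm produced it.
  def digest(data)
    "{#{@digestname}}" + OpenSSL::Digest.new(@digestname).hexdigest(data)
  end

  # Checks a stored value using the algorithm named in its own prefix.
  # Values made with a now-unapproved algorithm are reported, not computed.
  def verify(stored, data)
    m = /\A\{([a-z0-9]+)\}([0-9a-f]+)\z/.match(stored)
    return :malformed unless m
    return :unapproved if @fips && !APPROVED.include?(m[1])
    OpenSSL::Digest.new(m[1]).hexdigest(data) == m[2] ? :match : :mismatch
  end
end
```

A `:unapproved` result marks a value that has to be recomputed with the configured algorithm, which is one form the migration question raised in the issue can take.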
