Chef not honouring FIPS requirement #8009

Open
frezbo opened this Issue Dec 3, 2018 · 8 comments

@frezbo

frezbo commented Dec 3, 2018

Description

https://github.com/chef/chef/blob/master/chef-config/lib/chef-config/config.rb#L1132 is not a proper FIPS fix. Ruby compiled with OpenSSL FIPS and OpenSSL.fips_mode already being true would fail a call to OpenSSL::Digest::MD5.new. E.g.:

[ec2-user@ip-10-17-142-203 berkshelf]$ irb
2.4.4 :001 > require 'digest'
 => true 
2.4.4 :002 > Digest::MD5.new
md5_dgst.c(82): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode!
Aborted

Chef Version

[ec2-user@ip-10-17-142-203 ~]$ chef -v
Chef Development Kit Version: 3.3.23
chef-client version: 14.5.33
delivery version: master (6862f27aba89109a9630f0b6c6798efec56b4efe)
berks version: 7.0.6
kitchen version: 1.23.2
inspec version: 2.2.112
[ec2-user@ip-10-17-142-203 ~]$ 

Platform Version

[ec2-user@ip-10-17-142-203 ~]$ cat /etc/*-release
NAME="Red Hat Enterprise Linux Server"
VERSION="7.6 (Maipo)"
ID="rhel"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="7.6"
PRETTY_NAME="Red Hat Enterprise Linux Server 7.6 (Maipo)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:7.6:GA:server"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 7"
REDHAT_BUGZILLA_PRODUCT_VERSION=7.6
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="7.6"
Red Hat Enterprise Linux Server release 7.6 (Maipo)
Red Hat Enterprise Linux Server release 7.6 (Maipo)
[ec2-user@ip-10-17-142-203 ~]$ uname -a
Linux ip-10-17-142-203.ec2.internal 3.10.0-957.1.3.el7.x86_64 #1 SMP Thu Nov 15 17:36:42 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[ec2-user@ip-10-17-142-203 ~]$ openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
@frezbo

frezbo commented Dec 3, 2018

Anything more I can do to help?

@lamont-granquist

Contributor

lamont-granquist commented Dec 3, 2018

That seems to date back to https://blog.chef.io/2016/03/16/fips-support-now-generally-available-in-chef-client-12-8/ at least, to wit:

"A current exception for Chef is the use of MD5 hashes to uniquely identify files stored on the Chef Server. MD5 is used only to generate unique hash IDs for files, and is not used for any cryptographic purpose. Nevertheless, Chef is investigating the effort required to replace this implementation with a FIPS-compatible algorithm."

@lamont-granquist

Contributor

lamont-granquist commented Dec 3, 2018

Bigger issue here is that the chef-server doesn't seem to support anything other than md5 checksums -- unless that feature has been merged by the server team but the chef-side of the code was dropped and never completed -- tagging @jaym and @stevendanna to see if they know what happened there.

@lamont-granquist

Contributor

lamont-granquist commented Dec 3, 2018

@frezbo does knife cookbook upload (or download) also have the same error?

@stevendanna

Member

stevendanna commented Dec 5, 2018

I will need to do some archeology. I know in the past we were still using MD5 in FIPS mode in Chef Server via a non-openssl implementation.

@lamont-granquist

Contributor

lamont-granquist commented Dec 7, 2018

Oh @stevendanna, I already did the archaeology. We do, and patch up so that it uses ruby's internal Digest::MD5 class. The current working theory is that some distros ship ruby built where that just points at openssl, so fips enabled openssl just barfs. It shouldn't affect omnibus builds though.
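The failure mode described in this thread (Digest::MD5 backed by a FIPS-mode OpenSSL, so the process aborts instead of raising) is illustrated by the following added Ruby example. It is not Chef's or Berkshelf's code; the module and method names are hypothetical, and the only FIPS signal it trusts is OpenSSL.fips_mode, never a trial call to MD5.

```ruby
require 'digest'
require 'stringio'
begin
  require 'openssl'
rescue LoadError
  # Ruby built without the openssl extension: no FIPS mode to query.
end

# Hypothetical helper (added example, not Chef code): pick a file-identification
# digest that is safe to call when the linked OpenSSL runs in FIPS mode.
module FipsAwareChecksum
  # True only when OpenSSL reports FIPS mode on; absent/unsupported means "off".
  def self.fips_mode?
    defined?(OpenSSL) ? OpenSSL.fips_mode : false
  rescue NotImplementedError, NoMethodError
    false
  end

  # Probing MD5 at runtime is not an option: when Digest::MD5 is backed by a
  # FIPS-mode OpenSSL, MD5.new fails a C assertion and aborts the whole process
  # (there is no Ruby exception to rescue). So decide from fips_mode? alone.
  def self.algorithm(fips: fips_mode?)
    fips ? 'sha256' : 'md5'
  end

  def self.digest_class(algo)
    case algo
    when 'md5'    then Digest::MD5
    when 'sha256' then Digest::SHA256
    else raise ArgumentError, "unsupported checksum algorithm: #{algo}"
    end
  end

  # Returns "algo:hex" so a consumer can tell which digest produced the value
  # instead of assuming every 32-character hex checksum is MD5.
  def self.checksum(io_or_string, fips: fips_mode?)
    algo = algorithm(fips: fips)
    dgst = digest_class(algo).new
    if io_or_string.respond_to?(:read)
      while (chunk = io_or_string.read(64 * 1024))
        dgst.update(chunk)
      end
    else
      dgst.update(io_or_string)
    end
    "#{algo}:#{dgst.hexdigest}"
  end
end
```

On a host whose Ruby is built against an OpenSSL FIPS module, the `fips: false` path must never be forced; the default picks SHA-256 there, which is the whole point.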

@frezbo

frezbo commented Dec 8, 2018

@lamont-granquist I will close this and track further in berkshelf/berkshelf#1802.

@frezbo frezbo closed this Dec 8, 2018

@frezbo frezbo reopened this Dec 8, 2018

@frezbo frezbo closed this Dec 8, 2018

@frezbo frezbo reopened this Dec 8, 2018

@frezbo

frezbo commented Dec 8, 2018

Oops. I meant to close berkshelf/berkshelf#1802.

Can we track this as an RFC? @robbkidd @lamont-granquist
