[3006.x] Enable fips supported algorithms #66589

Merged: 28 commits, Jun 19, 2024

@dwoz (Contributor) commented May 23, 2024

What does this PR do?

Prevent the use of non-FIPS-approved algorithms when FIPS is enabled.

  • Migrate salt/crypt.py to cryptography which validates the use of FIPS algorithms
  • Add configuration for master and minion to use FIPS approved algorithms

What issues does this PR fix or reference?

Fixes: #66579

Previous Behavior

Crypto libraries PyCrypto, PyCryptodome, and M2Crypto would not properly enforce that FIPS compliant algorithms are used. There was no way to use FIPS compliant algorithms.

New Behavior

Python cryptography properly enforces that only FIPS compliant libraries are used when the FIPS provider is enabled. Salt masters and minions are able to be configured to use FIPS compliant libraries.

Merge requirements satisfied?

[NOTICE] Bug fixes or features added to Salt require tests.

@dwoz dwoz requested a review from a team as a code owner May 23, 2024 22:09
@dwoz dwoz requested review from twangboy and removed request for a team May 23, 2024 22:09
@salt-project-bot-prod-environment salt-project-bot-prod-environment bot changed the title Enable fips supported algorithms [3006.x] Enable fips supported algorithms May 23, 2024
@dwoz dwoz changed the title [3006.x] Enable fips supported algorithms [wip] Enable fips supported algorithms May 23, 2024
@dwoz dwoz changed the title [wip] Enable fips supported algorithms [wip] [3006.x] Enable fips supported algorithms May 23, 2024
dwoz added 3 commits June 5, 2024 15:40
Provide helpful log messages on the master and minions if a minion uses
signing or encryption that is not supported by the master.
@dwoz dwoz changed the title [wip] [3006.x] Enable fips supported algorithms [3006.x] Enable fips supported algorithms Jun 5, 2024
@dwoz dwoz requested review from s0undt3ch and twangboy June 5, 2024 23:19
@dwoz dwoz dismissed stale reviews from s0undt3ch and twangboy June 5, 2024 23:20

Fixed issues

@dwoz dwoz merged commit ecd9205 into saltstack:3006.x Jun 19, 2024
278 checks passed
Labels
test:full Run the full test suite