MD5 is a blacklisted crypto in FIPS-enabled Kernels

Bug #1641556 reported by Luke Hinds
Affects: tripleo
Status: Incomplete
Importance: Medium
Assigned to: Unassigned

Bug Description

When enabling a FIPS Kernel, MD5 hashing operations are blocked:

os-collect-config: Traceback (most recent call last):
os-collect-config: File "/usr/bin/os-collect-config", line 10, in <module>
os-collect-config: sys.exit(__main__())
os-collect-config: File "/usr/lib/python2.7/site-packages/os_collect_config/collect.py", line 255, in __main__
os-collect-config: config_hash = getfilehash(config_files)
os-collect-config: File "/usr/lib/python2.7/site-packages/os_collect_config/collect.py", line 217, in getfilehash
os-collect-config: m = hashlib.md5()
os-collect-config: ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

MD5 is blocked, as it is susceptible to collision attacks.

Luke Hinds (lhinds)
Changed in tripleo:
importance: Undecided → Medium
status: New → Triaged
Luke Hinds (lhinds) wrote :

Note this bug has a wider impact, as it means any use of MD5 throughout OpenStack will be blocked.

Changed in tripleo:
assignee: nobody → Luke Hinds (lhinds)
Changed in tripleo:
milestone: none → ocata-3
Luke Hinds (lhinds)
Changed in tripleo:
milestone: ocata-3 → none
Changed in tripleo:
milestone: none → pike-1
Yolanda Robla (yolanda.robla) wrote :

Not only python is affected. I flagged md5 in python, to continue the deployment, but then got problems with puppet dependencies:

puppet module install stm/debconf
Notice: Preparing to install into /etc/puppet/modules ...
Notice: Downloading from https://forgeapi.puppetlabs.com ...
md5_dgst.c(80): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode!
Aborted

That's a dependency from the saz/timezone module

Yolanda Robla (yolanda.robla) wrote :

Following there is a dependency tree from the controller, with the failed modules:

[root@overcloud-controller-0 timezone]# puppet module list --tree
Warning: Module 'openstack-swift' (v10.1.0) fails to meet some dependencies:
  'openstack-glance' (v10.2.0) requires 'openstack-swift' (>=10.2.0 <11.0.0)
Warning: Module 'openstack-vswitch' (v6.1.0) fails to meet some dependencies:
  'openstack-neutron' (v10.2.0) requires 'openstack-vswitch' (>=6.2.0 <7.0.0)
Warning: Module 'puppet-corosync' (v5.0.0) fails to meet some dependencies:
  'openstack-openstack_extras' (v10.2.0) requires 'puppet-corosync' (>=0.1.0 <2.0.2)
Warning: Module 'puppetlabs-apache' (v1.11.0) fails to meet some dependencies:
  'thejandroman-kibana3' (v0.0.4) requires 'puppetlabs-apache' (>=0.10.0 <=1.6.0)
Warning: Module 'puppetlabs-tomcat' (v1.6.1) fails to meet some dependencies:
  'midonet-midonet' (v2015.6.9) requires 'puppetlabs-tomcat' (>=1.2.0 <1.5.0)
Warning: Module 'puppetlabs-vcsrepo' (v1.5.0) fails to meet some dependencies:
  'thejandroman-kibana3' (v0.0.4) requires 'puppetlabs-vcsrepo' (>=0.1.0 <=1.3.1)
Warning: Module 'puppetlabs-xinetd' (v2.0.0) fails to meet some dependencies:
  'openstack-ironic' (v10.2.0) requires 'puppetlabs-xinetd' (>=1.5.0 <2.0.0)
Warning: Module 'saz-memcached' (v3.0.1) fails to meet some dependencies:
  'openstack-horizon' (v10.2.0) requires 'saz-memcached' (>=2.0.2 <3.0.0)
  'openstack-swift' (v10.1.0) requires 'saz-memcached' (>=2.0.2 <3.0.0)
Warning: Missing dependency 'camptocamp-archive':
  'dfarrell07-opendaylight' (v3.7.2) requires 'camptocamp-archive' (v0.x)
Warning: Missing dependency 'camptocamp-systemd':
  'puppet-kafka' (v2.2.1-rc0) requires 'camptocamp-systemd' (>= 0.4.0 < 2.0.0)
Warning: Missing dependency 'ceritsc-yum':
  'elasticsearch-elasticsearch' (v0.15.1) requires 'ceritsc-yum' (>= 0.9.6)
Warning: Missing dependency 'joshuabaird-puppet-ipaclient':
  'openstack-nova' (v10.2.0) requires 'joshuabaird-puppet-ipaclient' (>=2.5.1)
Warning: Missing dependency 'lwf-remote_file':
  'sensu-sensu' (v2.2.0) requires 'lwf-remote_file' (>= 1.0.0 <2.0.0)
Warning: Missing dependency 'midonet-cassandra':
  'midonet-midonet' (v2015.6.9) requires 'midonet-cassandra' (>=1.0.0)
Warning: Missing dependency 'puppet-archive':
  'puppet-kafka' (v2.2.1-rc0) requires 'puppet-archive' (>= 1.0.0)
  'deric-zookeeper' (v0.7.1) requires 'puppet-archive' (>= 0.4.4 < 2.0.0)
Warning: Missing dependency 'puppet-staging':
  'puppetlabs-mysql' (v3.10.0) requires 'puppet-staging' (>= 1.0.1 < 3.0.0)
  'puppetlabs-rabbitmq' (v5.6.0) requires 'puppet-staging' (>=0.3.1 <2.0.0)
  'puppetlabs-tomcat' (v1.6.1) requires 'puppet-staging' (>= 0.4.1 < 2.0.0)
Warning: Missing dependency 'puppetlabs-apt':
  'locp-cassandra' (v2.2.1) requires 'puppetlabs-apt' (>= 2.0.0 < 3.0.0)
  'openstack-ceph' (v2.2.1) requires 'puppetlabs-apt' (>=2.0.0 <3.0.0)
  'elasticsearch-elasticsearch' (v0.15.1) requires 'puppetlabs-apt' (>= 2.0.0 < 3.0.0)
  'konstantin-fluentd' (v0.8.0) requires 'puppetlabs-apt' (v2.x)
  'midonet-midonet' (v2015.6.9) requires 'puppetlabs-apt' (>=1.7.0 <2.0.0)
  'puppetlabs-mongodb' (v0.17.0) requires 'puppetlabs-apt' (>= 2.1.0 <3.0.0)
  'openstack-openstack_...


no longer affects: puppet-tripleo
Yolanda Robla (yolanda.robla) wrote :

Actually debugging it more deeply, the problem seems to be with puppet module install. Any module that comes pulled as dependency and installed with the cli, fails.
Documentation says to set digest_algorithm to sha256 in puppet.conf, but even setting that there is the same failure:

md5_dgst.c(80): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode!

Yolanda Robla (yolanda.robla) wrote :

puppet module failures work if we upgrade to puppet 4.8

Alan Pevec (apevec) wrote :

Test build of puppet 4.8.2 for RDO: http://cbs.centos.org/koji/buildinfo?buildID=15305

Changed in tripleo:
milestone: pike-1 → pike-2
Changed in tripleo:
milestone: pike-2 → pike-3
Emilien Macchi (emilienm) wrote :

There are no currently open reviews on this bug, changing the status back to the previous state and unassigning. If there are active reviews related to this bug, please include links in comments.

Changed in tripleo:
assignee: Luke Hinds (lhinds) → nobody
Changed in tripleo:
milestone: pike-3 → pike-rc1
Changed in tripleo:
milestone: pike-rc1 → queens-1
Alex Schultz (alex-schultz) wrote :

Given that we've upgraded to 4.8.2, is this still a problem?

Changed in tripleo:
status: Triaged → Incomplete
Luke Hinds (lhinds) wrote :

Are we still using os_collect_config?

I can see hashlib.md5 in there still:

https://github.com/openstack/os-collect-config/blob/master/os_collect_config/collect.py#L231

If os_collect_config is deprecated, then we can close. If not, could we swap out the md5 in getfilehash() for sha256sum, or would this break backwards compat / upgrade situations?
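
The following is an added example, not code from os-collect-config or from any participant in this thread. It covers the two technical points above: the `hashlib.md5()` ValueError in the bug description, and the proposal to replace MD5 in getfilehash() with SHA-256 together with the upgrade question that raises. The function names (`md5_available`, `getfilehash`, `hash_changed`, `sample_config_paths`) and the sample config contents are assumptions made for the example; only the shape of the traceback (a digest over a list of config files, returned as a hex string) is taken from the page.

```python
import hashlib
import os
import tempfile


def md5_available():
    """Probe whether the OpenSSL backend lets Python construct an MD5 digest.

    On a FIPS-enabled kernel with a FIPS-mode OpenSSL, hashlib.md5() raises
    ValueError ("... disabled for fips"), which is the failure shown in the
    os-collect-config traceback.  Returns True on ordinary builds.
    """
    try:
        hashlib.md5()
    except ValueError:
        return False
    return True


def getfilehash(files, algorithm="sha256"):
    """Digest the concatenated contents of a list of files (hex string out).

    Hypothetical FIPS-safe replacement for an md5-based getfilehash(): same
    shape (list of paths in, hex digest out), but the algorithm is a
    parameter and defaults to SHA-256, which FIPS mode permits.  Files that
    cannot be opened are skipped, so an absent optional config file does not
    abort collection.  Content is read in chunks so large files are not
    loaded whole into memory.
    """
    m = hashlib.new(algorithm)
    for path in files:
        try:
            with open(path, "rb") as fp:
                for chunk in iter(lambda: fp.read(64 * 1024), b""):
                    m.update(chunk)
        except OSError:
            continue
    return m.hexdigest()


def hash_changed(stored_hash, files):
    """Report whether the config files differ from when `stored_hash` was taken.

    Upgrade caveat for the algorithm swap discussed in the thread: a stored
    MD5 digest is 32 hex characters and a SHA-256 digest is 64, so the first
    run after switching algorithms always reports a change and re-triggers
    whatever the hash gates.  That is a one-time forced refresh, not data
    loss, and a caller can detect it explicitly via the length mismatch.
    Returns (changed, new_hash).
    """
    new_hash = getfilehash(files)
    return new_hash != stored_hash, new_hash


# Constructed sample configs for the demonstration (not real deployment data).
SAMPLE_FILES = {
    "10-keystone.conf": b"[DEFAULT]\nadmin_token = placeholder\n",
    "20-neutron.conf": b"[DEFAULT]\ncore_plugin = ml2\n",
}


def sample_config_paths():
    """Write the constructed sample configs to a temp dir and return their paths."""
    directory = tempfile.mkdtemp(prefix="fips-hash-example-")
    paths = []
    for name, content in SAMPLE_FILES.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fp:
            fp.write(content)
        paths.append(path)
    return paths


if __name__ == "__main__":
    paths = sample_config_paths()
    print("MD5 usable on this host:", md5_available())
    digest = getfilehash(paths)
    print("sha256 over configs:", digest)
    # Simulate the first run after an upgrade that previously stored an MD5.
    old_md5 = "d41d8cd98f00b204e9800998ecf8427e"
    print("changed vs stored md5:", hash_changed(old_md5, paths)[0])
```

Run it on a FIPS-enabled host and `md5_available()` comes back False while `getfilehash()` still works; that is the whole point of moving the digest to SHA-256. Where MD5 is kept only as a non-cryptographic checksum, Python 3.9 and later also accept `hashlib.md5(usedforsecurity=False)`, which FIPS-aware builds honour, but for a config-change detector the SHA-256 swap is simpler and removes the dependency on that flag.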

Changed in tripleo:
milestone: queens-1 → queens-2
Changed in tripleo:
milestone: queens-2 → queens-3
Changed in tripleo:
milestone: queens-3 → queens-rc1
Changed in tripleo:
milestone: queens-rc1 → rocky-1
Changed in tripleo:
milestone: rocky-1 → rocky-2
Changed in tripleo:
milestone: rocky-2 → rocky-3
Changed in tripleo:
milestone: rocky-3 → rocky-rc1
Changed in tripleo:
milestone: rocky-rc1 → stein-1
Changed in tripleo:
milestone: stein-1 → stein-2
Changed in tripleo:
milestone: stein-2 → stein-3
Juan Antonio Osorio Robles (juan-osorio-robles) wrote :

Luke, what's the expectation on this bug? are we ready to audit the code and all our dependencies to search for md5 usage?

Changed in tripleo:
milestone: stein-3 → train-1
Changed in tripleo:
milestone: train-1 → train-2
Changed in tripleo:
milestone: train-2 → train-3
Changed in tripleo:
milestone: train-3 → ussuri-1
Changed in tripleo:
milestone: ussuri-1 → ussuri-2
wes hayutin (weshayutin)
Changed in tripleo:
milestone: ussuri-2 → ussuri-3
wes hayutin (weshayutin)
Changed in tripleo:
milestone: ussuri-3 → ussuri-rc3
wes hayutin (weshayutin)
Changed in tripleo:
milestone: ussuri-rc3 → victoria-1
Changed in tripleo:
milestone: victoria-1 → victoria-3