This repository has been archived by the owner on Apr 14, 2021. It is now read-only.

Bundler disabling Compact Index on all FIPS-supported OpenSSL installations #5433

Closed
wjordan opened this issue Feb 14, 2017 · 2 comments

Comments

@wjordan
Contributor

wjordan commented Feb 14, 2017

Since #5222, Bundler is disabling Compact Index on any system where OpenSSL is compiled with support for FIPS mode, regardless of whether or not FIPS mode is currently enabled on the process (e.g., by setting OpenSSL.fips_mode = true in Ruby).

Compare the following:

FIPS mode supported but not enabled:

$ ruby -ropenssl -rdigest/md5 -e "p OpenSSL::OPENSSL_FIPS; p Digest::MD5.hexdigest('foo')"
true
"acbd18db4cc2f85cedef654fccc4a4d8"

FIPS mode supported and enabled:

$ ruby -ropenssl -rdigest/md5 -e "p OpenSSL::OPENSSL_FIPS; OpenSSL.fips_mode = true; p Digest::MD5.hexdigest('foo')"
true
md5_dgst.c(83): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode!
Aborted

This bug is affecting current versions of Amazon Linux, which have OpenSSL 1.0.1k-fips installed by default.

@segiddins
Member

A PR with a fix for this would be much appreciated!

@wjordan
Contributor Author

wjordan commented Feb 16, 2017

PR #5440 is the best I can do to extend #5222's detection-based approach to the underlying FIPS compatibility issue (#4989), but I don't think it's a good approach. I think a better fix for this issue is to revert #5222 and come up with a better solution to support FIPS.

bundlerbot added a commit that referenced this issue Feb 18, 2017
Enable compact index when OpenSSL FIPS mode is enabled but not active

Fixes #5433. Since there is no easy accessor in Ruby to detect whether or not FIPS mode is currently active, the best approach I could come up with is to `fork` a separate process and attempt to build an MD5 object as a test of whether the MD5 module is currently available.

Because the `fork` approach won't work on some platforms (JRuby, Windows etc.), `md5_supported?` returns `false` on any platform where FIPS mode is enabled and `Process.respond_to?(:fork)` is `false`.

I've added a spec that simulates behavior when OpenSSL FIPS mode is active - an error message is output to STDERR and the process is killed with the `ABRT` signal.
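The fork-and-probe detection described in the commit message above, written out as an added, self-contained example (this is not Bundler's code from PR #5440; the module name `FipsProbe` and the helper `child_probe_ok?` are my own). The point it demonstrates is the one the issue hinges on: `OpenSSL::OPENSSL_FIPS` is a compile-time capability flag and says nothing about whether FIPS mode is active, and the only way to find out in-process without risking the parent is to attempt MD5 in a forked child, because OpenSSL reacts to a forbidden digest with `abort()` (SIGABRT), not a Ruby exception.

```ruby
require "openssl"
require "digest/md5"

# Added example: probe whether MD5 is actually usable under the current
# OpenSSL configuration, without letting an OpenSSL abort() kill this process.
module FipsProbe
  # Compile-time flag only: true on any FIPS-capable build (e.g. Amazon Linux's
  # OpenSSL 1.0.1k-fips), whether or not FIPS mode has been switched on.
  def self.fips_capable?
    defined?(OpenSSL::OPENSSL_FIPS) ? OpenSSL::OPENSSL_FIPS : false
  end

  # Run `probe` in a forked child and report whether that child exited 0.
  # - an OpenSSL internal assertion calls abort(): the child dies with SIGABRT
  # - a Ruby exception in the child makes it exit non-zero
  # Either way the parent survives and sees `false`. Returns false where
  # fork is unavailable (JRuby, Windows), which is the conservative answer.
  def self.child_probe_ok?(&probe)
    return false unless Process.respond_to?(:fork)

    pid = Process.fork do
      # Silence "OpenSSL internal error, assertion failed: ..." from the child.
      $stderr.reopen(File::NULL)
      probe.call
      exit!(0) # skip at_exit handlers; the parent owns those
    end
    _pid, status = Process.wait2(pid)
    # Process::Status#success? is nil (not false) for a signalled child, so
    # check exited? explicitly to get a strict boolean.
    status.exited? && status.exitstatus == 0
  end

  # true  -> MD5 works here (non-FIPS build, or FIPS-capable but not active)
  # false -> FIPS mode is active, or we cannot safely find out on this platform
  def self.md5_supported?
    return true unless fips_capable?

    child_probe_ok? { Digest::MD5.hexdigest("probe") }
  end
end

if $PROGRAM_NAME == __FILE__
  puts "FIPS-capable build: #{FipsProbe.fips_capable?}"
  puts "MD5 usable:         #{FipsProbe.md5_supported?}"
end
```

On a host where FIPS mode has been activated (for example with `OpenSSL.fips_mode = true` before the probe, or via the system-wide FIPS configuration), the child aborts and `md5_supported?` returns `false`; on a plain build it short-circuits to `true` without forking at all. The `$stderr.reopen` in the child is what keeps the assertion message out of the caller's output, which is also why a spec for this has to check the exit signal rather than the text.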
segiddins pushed a commit that referenced this issue Feb 22, 2017
Enable compact index when OpenSSL FIPS mode is enabled but not active

(cherry picked from commit 13f4cc1)