Skip to content

feat(fips): do not allow scram sasl mechanism in fips mode #43062

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
kruskall merged 3 commits into from
Mar 11, 2025
Merged

feat(fips): do not allow scram sasl mechanism in fips mode #43062

kruskall merged 3 commits into from
Mar 11, 2025

Conversation

@kruskall
Copy link
Member

@kruskall kruskall commented Mar 6, 2025

Proposed commit message

scram is using custom implementation of pbkdf2 which is not allowed in fips mode

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Disruptive User Impact

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Use cases

Screenshots

Logs

@kruskall
feat(fips): do not allow scram sasl mechanism in fips mode
3df707b 
scram is using custom implementation of pbkdf2 which is not allowed
in fips mode
@kruskall kruskall requested a review from a team as a code owner March 6, 2025 04:24
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Mar 6, 2025
@mergify
Copy link
Contributor

mergify bot commented Mar 6, 2025

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @kruskall? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

@kruskall kruskall added backport-8.x Automated backport to the 8.x branch with mergify backport-8.18 Automated backport to the 8.18 branch backport-9.0 Automated backport to the 9.0 branch labels Mar 6, 2025
@simitt
Copy link
Contributor

simitt commented Mar 6, 2025

@kruskall how did you detect this issue? Any tooling that you used for it given that it is not stdlib implementation?

@kruskall
Copy link
Member Author

kruskall commented Mar 6, 2025

nope, just spotted the dependency since it was linked in the final binary

@pierrehilbert pierrehilbert added the Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team label Mar 7, 2025
@elasticmachine
Copy link
Contributor

elasticmachine commented Mar 7, 2025

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Mar 7, 2025
@kruskall kruskall removed the backport-8.18 Automated backport to the 8.18 branch label Mar 10, 2025
@pierrehilbert pierrehilbert requested a review from mauri870 March 11, 2025 16:01
mauri870
mauri870 approved these changes Mar 11, 2025
View reviewed changes
Copy link
Member

@mauri870 mauri870 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code-wise, it looks fine, but I'm not experienced with SASL and Kafka to provide a meaningful review. The history of this file is quite shallow, so I can't find any previous developers to ping.

@kruskall kruskall merged commit 9761c36 into elastic:main Mar 11, 2025
144 checks passed
@kruskall kruskall deleted the feat/fips-drop-scram branch March 11, 2025 16:36
mergify bot pushed a commit that referenced this pull request Mar 11, 2025
@kruskall @mergify
feat(fips): do not allow scram sasl mechanism in fips mode (#43062)
576c950 
* feat(fips): do not allow scram sasl mechanism in fips mode

scram is using custom implementation of pbkdf2 which is not allowed
in fips mode

* Update sasl_fips.go

* Update sasl_fips.go

(cherry picked from commit 9761c36)
@mergify mergify bot mentioned this pull request Mar 11, 2025
Merged
6 tasks
mergify bot pushed a commit that referenced this pull request Mar 11, 2025
@kruskall @mergify
feat(fips): do not allow scram sasl mechanism in fips mode (#43062)
c307a03 
* feat(fips): do not allow scram sasl mechanism in fips mode

scram is using custom implementation of pbkdf2 which is not allowed
in fips mode

* Update sasl_fips.go

* Update sasl_fips.go

(cherry picked from commit 9761c36)
@mergify mergify bot mentioned this pull request Mar 11, 2025
Merged
6 tasks
kruskall added a commit that referenced this pull request Mar 14, 2025
@mergify @kruskall
feat(fips): do not allow scram sasl mechanism in fips mode (#43062) (#…
9ab87b3 
…43204)

* feat(fips): do not allow scram sasl mechanism in fips mode

scram is using custom implementation of pbkdf2 which is not allowed
in fips mode

* Update sasl_fips.go

* Update sasl_fips.go

(cherry picked from commit 9761c36)

Co-authored-by: kruskall <[email protected]>
kruskall added a commit that referenced this pull request Mar 14, 2025
@mergify @kruskall
feat(fips): do not allow scram sasl mechanism in fips mode (#43062) (#…
e0e2d3e 
…43203)

* feat(fips): do not allow scram sasl mechanism in fips mode

scram is using custom implementation of pbkdf2 which is not allowed
in fips mode

* Update sasl_fips.go

* Update sasl_fips.go

(cherry picked from commit 9761c36)

Co-authored-by: kruskall <[email protected]>
@kruskall kruskall mentioned this pull request Mar 25, 2025
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@simitt simitt simitt approved these changes

@mauri870 mauri870 mauri870 approved these changes

@khushijain21 khushijain21 Awaiting requested review from khushijain21 khushijain21 is a code owner automatically assigned from elastic/elastic-agent-data-plane

@VihasMakwana VihasMakwana Awaiting requested review from VihasMakwana VihasMakwana is a code owner automatically assigned from elastic/elastic-agent-data-plane

Assignees

@kruskall kruskall

Labels

backport-8.x Automated backport to the 8.x branch with mergify backport-9.0 Automated backport to the 9.0 branch Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@kruskall @simitt @elasticmachine @mauri870 @pierrehilbert