Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Replace MD5 with SHA256+ #848

Closed
matt-domsch-sp opened this issue May 29, 2024 · 2 comments · Fixed by #853
Closed

Replace MD5 with SHA256+ #848

matt-domsch-sp opened this issue May 29, 2024 · 2 comments · Fixed by #853

Comments

@matt-domsch-sp
Copy link

matt-domsch-sp commented May 29, 2024

Is your feature request related to a problem? Please describe.

digest = OpenSSL::Digest::MD5.hexdigest(dump_json(digestable_hash.sort))
uses OpenSSL MD5 digest algorithm. MD5 is disallowed under FIPS 140-2 and later (e.g. 140-3), so systems operating in FIPS mode do not have access to the OpenSSL MD5 digest algorithm. Given that FIPS 140-2 is required in many environments, and that MD5 use is discouraged anymore regardless, another digest algorithm would be appropriate to use.

Describe the solution you'd like
Replace use of MD5 with a FIPS 140-2 or -3 permitted algorithm, such as in the SHA2 or SHA3 family.

This does raise the question of forward compatibility - upgrading a system previously using MD5 digests to a system using a SHA2+ digest, with transactions in flight. This may call for a major version bump, and an operational requirement to drain all previous unique job records. I'm open to a less invasive solution that doesn't involve the use of MD5 except perhaps in a brief transition period.

Describe alternatives you've considered
Disabling FIPS mode is not an option for my use case.
Re-enabling MD5 while in FIPS mode invalidates any FIPS certification.

We intend to monkey-patch lock_digest.rb create_digest() effectively as follows:

    def create_digest
-      digest = OpenSSL::Digest::MD5.hexdigest(dump_json(digestable_hash.sort))
+      digest = OpenSSL::Digest.new("SHA3-256", dump_json(digestable_hash.sort)).hexdigest
       "#{lock_prefix}:#{digest}"
     end

Additional context
Failures at runtime when FIPS mode is enabled on a RHEL 9.4 Universal Base Image OS with FIPS mode enabled look like:

OpenSSL::Digest::DigestError,
  | Digest initialization failed: initialization error

/usr/local/lib/ruby/3.3.0/openssl/digest.rb:31:in `initialize'
/usr/local/lib/ruby/3.3.0/openssl/digest.rb:31:in `block (3 levels) in <class:Digest>'
/usr/local/lib/ruby/3.3.0/openssl/digest.rb:38:in `new'
/usr/local/lib/ruby/3.3.0/openssl/digest.rb:38:in `block (3 levels) in <class:Digest>'
/usr/src/app/seczetta_identity_suite/vendor/bundle/ruby/3.3.0/gems/sidekiq-unique-jobs-7.1.33/lib/sidekiq_unique_jobs/lock_digest.rb:54:in `create_digest'
/usr/src/app/seczetta_identity_suite/vendor/bundle/ruby/3.3.0/gems/sidekiq-unique-jobs-7.1.33/lib/sidekiq_unique_jobs/lock_digest.rb:48:in `lock_digest'
/usr/src/app/seczetta_identity_suite/vendor/bundle/ruby/3.3.0/gems/sidekiq-unique-jobs-7.1.33/lib/sidekiq_unique_jobs/lock_digest.rb:22:in `call'
/usr/src/app/seczetta_identity_suite/vendor/bundle/ruby/3.3.0/gems/sidekiq-unique-jobs-7.1.33/lib/sidekiq_unique_jobs/job.rb:52:in `add_lock_digest'
/usr/src/app/seczetta_identity_suite/vendor/bundle/ruby/3.3.0/gems/sidekiq-unique-jobs-7.1.33/lib/sidekiq_unique_jobs/job.rb:25:in `add_digest'
/usr/src/app/seczetta_identity_suite/vendor/bundle/ruby/3.3.0/gems/sidekiq-unique-jobs-7.1.33/lib/sidekiq_unique_jobs/job.rb:17:in `prepare'
/usr/src/app/seczetta_identity_suite/vendor/bundle/ruby/3.3.0/gems/sidekiq-unique-jobs-7.1.33/lib/sidekiq_unique_jobs/middleware.rb:38:in `call'
...
@ravindrae
Copy link

Facing the same issue when trying to run the application on RHEL 8 with FIPS enabled. Since FIPS does not allow non-FIPS digest algorithms like MD5, this has caused some challenges.

Cannot disable FIPS as security concern

2024-07-17 15:18:14 +0000, tid=39040 ERROR: Couldn't execute scheduled job! from  
Wed, Jul 17 2024 8:48:14 pm
2024-07-17 15:18:14 +0000, tid=39040 ERROR: Digest initialization failed: disabled for FIPS from  
Wed, Jul 17 2024 8:48:14 pm
2024-07-17 15:18:14 +0000, tid=39040 INFO: Finished JobClass duration_ms=1 error=#<OpenSSL::Digest::DigestError: Digest initialization failed: disabled for FIPS> from  

@matt-domsch-sp, I noticed that you mentioned a monkey-patched version of create_digest. Could you please share more details on how you managed to handle the old transactions that used MD5 digests? Any guidance or examples would be greatly appreciated.

Thanks in advance

@matt-domsch-sp
Copy link
Author

In my case we made the transition while the application was otherwise naturally idle, and did not attempt to solve for both algorithms being present simultaneously. I recognize that may not be possible for all users of this library.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants