FIPS 140-2 systems non-functional #1124

Open
bravecorvus opened this issue Sep 14, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@bravecorvus

Long story short

More or less the same problem laid out in this bug report on aim:

This PR tries to solve the issue aimhubio/aim#3143.

Using Aim on a FIPS-compatible server (a RHEL 9 FIPS-enabled server in our case) results in an error due to a lack of flexibility in the FIPS-compatible version of the blake2 hash algorithm currently used in aim.

After further investigation, we found out that on our FIPS servers the hashlib library uses the OpenSSL version of the constructors for blake2, which doesn't provide the digest_size argument that Aim uses to customize the size of the hash digest to 8 bytes.

In this patch we introduce the use of a FIPS-compatible hashing algorithm, shake_256, which supports variable-length digests and is available in FIPS mode under the SHA3 algorithms.
Currently the code is written to keep using blake2 in normal execution mode, but if FIPS mode is detected it switches to shake_256.

Kopf version

1.31.2 (Via Oracle mysql-operator)

Kubernetes version

v1.30.3-rancher1-1

Python version

3.9.19

Code

No response

Logs

File "/usr/lib/mysqlsh/python-packages/kopf/_cogs/configs/conventions.py", line 184, in make_suffix
    digest = hashlib.blake2b(key.encode('utf-8'), digest_size=4).digest()
TypeError: 'digest_size' is an invalid keyword argument for openssl_blake2b()

Additional information

No response

@bravecorvus bravecorvus added the bug Something isn't working label Sep 14, 2024
@mpdwulit

What does this function do?

    import base64
    import hashlib

    def make_suffix(self, key: str) -> str:
        # 4-byte BLAKE2b digest of the key; digest_size is what the OpenSSL-backed
        # constructor rejects in FIPS mode (see the traceback above)
        digest = hashlib.blake2b(key.encode('utf-8'), digest_size=4).digest()
        # base64 with '-' and '.' in place of '+' and '/', then strip trailing
        # padding and separator characters
        alnums = base64.b64encode(digest, altchars=b'-.').decode('ascii')
        return f'-{alnums}'.rstrip('=-.')

@nolar (Owner)

nolar commented Dec 19, 2024

K8s has a limit on the length of the annotation names (afair, 64 characters). If the key happens to be longer, this thing replaces the ending part with a hash, so that the key is stable anyway, readable in most cases, but fits the limit.

Also, not all characters are allowed, so it replaces the typical base64 special characters with some allowed ones.
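The following is an added example, not kopf's code and not the aim patch, that puts the two halves of this thread together: the FIPS failure mode from the report (openssl_blake2b() refusing digest_size) and the purpose of make_suffix() from the reply above. Instead of trying to detect FIPS mode, it probes for the TypeError the OpenSSL-backed constructor raises and falls back to SHAKE256 (the SHA-3 family XOF the aim patch switched to), then checks the shortened name against the Kubernetes rules for an annotation name segment (at most 63 characters, alphanumeric at both ends, only `-`, `_`, `.` and alphanumerics in between). The `allow_blake2` switch, `fit_annotation_name()` and `is_valid_annotation_name()` are illustrative additions, not kopf APIs.

```python
import base64
import hashlib
import re

# Documented upper bound for the name segment of a Kubernetes annotation key
# (the part after an optional "prefix/").
MAX_NAME_LEN = 63

# Documented shape of a non-empty name segment: alphanumeric at both ends,
# '-', '_', '.' and alphanumerics in between.
_NAME_RE = re.compile(r'^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$')


def short_digest(data: bytes, size: int, allow_blake2: bool = True) -> bytes:
    """Return `size` bytes of hash output.

    Prefer BLAKE2b with a truncated digest_size, as kopf does.  In FIPS mode
    hashlib hands out the OpenSSL-backed openssl_blake2b(), whose constructor
    rejects digest_size with a TypeError (the traceback in this issue).  Then
    fall back to SHAKE256, which yields any requested length and is available
    in FIPS mode.  `allow_blake2=False` is an illustrative switch (not a kopf
    option) that forces the fallback so both paths can be exercised on any host.
    """
    if allow_blake2:
        try:
            return hashlib.blake2b(data, digest_size=size).digest()
        except TypeError:
            pass  # OpenSSL-backed blake2b: fixed 64-byte digest only
    return hashlib.shake_256(data).digest(size)


def make_suffix(key: str, allow_blake2: bool = True) -> str:
    """Same transformation as kopf's make_suffix(): 4 hash bytes, base64 with
    '-' and '.' as the special characters, trailing '=', '-' and '.' removed."""
    digest = short_digest(key.encode('utf-8'), 4, allow_blake2)
    alnums = base64.b64encode(digest, altchars=b'-.').decode('ascii')
    return f'-{alnums}'.rstrip('=-.')


def fit_annotation_name(name: str, limit: int = MAX_NAME_LEN,
                        allow_blake2: bool = True) -> str:
    """Shorten `name` to `limit` characters: keep a readable head and append a
    stable hashed tail, as described above.  Short names pass through unchanged."""
    if len(name) <= limit:
        return name
    suffix = make_suffix(name, allow_blake2)
    return name[:limit - len(suffix)] + suffix


def is_valid_annotation_name(name: str, limit: int = MAX_NAME_LEN) -> bool:
    """Check a name segment against the documented length and character rules."""
    return len(name) <= limit and bool(_NAME_RE.match(name))


if __name__ == '__main__':
    # Constructed sample: a handler id well past the 63-character limit.
    long_name = 'my-very-long-handler-name-' * 4
    for blake2 in (True, False):
        fitted = fit_annotation_name(long_name, allow_blake2=blake2)
        print(f'blake2={blake2}: {fitted} ({len(fitted)} chars, '
              f'valid={is_valid_annotation_name(fitted)})')
```

Two caveats a deployer would want spelled out. First, the two code paths produce different suffixes for the same key, so an operator fleet that mixes FIPS and non-FIPS hosts (or one that is switched to FIPS in place) would compute different annotation names for the same handler and would no longer find state stored under the old name; whichever fallback is chosen has to be consistent across every host that shares that stored state. Second, the 4-byte truncation exists for name stability and readability, not as a security boundary: 32 bits of hash collide easily under adversarial input, which is acceptable here only because the keys are the operator's own handler names.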
