kopf
FIPS 140-2 systems non-functional
Long story short
More or less the same problem laid out in this bug report on aim
This PR tries to solve the issue https://github.com/aimhubio/aim/issues/3143.
Using Aim on a FIPS compatible server, a RHEL 9 FIPS enabled server in our case, results in an error due to lack of flexibility in the FIPS compatible version of the blake2 hash algorithm used in aim currently.
Post further investigation we found out that on our FIPS servers the hashlib library used openssl version of the constructors for blake2 which doesn't provide digest_size argument which is used in Aim to customize the size of hash digest to 8 bytes.
In this patch we introduce use of a FIPS compatible hashing algorithm shake_256 which supports variable-length digests and is available in FIPS mode under the SHA3 algorithms. Currently the code is written to keep using blake2 in normal execution mode but if FIPS mode is detected it switches to shake_256.
Kopf version
1.31.2 (Via Oracle mysql-operator)
Kubernetes version
v1.30.3-rancher1-1
Python version
3.9.19
Code
No response
Logs
File "/usr/lib/mysqlsh/python-packages/kopf/_cogs/configs/conventions.py", line 184, in make_suffix
digest = hashlib.blake2b(key.encode('utf-8'), digest_size=4).digest()
TypeError: 'digest_size' is an invalid keyword argument for openssl_blake2b()
Additional information
No response
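The fallback described in the quoted Aim PR, sketched as an added example (not code from kopf, Aim or the original report): try `blake2b` with `digest_size`, and switch to `shake_256` when the constructor rejects it. `short_digest` and `openssl_style_blake2b` are hypothetical names; the latter is a constructed stand-in that reproduces the `TypeError` from the log so the fallback can be exercised on a non-FIPS host.

```python
import hashlib


def openssl_style_blake2b(data=b"", **kwargs):
    # Constructed stand-in for the OpenSSL-backed constructor seen in the
    # traceback: it rejects digest_size with the same TypeError.
    if "digest_size" in kwargs:
        raise TypeError(
            "'digest_size' is an invalid keyword argument for openssl_blake2b()"
        )
    return hashlib.blake2b(data)


def short_digest(data, size=4, blake2b=hashlib.blake2b):
    """Return (algorithm_name, digest) where digest is exactly `size` bytes.

    `blake2b` is injectable only so the FIPS failure can be simulated.
    """
    try:
        # Normal mode: the built-in blake2b accepts digest_size.
        return "blake2b", blake2b(data, digest_size=size).digest()
    except (TypeError, ValueError):
        # Constructor refused the keyword (TypeError, as in the log) or the
        # algorithm itself (ValueError). shake_256 is an extendable-output
        # function, so the length is chosen at digest() time instead.
        return "shake_256", hashlib.shake_256(data).digest(size)


if __name__ == "__main__":
    key = b"example.com/some-annotation"  # constructed sample input
    for ctor in (hashlib.blake2b, openssl_style_blake2b):
        algo, digest = short_digest(key, size=4, blake2b=ctor)
        print(f"{ctor.__name__:24} -> {algo:10} {digest.hex()}")
```

The two branches produce different bytes for the same input, so any value derived from the digest and persisted on a non-FIPS host will not match the one computed after the switch to `shake_256`.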