Jira (PUP-8469) fqdn_rand should use md5 on non-fips enabled hosts


Josh Cooper (JIRA)

Feb 16, 2018, 2:52:02 PM
to puppe...@googlegroups.com
Josh Cooper created an issue
 
Puppet / Bug PUP-8469
fqdn_rand should use md5 on non-fips enabled hosts
Issue Type: Bug
Assignee: Unassigned
Created: 2018/02/16 11:51 AM
Priority: Normal
Reporter: Josh Cooper

Puppet 5.4's fqdn_rand function produces a different value than earlier versions for the same set of inputs.

$ bx puppet apply -e '$value = fqdn_rand(30); notice("$puppetversion: $value")'
Notice: Scope(Class[main]): 5.4.0: 22
Notice: Compiled catalog for r1nc1m63jxi6u3e.delivery.puppetlabs.net in environment production in 0.04 seconds

$ bx puppet apply -e '$value = fqdn_rand(30); notice("$puppetversion: $value")'
Notice: Scope(Class[main]): 5.3.5: 5
Notice: Compiled catalog for r1nc1m63jxi6u3e.delivery.puppetlabs.net in environment production in 0.03 seconds

This is a problem because the values are often written into service configuration files. When they change, services get notified and restart.

We should restore the previous fqdn_rand behavior of calculating its seed value using MD5 when running on a non-FIPS enabled master. FIPS enabled masters should continue using SHA256.

 
This message was sent by Atlassian JIRA (v7.5.1#75006-sha1:7df2574)
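
The effect described in the issue above, as an added example that is not part of the original thread and is not Puppet's own code: a per-host value derived by seeding a PRNG from a digest of the FQDN changes for nearly every host when the digest algorithm changes. The helper names and the sample hostnames are hypothetical and constructed for illustration; MD5 serves only as a non-cryptographic seed here, and the FIPS switch follows the MD5/SHA256 split the issue proposes.

```ruby
require 'digest/md5'
require 'digest/sha2'

# Constructed sample fleet; these hostnames are not from the thread.
SAMPLE_FQDNS = (1..50).map { |i| format('web%02d.example.com', i) }.freeze

# Hypothetical helper: derive a stable per-host value in 0...max by hashing
# "fqdn:max:extra-args" and seeding Ruby's PRNG with the digest as an integer.
def host_rand(fqdn, max, digest_class, *args)
  seed = digest_class.hexdigest([fqdn, max, args].join(':')).hex
  Random.new(seed).rand(max)
end

# Digest choice keyed on FIPS mode, as the issue proposes:
# MD5 on non-FIPS hosts (keeps old values), SHA256 on FIPS hosts.
def digest_for(fips_enabled)
  fips_enabled ? Digest::SHA256 : Digest::MD5
end

# Hosts whose value differs between the two digests, i.e. hosts whose
# rendered configuration would change if the digest were switched.
def hosts_that_change(fqdns, max)
  fqdns.reject do |fqdn|
    host_rand(fqdn, max, Digest::MD5) == host_rand(fqdn, max, Digest::SHA256)
  end
end

if __FILE__ == $PROGRAM_NAME
  changed = hosts_that_change(SAMPLE_FQDNS, 30)
  puts "#{changed.size} of #{SAMPLE_FQDNS.size} hosts get a new value"
  SAMPLE_FQDNS.first(3).each do |h|
    md5 = host_rand(h, 30, digest_for(false))
    sha = host_rand(h, 30, digest_for(true))
    puts "#{h}: non-FIPS=#{md5} FIPS=#{sha}"
  end
end
```

With a range of 30, only about one host in 30 keeps its value by coincidence, so a digest change rewrites almost every configuration file that embeds the result.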

Jayant Sane (JIRA)

Feb 16, 2018, 2:59:02 PM
to puppe...@googlegroups.com

Jayant Sane (JIRA)

Feb 20, 2018, 2:50:04 PM
to puppe...@googlegroups.com

Josh Cooper (JIRA)

Feb 20, 2018, 3:22:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Fix Version/s: PUP 5.5.0

Josh Cooper (JIRA)

Feb 20, 2018, 3:22:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Sprint: Platform Core KANBAN

Josh Cooper (JIRA)

Feb 20, 2018, 3:22:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Sub-team: Coremunity

Josh Cooper (JIRA)

Feb 20, 2018, 3:22:03 PM
to puppe...@googlegroups.com

Josh Cooper (JIRA)

Feb 26, 2018, 4:41:03 PM
to puppe...@googlegroups.com

Eric Delaney (JIRA)

Mar 7, 2018, 10:46:03 AM
to puppe...@googlegroups.com
Eric Delaney commented on Bug PUP-8469

Jayant Sane Could you add release notes if needed?


Jayant Sane (JIRA)

Mar 7, 2018, 11:48:04 AM
to puppe...@googlegroups.com
Jayant Sane updated an issue
 

It also restores the behavior of fqdn_rand to that in versions before 5.4.0 when running on non-fips enabled hosts.

Change By: Jayant Sane
Release Notes Summary: fqdn_rand uses SHA256 to compute seed/rand when running on FIPS enabled hosts which is a change from using MD5 on non-fips enabled hosts. So a given host will yield different fqdn_rand values when in fips mode and when not in fips mode.
Release Notes: New Feature

Eric Delaney (JIRA)

Mar 12, 2018, 5:11:04 PM
to puppe...@googlegroups.com
Eric Delaney assigned an issue to Unassigned
Change By: Eric Delaney
Assignee: Jayant Sane

Kris Bosland (JIRA)

Mar 12, 2018, 7:12:03 PM
to puppe...@googlegroups.com

Kris Bosland (JIRA)

Mar 12, 2018, 7:40:04 PM
to puppe...@googlegroups.com
Kris Bosland commented on Bug PUP-8469
 
Re: fqdn_rand should use md5 on non-fips enabled hosts

All current branches now give the same result (17 in my case):

4.10.x:

% bx puppet apply -e '$value = fqdn_rand(30); notice("$puppetversion: $value")'
/Users/kris.bosland/work/puppet/.bundle/ruby/2.4.0/gems/CFPropertyList-2.2.8/lib/cfpropertylist/rbCFTypes.rb:24: warning: constant ::Fixnum is deprecated
Notice: Scope(Class[main]): 4.10.11: 17
Notice: Compiled catalog for x in environment production in 0.10 seconds
Notice: Applied catalog in 0.01 seconds

5.3.x:

% bx puppet apply -e '$value = fqdn_rand(30); notice("$puppetversion: $value")'
Notice: Scope(Class[main]): 5.3.6: 17
Notice: Compiled catalog for kris.bosland-c02kf9eafft1 in environment production in 0.04 seconds
Notice: Applied catalog in 0.01 seconds

5.5.x:

% bx puppet apply -e '$value = fqdn_rand(30); notice("$puppetversion: $value")'
Notice: Scope(Class[main]): 5.5.0: 17
Notice: Compiled catalog for x in environment production in 0.04 seconds
Notice: Applied catalog in 0.01 seconds

master:

% bx puppet apply -e '$value = fqdn_rand(30); notice("$puppetversion: $value")'
Notice: Scope(Class[main]): 6.0.0: 17
Notice: Compiled catalog for x in environment production in 0.04 seconds
Notice: Applied catalog in 0.01 seconds

 

John Duarte (JIRA)

Oct 21, 2019, 10:55:05 AM
to puppe...@googlegroups.com
John Duarte updated an issue
 
Change By: John Duarte
QA Risk Assessment: Needs Assessment No Action