Bug 1460671 - [WALA] Fail to run Extension in FIPS mode
Summary: [WALA] Fail to run Extension in FIPS mode
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: WALinuxAgent
Version: 7.4
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Vitaly Kuznetsov
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks: 1451172 1461243
Reported: 2017-06-12 11:35 UTC by Yuxin Sun
Modified: 2021-06-10 12:25 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1461243 (view as bug list)
Environment:
Last Closed: 2018-01-25 11:50:47 UTC
Target Upstream Version:
Embargoed:



Links:
System: Github Azure WALinuxAgent issues
ID: 760
Private: 0
Priority: None
Status: closed
Summary: [2.2.12] Fail to run Extension in FIPS mode
Last Updated: 2021-01-21 22:39:00 UTC

Description Yuxin Sun 2017-06-12 11:35:13 UTC
Description of problem:
If an Extension is installed, wala will run openssl pkcs12 to generate a certificate, which goes wrong in FIPS mode.

Version-Release number of selected component (if applicable):
WALinuxAgent-2.2.12-1

RHEL Version:
RHEL-7.4

How reproducible:
100%

Steps to Reproduce:
1. Prepare a VM in Azure. Enable FIPS following the document: https://access.redhat.com/solutions/137833
    1). yum install dracut-fips
    2). mv -v /boot/initramfs-$(uname -r).img{,.bak}
         dracut
    3). grubby --update-kernel=$(grubby --default-kernel) --args=fips=1
         uuid=$(findmnt -no uuid /boot)
         [[ -n $uuid ]] && grubby --update-kernel=$(grubby --default-kernel) --args=boot=UUID=${uuid}
    4). reboot
2. Run "reset remote access" to install an Extension into the VM. There are no error logs in waagent.log
3. Set "OS.EnableFIPS=y" in /etc/waagent.conf. Restart waagent service
4. Check if the extension works. Check /var/log/waagent.log

Actual results:
The extension doesn't work. The waagent -run-exthandler process keeps restarting.

There are error logs in waagent.log:
2017/06/09 18:41:23.406056 WARNING Server preferred version:2015-04-05
2017/06/09 18:41:28.146195 ERROR Command: '/usr/bin/openssl cms -decrypt -in /var/lib/waagent/Certificates.p7m -inkey /var/lib/waagent/TransportPrivate.pem -recip /var/lib/waagent/TransportCert.pem | /usr/bin/openssl pkcs12 -nodes -password pass: -out /var/lib/waagent/Certificates.pem'
2017/06/09 18:41:28.184821 ERROR Return code: 1
2017/06/09 18:41:28.195972 ERROR Result: MAC verified OK
Error outputting keys and certificates
140308542494624:error:060740A0:digital envelope routines:EVP_PBE_CipherInit:unknown cipher:evp_pbe.c:181:
140308542494624:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:87:
140308542494624:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:

2017/06/09 18:41:28.306785 ERROR Failed to run 'run-exthandlers': Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/azurelinuxagent/agent.py", line 147, in main
    agent.run_exthandlers()
  File "/usr/lib/python2.7/site-packages/azurelinuxagent/agent.py", line 117, in run_exthandlers
    update_handler.run()
  File "/usr/lib/python2.7/site-packages/azurelinuxagent/ga/update.py", line 236, in run
    get_monitor_handler().run()
  File "/usr/lib/python2.7/site-packages/azurelinuxagent/ga/monitor.py", line 96, in run
    self.init_sysinfo()
  File "/usr/lib/python2.7/site-packages/azurelinuxagent/ga/monitor.py", line 121, in init_sysinfo
    protocol = self.protocol_util.get_protocol()
  File "/usr/lib/python2.7/site-packages/azurelinuxagent/common/protocol/util.py", line 261, in get_protocol
    self.protocol = self._detect_protocol(protocols)
  File "/usr/lib/python2.7/site-packages/azurelinuxagent/common/protocol/util.py", line 183, in _detect_protocol
    return self._detect_wire_protocol()
  File "/usr/lib/python2.7/site-packages/azurelinuxagent/common/protocol/util.py", line 152, in _detect_wire_protocol
    protocol.detect()
  File "/usr/lib/python2.7/site-packages/azurelinuxagent/common/protocol/wire.py", line 99, in detect
    self.client.update_goal_state(forced=True)
  File "/usr/lib/python2.7/site-packages/azurelinuxagent/common/protocol/wire.py", line 729, in update_goal_state
    self.update_certs(goal_state)
  File "/usr/lib/python2.7/site-packages/azurelinuxagent/common/protocol/wire.py", line 688, in update_certs
    self.certs = Certificates(self, xml_text)
  File "/usr/lib/python2.7/site-packages/azurelinuxagent/common/protocol/wire.py", line 1147, in __init__
    self.parse(xml_text)
  File "/usr/lib/python2.7/site-packages/azurelinuxagent/common/protocol/wire.py", line 1218, in parse
    thumbprint = thumbprints[pubkey]
KeyError: u'-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAocW4DnlCqiI8MrQAj8ec\nZACpCKUwPCPg3vDYGLdwqvKs9H9bMxy1cXzgGFnPgfG/azfyzB3kbDlW+I9DMLq9\nw2ntdRdDn2esLlToWymQcQjs0FesvJhppgJSe0hOlUCBBgmWqFC1Lfom+SGDnxeR\nkc6z42ExX4VPRvNKeU7yZwoOqpTZmy2FXNxVe3db0nB87ZRRy15gXjHICFPMG4HV\nsPI/xDttaqTLlzmmGVh36oxE8WVCNiTarTOTNfA4udNmk07Xw2Y3lrms28jr2AKj\ngxpI+IUraN8reLUVNmkumeNwEl0ttdv6ngltkGCoNh+3lKVpnugahB+GCQ5hamCe\nGQIDAQAB\n-----END PUBLIC KEY-----\n'

Expected results:
The extension can work well in FIPS mode.

Additional info:
1. I ran this command manually and it also didn't work.
   1). export OPENSSL_FIPS=1
   2). Run command:
# /usr/bin/openssl cms -decrypt -in /var/lib/waagent/Certificates.p7m -inkey /var/lib/waagent/TransportPrivate.pem -recip /var/lib/waagent/TransportCert.pem | /usr/bin/openssl pkcs12 -nodes -password pass: -out /var/lib/waagent/Certificates.pem
   3). Output:
MAC verified OK
Error outputting keys and certificates
140520158844832:error:060740A0:digital envelope routines:EVP_PBE_CipherInit:unknown cipher:evp_pbe.c:181:
140520158844832:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:87:
140520158844832:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:

2. It also impacts VM provisioning when authenticating with an SSH key in FIPS mode.

Comment 3 Yuxin Sun 2017-06-19 09:08:30 UTC
Here's the response from Tomas Mraz:

"unfortunately this cannot work in the FIPS mode because the algorithm by which the PKCS12 data is encrypted is not approved and thus unsupported in the FIPS mode. The algorithm used is extremely weak - pbeWithSHA1And40BitRC2-CBC - this means the encryption is 40 bit RC2. The only FIPS approved encryption algorithms are AES and TDES3."

It seems that this is not supported in FIPS mode. We're waiting for the MSFT developers to help to confirm it.
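
A triage helper for the failure discussed above, added here as an example and not part of the bug report or of WALinuxAgent: it parses OpenSSL error-queue lines like those in the waagent.log excerpt, splits each packed code into library, function and reason numbers, and flags the chain that means a PKCS#12 bag's password-based cipher was refused. The function names are hypothetical, and the bit layout assumed is the one used by OpenSSL releases before 3.0.

```python
import re

# Error-queue line as printed by OpenSSL 1.0.x/1.1.x:
#   <thread id>:error:<packed code>:<library>:<function>:<reason>:<file>:<line>:
ERR_LINE = re.compile(
    r"^(?P<tid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):"
)

# The three error lines are copied from the waagent.log excerpt in this report;
# the leading lines are kept so the parser has to skip non-error text.
SAMPLE = """\
2017/06/09 18:41:28.195972 ERROR Result: MAC verified OK
Error outputting keys and certificates
140308542494624:error:060740A0:digital envelope routines:EVP_PBE_CipherInit:unknown cipher:evp_pbe.c:181:
140308542494624:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:87:
140308542494624:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:
"""

def unpack(code_hex):
    """Split a packed pre-3.0 error code into (library, function, reason) numbers."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def parse_errors(text):
    """Return one dict per error-queue line, ignoring everything else."""
    errors = []
    for raw in text.splitlines():
        m = ERR_LINE.match(raw.strip())
        if m:
            entry = m.groupdict()
            entry["numbers"] = unpack(entry["code"])
            errors.append(entry)
    return errors

def is_pkcs12_pbe_rejection(errors):
    """True when a PKCS#12 decrypt failed because the library would not
    initialise the bag's password-based cipher (the failure in this report)."""
    refused = any(e["func"] == "EVP_PBE_CipherInit" and e["reason"] == "unknown cipher"
                  for e in errors)
    in_pkcs12 = any(e["lib"] == "PKCS12 routines" for e in errors)
    return refused and in_pkcs12

if __name__ == "__main__":
    for e in parse_errors(SAMPLE):
        print(e["numbers"], e["lib"], e["func"], e["reason"])
    print("PKCS#12 PBE cipher rejected:", is_pkcs12_pbe_rejection(parse_errors(SAMPLE)))
```

On a FIPS-enabled host this signature points at the algorithm protecting the PKCS#12 data, not at a wrong password or a damaged file: the MAC check passes first and only the bag decryption fails.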

Comment 4 Yuxin Sun 2018-01-25 11:50:47 UTC
From upstream, it seems that WALA cannot support FIPS mode. Close this issue.

