Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1929818 - pulp3: Patch Satellite to continue supporting md5 content in FIPS mode
Summary: pulp3: Patch Satellite to continue supporting md5 content in FIPS mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Pulp
Version: Nightly
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: 6.10.0
Assignee: satellite6-bugs
QA Contact: Lai
URL:
Whiteboard:
Depends On: 1982695 1995175
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-02-17 17:34 UTC by David Davis
Modified: 2021-11-16 14:10 UTC (History)
9 users (show)

Fixed In Version: python-pulpcore-3.11.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-16 14:10:07 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:4702 0 None None None 2021-11-16 14:10:23 UTC

Description David Davis 2021-02-17 17:34:47 UTC 
Description of problem:

Upstream pulp is dropping support for md5 in FIPS mode in Pulp 3. Upstream Katello also will not enable md5 in FIPS environments.

Downstream will need to carry a patch that allows MD5 in FIPS environments by specifying the `usedforsecurity=False` option when calling md5 from the Pulp code. This needs to be tested. Note that users can disable use of md5 in Satellite by setting ALLOWED_CONTENT_CHECKSUMS in their pulp config.

Steps to Reproduce:
1. Install Satellite on a box with FIPS mode enabled 
2. Create a product repo that uses md5 checksums for content (e.g. https://fixtures.pulpproject.org/rpm-with-md5/)
3. Sync it
4. Confirm that sync worked. 
Bonus: install a package from the repo.
Comment 5 David Davis 2021-03-25 12:43:34 UTC 
Here's an rpm repo with md5 checksums that would be worth testing: https://fixtures.pulpproject.org/rpm-with-md5/
Comment 7 Stephen Wadeley 2021-04-13 16:42:32 UTC 
(In reply to David Davis from comment #5)
> Here's an rpm repo with md5 checksums that would be worth testing:
> https://fixtures.pulpproject.org/rpm-with-md5/

Hello David

Can you please confirm, is it the Repo that is signed, i.e. its meta data, or the RPMs themselves? The name of the repo, rpm-with-md5, makes me think its the RPMs that are signed with MD5.
I downloaded bear RPM

/]$ rpm -Kv --nosignature bear-4.1-1.noarch.rpm bear-4.1-1.noarch.rpm: Header SHA1 digest: OK MD5 digest: OK

looks like its the RPMs 

Thank you
Comment 8 David Davis 2021-04-13 16:54:13 UTC 
It's actually the checksums in the metadata itself (see repomd.xml and primary.xml). Pulp uses these checksums to verify the repomd files and rpms when syncing content into Pulp.
Comment 9 Stephen Wadeley 2021-04-13 18:44:08 UTC 
(In reply to David Davis from comment #8)
> It's actually the checksums in the metadata itself (see repomd.xml and
> primary.xml). Pulp uses these checksums to verify the repomd files and rpms
> when syncing content into Pulp.

I see it now:

<open-checksum type="md5">

https://fixtures.pulpproject.org/rpm-with-md5/repodata/repomd.xml


Thank you
Comment 10 Tanya Tereshchenko 2021-06-07 11:02:24 UTC 
The patches which should be included are specified here: https://hackmd.io/@pulp/Pulp3-FIPS-matrix#What-about-37
Comment 11 Tanya Tereshchenko 2021-06-07 11:06:11 UTC 
Correct link to the patches: https://hackmd.io/@pulp/Pulp3-FIPS-matrix#Patches
Comment 17 Grant Gainey 2021-08-18 14:56:15 UTC 
As noted in a FIPS call we just had, Peter has uncovered a FIPS-compliance-problem in the new tasking system that is getting its own BZ, and will need to be addressed before any testing can happen on **this** bug. (Summary: blake2 is Not Allowed in FIPS mode)
Comment 23 Lai 2021-10-05 18:52:58 UTC 
Steps to test:

1. Install Satellite on a box with FIPS mode enabled 
2. Create a product repo that uses md5 checksums for content (e.g. https://fixtures.pulpproject.org/rpm-with-md5/)
3. Sync it
4. Confirm that sync worked. 
Bonus: install a package from the repo.

Expected:
syncing should be successful

Actual:
syncing is successful

I also was able to successful install a package after syncing.

Verified on 6.10_21 with python3-pulpcore-3.14.7-1.el7pc.noarch
Comment 26 errata-xmlrpc 2021-11-16 14:10:07 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.10 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4702
Note You need to log in before you can comment on or make changes to this bug.