Fix Maven packages not working on FIPS kernels

Stan Hu requested to merge sh-fix-issue-380559 into master

What does this MR do and why?

On a FIPS kernel with a non-FIPS GitLab build, Maven package uploads previously would fail with 422 Unprocessable Entity errors. This occurred because Workhorse was generating an MD5 sum for the accelerated upload, but the Rails API rejects any use of MD5 in FIPS mode.

Workhorse was generating an MD5 sum because its own check for FIPS involves more conditions (#380559 (comment 1167645351)):

  1. The binary has been compiled with the fips build tag.
  2. The platform is amd64 running on a Linux runtime.
  3. The kernel has FIPS enabled (e.g. /proc/sys/crypto/fips_enabled is 1).
  4. A system OpenSSL can be dynamically loaded via ldopen().

On a standard GitLab installation, 1 is not true, so Workhorse believed it was working in a standard environment. However, GitLab Rails only checks whether the OpenSSL library is FIPS-enabled.

To resolve this discrepancy, we now:

  1. Pass UploadHashFunctions to indicate which hashes should be used in the Workhorse /authorize response.
  2. Workhorse will use this list to determine which hashes to compute. If the list is empty, Workhorse will assume all hashes can be used.

Relates to #380559 (closed)

How to set up and validate locally

  1. Use a FIPS-enabled kernel (https://docs.gitlab.com/ee/development/fips_compliance.html#setting-up-a-fips-enabled-development-environment).
  2. Install a standard GitLab EE installation.
  3. Clone https://gitlab.com/gitlab-com/support/toolbox/gitlab-smoke-tests/.
  4. Run a pipeline in the repository.
  5. Manually play the maven-repository job.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Stan Hu
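
The allow-list behaviour from the description above, as an added Go example (not code from this MR or from Workhorse): the server's list decides which digests are computed, and an empty list means all of them. The names `knownHashes`, `selectHashes`, `digestUpload` and the sample list are assumptions made for illustration.

```go
package main

import (
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"hash"
)

// knownHashes is a hypothetical registry of every digest the uploader can compute.
var knownHashes = map[string]func() hash.Hash{
	"md5": md5.New, "sha1": sha1.New, "sha256": sha256.New, "sha512": sha512.New,
}

// selectHashes builds the digests named in allowed. An empty list means
// "no restriction"; names that are not in the registry are skipped.
func selectHashes(allowed []string) map[string]hash.Hash {
	out := map[string]hash.Hash{}
	if len(allowed) == 0 {
		for name, ctor := range knownHashes {
			out[name] = ctor()
		}
		return out
	}
	for _, name := range allowed {
		if ctor, ok := knownHashes[name]; ok {
			out[name] = ctor()
		}
	}
	return out
}

// digestUpload returns the hex digest of data for each selected hash.
func digestUpload(data []byte, allowed []string) map[string]string {
	sums := map[string]string{}
	for name, h := range selectHashes(allowed) {
		h.Write(data)
		sums[name] = hex.EncodeToString(h.Sum(nil))
	}
	return sums
}

func main() {
	// Constructed allow-list that leaves out MD5.
	fmt.Println(digestUpload([]byte("abc"), []string{"sha1", "sha256", "sha512"}))
}
```

In this example a non-empty list containing only unrecognised names yields no digests at all; it does not fall back to computing every hash.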