    Fix Maven packages not working on FIPS kernels · e65e8a1b
    Stan Hu authored
    On a FIPS kernel with a non-FIPS GitLab build, Maven package uploads
    previously would fail with 422 Unprocessable Entity errors. This
    occurred because Workhorse was generating an MD5 sum for the
    accelerated upload, but the Rails API rejects any use of MD5 in FIPS
    mode.
    
    Workhorse was generating an MD5 sum because its own check for FIPS
    involves more conditions:
    
    1. The binary has been compiled with the `fips` build tag.
    2. The platform is amd64 running on a Linux runtime.
    3. The kernel has FIPS enabled (e.g. `/proc/sys/crypto/fips_enabled` is 1).
    4. A system OpenSSL can be dynamically loaded via ldopen().
    
    On a standard GitLab installation, 1 is not true, so Workhorse
    believed it was working in a standard environment. However, GitLab
    Rails only checks whether the OpenSSL library is FIPS-enabled.
    
    To resolve this discrepancy, we now:
    
    1. Pass `UploadHashFunctions` to indicate which hashes should be used
       in the Workhorse `/authorize` response.
    2. Workhorse will use this list to determine which hashes to compute.
       If the list is empty, Workhorse will assume all hashes can be used.
    
    Relates to #380559
    
    Changelog: fixed
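The selection rule from the commit message, as an added Go sketch that is not Workhorse's own code: the upload is hashed in one streaming pass with only the algorithms in the allowed list, and an empty list falls back to every known hash. The function name `uploadDigests`, the `allowed` parameter (standing in for the `UploadHashFunctions` list from the `/authorize` response), the set of four algorithms, and the choice to reject unknown names are assumptions.

```go
package main

import (
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"fmt"
	"hash"
	"io"
	"strings"
)

// Digests this sketch knows how to compute (assumed set, not taken from the commit).
var constructors = map[string]func() hash.Hash{
	"md5": md5.New, "sha1": sha1.New, "sha256": sha256.New, "sha512": sha512.New,
}

// uploadDigests streams body once and returns hex digests for the allowed
// algorithms only. An empty list means every known hash may be used.
func uploadDigests(allowed []string, body io.Reader) (map[string]string, error) {
	if len(allowed) == 0 {
		allowed = []string{"md5", "sha1", "sha256", "sha512"}
	}
	hashers := map[string]hash.Hash{}
	var writers []io.Writer
	for _, name := range allowed {
		newHash, ok := constructors[name]
		if !ok { // this sketch fails closed on names it does not recognise
			return nil, fmt.Errorf("unsupported hash function %q", name)
		}
		hashers[name] = newHash()
		writers = append(writers, hashers[name])
	}
	// One pass over the upload feeds every selected hasher.
	if _, err := io.Copy(io.MultiWriter(writers...), body); err != nil {
		return nil, err
	}
	out := map[string]string{}
	for name, h := range hashers {
		out[name] = fmt.Sprintf("%x", h.Sum(nil))
	}
	return out, nil
}

func main() {
	// Constructed input: a list without MD5, as a FIPS-mode Rails might send.
	fmt.Println(uploadDigests([]string{"sha256", "sha512"}, strings.NewReader("demo")))
}
```

With the restricted list, no MD5 hasher is ever constructed, so no MD5 value reaches the API that would reject it.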