Tests fail in fips mode because of default hashing algorithm #66819

Closed
jkakavas opened this issue Dec 25, 2020 · 2 comments
Labels
:Security/FIPS Running ES in FIPS 140-2 mode Team:Security Meta label for security team >test-failure Triaged test failures from CI

@jkakavas
Member

Build scan:

https://gradle-enterprise.elastic.co/s/bdqsrnib6twrc/failure#1
Repro line:

Reproduces locally?: Aye

Applicable branches:
7.x, 7.11
Failure history:

Failure excerpt:

Testclusters fail to start because in `fips.gradle` we set `xpack.security.fips_mode.enabled: true`, but the default hashing algorithm in 7.x is `bcrypt`. This wasn't observed in master, as there we have changed the default algorithm to be `pbkdf2`.

We can solve this by setting the hashing algorithm in `fips.gradle` to be either `pbkdf2` or `pbkdf2_stretch`.

@jkakavas jkakavas added >test-failure Triaged test failures from CI :Security/Security Security issues without another label labels Dec 25, 2020
@elasticmachine elasticmachine added the Team:Security Meta label for security team label Dec 25, 2020
@elasticmachine
Collaborator

Pinging @elastic/es-security (Team:Security)

@tvernum tvernum self-assigned this Dec 29, 2020
@tvernum tvernum added :Security/FIPS Running ES in FIPS 140-2 mode and removed :Security/Security Security issues without another label labels Dec 29, 2020
tvernum added a commit to tvernum/elasticsearch that referenced this issue Dec 29, 2020
When running tests in FIPS mode, automatically set the password hasher
to pbkdf2_stretch rather than relying on the default (which is
bcrypt).

This is only relevant to the 7.x series, as this setting has a FIPS
specific default when run in FIPS mode on 8.0+

Resolves: elastic#66819
tvernum added a commit that referenced this issue Dec 29, 2020
Resolves: #66819
@tvernum
Contributor

tvernum commented Dec 29, 2020

Resolved in #66841

@tvernum tvernum closed this as completed Dec 29, 2020
tvernum added a commit to tvernum/elasticsearch that referenced this issue Dec 29, 2020
Resolves: elastic#66819
Backport of: elastic#66841
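
The mismatch discussed in this thread can be caught before a node or test cluster is started. The following is an added example, not code from the Elasticsearch project or from `fips.gradle`: a small pre-flight check over flat `key: value` settings. Assumptions: the function names and the branch-to-default table are hypothetical (defaults taken from the issue text), the hasher setting is `xpack.security.authc.password_hashing.algorithm`, and every PBKDF2 variant name starts with `pbkdf2`.

```python
# Pre-flight check for the FIPS-mode / password-hasher mismatch from this issue.
# Assumption: settings arrive as flat "key: value" lines (elasticsearch.yml style).
FIPS_KEY = "xpack.security.fips_mode.enabled"
HASH_KEY = "xpack.security.authc.password_hashing.algorithm"
# Defaults as stated in the issue: bcrypt on 7.x, pbkdf2 on master.
DEFAULT_HASHER = {"7.x": "bcrypt", "master": "pbkdf2"}

def parse_settings(text):
    """Parse flat 'key: value' lines, skipping blank lines and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a 'key: value' line: {raw!r}")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings

def effective_hasher(settings, branch):
    """Return (algorithm, explicitly_set) for the given branch."""
    if HASH_KEY in settings:
        return settings[HASH_KEY].lower(), True
    return DEFAULT_HASHER[branch], False

def fips_hasher_problem(settings, branch):
    """Return a message if FIPS mode is on with a non-PBKDF2 hasher, else None."""
    if settings.get(FIPS_KEY, "false").lower() != "true":
        return None
    algo, explicit = effective_hasher(settings, branch)
    # Assumption: all PBKDF2 variants are named with a "pbkdf2" prefix.
    if algo.startswith("pbkdf2"):
        return None
    origin = "explicitly set" if explicit else f"default on {branch}"
    return (f"{FIPS_KEY} is true but the password hasher is {algo} ({origin}); "
            f"set {HASH_KEY} to pbkdf2 or pbkdf2_stretch")

# Constructed sample inputs (not copied from fips.gradle).
BROKEN = "xpack.security.fips_mode.enabled: true\n"
FIXED = BROKEN + "xpack.security.authc.password_hashing.algorithm: pbkdf2_stretch\n"

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, fips_hasher_problem(parse_settings(text), "7.x") or "ok")
```

The check reports the 7.x case only when the hasher is left at its default, which is the condition that made the test clusters fail; the same settings pass on master.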