feat(security): add FIPS mode detection and replace non-FIPS crypto primitives#341
Draft
alexsander-souza wants to merge 1 commit into
Draft
feat(security): add FIPS mode detection and replace non-FIPS crypto primitives#341alexsander-souza wants to merge 1 commit into
alexsander-souza wants to merge 1 commit into
Conversation
Collaborator
|
Check where you would like a Mattermost message to be sent to when CI completes and this PR is merged
|
primitives Introduce maascommon.fips module with host FIPS mode detection via /proc/sys/crypto/fips_enabled, FIPS-approved SSH algorithm configs, and SSH key validation helpers. Replace Fernet (AES-CBC + HMAC-SHA256 construction) with AES-256-GCM for pre-shared key encryption in provisioningserver.security, as AES-GCM is directly FIPS 140-3 approved. Update all consumers (beaconing, RPC region/cluster services). Add FIPS policy enforcement for certificate key generation (reject DSA, enforce minimum RSA 2048-bit keys). Replace PostgreSQL md5() in BMC unique index with sha256() via Alembic migration, since md5() is blocked under FIPS mode. Mark non-security SHA-1 usages with usedforsecurity=False (API doc hashing, WebSocket accept, test factory) and remove MD5 password hasher from Django development settings when FIPS is active. Add FIPS structured-log event constants for consistent observability.
7f58721 to
16b7262
Compare
r00ta
reviewed
Jun 12, 2026
| "django.contrib.auth.hashers.PBKDF2PasswordHasher", | ||
| ) | ||
| PASSWORD_HASHERS = tuple( | ||
| h for h in _base_hashers if not (is_fips_enabled() and "MD5" in h) |
Contributor
There was a problem hiding this comment.
I assume we don't support moving an environment initialized without fips to an env with fips enabled. Correct?
| ) | ||
|
|
||
|
|
||
| def downgrade() -> None: |
Contributor
There was a problem hiding this comment.
no need, we don't support downgrading
| raise CertificateError( | ||
| f"RSA key size {key_bits} is below FIPS minimum of 2048 bits" | ||
| ) | ||
|
|
Contributor
There was a problem hiding this comment.
Do we need to validate other types or do we let them through without checks?
| backend=default_backend(), | ||
| ) | ||
| key = kdf.derive(secret) | ||
| key = urlsafe_b64encode(key) |
Contributor
There was a problem hiding this comment.
why key = urlsafe_b64encode(key) has been removed?
| token = fernet.encrypt(message) | ||
| nonce = os.urandom(12) | ||
| ts = int(time.time()).to_bytes(8, "big") | ||
| ciphertext = aesgcm.encrypt(nonce, message, ts) |
Contributor
There was a problem hiding this comment.
do you have performance tests around the new encryption vs the fernet one?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Introduce maascommon.fips module with host FIPS mode detection via /proc/sys/crypto/fips_enabled, FIPS-approved SSH algorithm configs, and SSH key validation helpers.
Replace Fernet (AES-CBC + HMAC-SHA256 construction) with AES-256-GCM for pre-shared key encryption in provisioningserver.security, as AES-GCM is directly FIPS 140-3 approved. Update all consumers (beaconing, RPC region/cluster services).
Add FIPS policy enforcement for certificate key generation (reject DSA, enforce minimum RSA 2048-bit keys).
Replace PostgreSQL md5() in BMC unique index with sha256() via Alembic migration, since md5() is blocked under FIPS mode.
Mark non-security SHA-1 usages with usedforsecurity=False (API doc hashing, WebSocket accept, test factory) and remove MD5 password hasher from Django development settings when FIPS is active.
Add FIPS structured-log event constants for consistent observability.