Theia should work on a FIPS-compliant system #8378

Closed
azatsarynnyy opened this issue Aug 13, 2020 · 0 comments · Fixed by #8379
Labels: security, Team: Che-Editors

Bug Description:

When running in a FIPS-compliant environment, Theia fails with:

...
2020-08-13 16:26:00.637 root ERROR Request getHostStoragePath failed with error: error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS Params: Error: error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS
    at new Hash (internal/crypto/hash.js:33:18)
    at Object.createHash (crypto.js:101:10)
    at PluginPathsServiceImpl.<anonymous> (/home/theia/node_modules/@theia/plugin-ext/lib/main/node/paths/plugin-paths-service.js:158:58)
    at step (/home/theia/node_modules/@theia/plugin-ext/lib/main/node/paths/plugin-paths-service.js:57:23)
    at Object.next (/home/theia/node_modules/@theia/plugin-ext/lib/main/node/paths/plugin-paths-service.js:38:53)
    at fulfilled (/home/theia/node_modules/@theia/plugin-ext/lib/main/node/paths/plugin-paths-service.js:29:58)
...

Frontend is loaded partially (screenshot not included).

Steps to Reproduce:

Run Theia in a FIPS-compliant environment.

Additional Information

  • Operating System: Red Hat Enterprise Linux 8.2
  • Theia Version: 1.4.0

FIPS (Federal Information Processing Standard) 140-2 ensures that cryptographic tools implement their algorithms properly.
When Linux is running in FIPS mode, it switches all the core crypto components to work with FIPS-approved algorithms only (e.g., AES, SHA2-256, RSA). All non-approved (weak) algorithms are blocked (e.g. MD5).

Eclipse Theia uses the Node.js crypto module, which is a wrapper for OpenSSL cryptographic functions. There are places in the code where both MD5 and SHA256 algorithms are used:

const sha256 = crypto.createHash('sha256');

return crypto.createHash('md5').update(rootsStr).digest('hex');

The use of MD5 is disallowed in any FIPS-compliant system, thus the Linux kernel (and OpenSSL) will not make it available when a system is running in FIPS mode.

Possible solution

To fix that, I propose replacing the weak MD5 with the FIPS-approved SHA256 algorithm.
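
An added example, not part of the original issue or of Theia's code: a Node.js check that flags `createHash` calls using a digest outside an allow-list, probes whether a digest is usable under the running OpenSSL, and shows the SHA-256 form of the MD5 call quoted above. The names `APPROVED`, `findNonApprovedDigests`, `digestAvailable`, `hashRoots` and `SAMPLE` are hypothetical, and the allow-list is an assumption limited to SHA-2 digests.

```javascript
const crypto = require('crypto');

// Assumed allow-list for this example: SHA-2 digests only.
const APPROVED = new Set(['sha256', 'sha384', 'sha512']);

// Report createHash('<alg>') calls whose string-literal digest is not allowed.
// Only literal arguments are seen; digests passed via variables are missed.
function findNonApprovedDigests(source) {
  const findings = [];
  const re = /createHash\(\s*(['"`])([\w-]+)\1/g;
  source.split('\n').forEach((text, i) => {
    for (const m of text.matchAll(re)) {
      const algorithm = m[2].toLowerCase();
      if (!APPROVED.has(algorithm)) findings.push({ line: i + 1, algorithm });
    }
  });
  return findings;
}

// Probe the running OpenSSL build. In FIPS mode createHash('md5') throws
// the "disabled for FIPS" error shown in the log instead of returning a Hash.
function digestAvailable(algorithm) {
  try {
    crypto.createHash(algorithm).update('probe').digest();
    return true;
  } catch (err) {
    return false;
  }
}

// SHA-256 form of the MD5 call quoted in the issue.
function hashRoots(rootsStr) {
  return crypto.createHash('sha256').update(rootsStr).digest('hex');
}

// Constructed sample: the two source lines quoted in the issue.
const SAMPLE = [
  "const sha256 = crypto.createHash('sha256');",
  "return crypto.createHash('md5').update(rootsStr).digest('hex');",
].join('\n');

console.log('FIPS mode enabled:', crypto.getFips());
console.log('md5 usable here:', digestAvailable('md5'));
console.log('findings:', findNonApprovedDigests(SAMPLE));
console.log('roots hash:', hashRoots('file:///home/theia/project'));
```

The SHA-256 hex digest is 64 characters where MD5 produced 32, so any path or key derived from the old value changes after the switch.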
