Skip to content

[Storage] Fix MD5 not work on FIPS enabled machine issue #5746

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Mar 30, 2018
Merged

[Storage] Fix MD5 not work on FIPS enabled machine issue #5746

merged 3 commits into from
Mar 30, 2018

Conversation

blueww
Copy link
Member

@blueww blueww commented Mar 15, 2018
edited
Loading

Description

Fix the issue #4807

The resolution:

  • At the begin of the related cmdlets, try call the MD5 caculate function, if the MD5 function report FIPS exception, set DMlib to use native MD5; else still use the orignal MD5 algrithm.

With this change:

  • we can get the issue resolved without adding new parameter, so script can be shared across machines without change
  • PowerShell by default will still use the orignal MD5 algrithm, so aligned with .net SDK (the MD5 check cost will be very low)
  • It don’t need big cmdlet framework change.

Checklist

praries880
praries880 suggested changes Mar 15, 2018
View reviewed changes
Copy link
Contributor

@praries880 praries880 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@blueww
Thanks for fixing the issue :)
The changes look good to me... but this is a scenario we would like to have tests for. Do kindly add tests for this.

@blueww
Copy link
Member Author

blueww commented Mar 16, 2018

@praries880

Currently, we don't have Unit test for E2E of Storage data plan cmdlets. But will cover it in another test framework.
As I know, @MiYanni might will add Unit test for it in the future.

So for this change, the test we can do is to check FIPSEnabled is disable on normal machine. But dur to the protect level, we can't access FIPSEnabled from test case. I can change FIPSEnabled to public to add a test. But it looks not proper to change an object from protected to public just for test.

So I think we can wait for @MiYanni to add the storage Unit test, then add test case for it.

@MiYanni
Copy link
Contributor

MiYanni commented Mar 16, 2018

@blueww I'm not involved in this situation/issue. What's going on?

@blueww
Copy link
Member Author

blueww commented Mar 19, 2018

@MiYanni
Don't worry. It's just I am asked to add Unit test for some Storage data plan cmdlets change. But we don't have E2E Storage Dataplan test in PowerShell Unit test now.
As I remember, Mark send you a mail to add Storage Data plan test based on a script before.
So this test should base on the test change that change.
I am not pushing you to add the test now. Just explain why we can't add test for this change now.

@cormacpayne
Copy link
Member

Sign job: https://azuresdkci.westus2.cloudapp.azure.com/job/ps-sign/265/

@praries880
Copy link
Contributor

@blueww Thanks for the explanation.
Since we cant create a test, would you mind testing the signed bits for your changes (found here https://azuresdkci.westus2.cloudapp.azure.com/job/ps-sign/265/artifact/src/Package/) and test the functionality on a machine where you can controll the FIPS setting?

praries880
praries880 previously approved these changes Mar 20, 2018
View reviewed changes
@praries880 praries880 assigned blueww and unassigned markcowl Mar 20, 2018
markcowl
markcowl requested changes Mar 21, 2018
View reviewed changes
src/Storage/Commands.Storage/Common/StorageCloudCmdletBase.cs Outdated
{
get
{
if (fIPSEnabled.HasValue)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

typo?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed, use fipsEnabled

src/Storage/Commands.Storage/Common/StorageCloudCmdletBase.cs Outdated
return false;
}
}
private static bool? fIPSEnabled = null;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

variable name should be fipsEnabled

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed, use fipsEnabled

src/Storage/Commands.Storage/Common/StorageCloudCmdletBase.cs Outdated
fIPSEnabled = true;
return true;
}
fIPSEnabled = false;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

vertical space

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

public static bool FipsEnabled {get;} = IsFIPSEnabled();

internal static bool ISFIPSEnabled()
{
                try
                {
                    System.Security.Cryptography.MD5.Create();
                    return false;
                }
              catch (System.Reflection.TargetInvocationException)
                {
                    return true;
                }
}

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can take advantage of the fact that the static initializer will run once to simploify the code - so we cans et the value and then use it later

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed as the code from you. Thanks!

src/Storage/Commands.Storage/File/Cmdlet/SetAzureStorageFileContent.cs Outdated
// if FIPS policy is enabled, must use native MD5
if (FIPSEnabled)
{
CloudStorageAccount.UseV1MD5 = false;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this the only cmdlet that would be impacted? Wouldn't every blob-related cmdlet need this setting?

Copy link
Member Author

@blueww blueww Mar 22, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only upload blob/file cmdlets need use MD5 function to calculate blob/file Property "ContentMD5". Other cmdlets don't use this function. So only need change cmdlets Set-AzureStorageBlob(File)Content

@blueww
Copy link
Member Author

blueww commented Mar 22, 2018

@markcowl

I have fixed the comments from you, please help to check. Change log is also added.
The on-demand test can be found in: https://azuresdkci.westus2.cloudapp.azure.com/job/powershell-demand/650/

markcowl
markcowl previously approved these changes Mar 30, 2018
View reviewed changes
@markcowl markcowl assigned blueww and unassigned markcowl Mar 30, 2018
@markcowl
Copy link
Member

on demand run here: https://azuresdkci.westus2.cloudapp.azure.com/view/PowerShell/job/powershell-demand/685/

@cormacpayne cormacpayne merged commit 815af56 into Azure:preview Mar 30, 2018
@MiYanni MiYanni mentioned this pull request Apr 2, 2018
Closed
@danielli90 danielli90 mentioned this pull request Feb 11, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@markcowl markcowl markcowl approved these changes

@praries880 praries880 praries880 left review comments

Assignees
No one assigned
Labels
Waiting for On Demand
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@blueww @MiYanni @cormacpayne @praries880 @markcowl @azuresdkci @vladimir-shcherbakov