aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

Make sure CFN Helper Scripts (cfn-init) are FIPS 140-2 compliant. #520

Open taylorb-syd opened 4 years ago

taylorb-syd commented 4 years ago

1. Title

AWS::CloudFormation::Init

2. Scope of request

AWS::CloudFormation::Init - Helper scripts FIPS compliance

3. Expected behaviour

When performing FIPS validation, the cfn-init and cfn-signal tools should pass FIPS validation and not use any non-FIPS-compliant algorithms or hashes.

4. Suggest specific test cases

  1. Start an instance in FIPS-compliant mode [1][2].
  2. Bootstrap using cfn-init testing common modules.
  3. Ensure this works without errors.

5. Helpful Links to speed up research and evaluation

[1] How RHEL 8 is designed for FIPS 140-2 requirements

[2] Enable FIPS 140-2 Mode on Amazon Linux 2

6. Category (required)

  1. Compute (EC2, ECS, EKS, Lambda...)

7. Any additional context (optional)

When using the cfn-init tool with FIPS 140-2 enabled you will get an error similar to:

error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

cfnbootstrap/util.py includes an MD5 hash check which doesn't work when FIPS is enabled, and there is no flag/option to disable the hash check or use a different validation method that is compatible with FIPS.

This error is likely due to using MD5 hash verification in the cfn-init tool which is disabled in a FIPS 140-2 enabled instance.

phene commented 4 years ago

👍 for fixing this.

benklop commented 4 years ago

Not actually disabled; the patch https://github.com/python/cpython/pull/16044/files#diff-04e8e8496549dc7aaaf50466bb5c87e6R84-R88 has been applied in FIPS-enabled Python. Modifying the function call to hashlib.md5() to add usedforsecurity=False, or possibly doing something like:

import hashlib

try:
  hashlib.md5(b"blah")
except ValueError:
  # FIPS-enabled builds raise ValueError for MD5; retry flagged as a non-security use
  hashlib.md5(b"blah", usedforsecurity=False)
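The following is an added example, not cfn-init's own code and not posted by any commenter. It shows the integrity check described in the issue (an MD5 hash of downloaded content that fails under FIPS mode) written so that it survives FIPS, using the usedforsecurity=False keyword benklop refers to, with a SHA-256 path as the FIPS-approved alternative the issue asks for a flag to select. The function names, the sample payload and the "algorithm" parameter are assumptions of this example; the expected digests are the standard test-vector values for b"abc".

```python
import hashlib
import hmac

# Constructed sample payload standing in for a file cfn-init would download
# and checksum; the expected digests are the well-known MD5 and SHA-256 of b"abc".
SAMPLE_DATA = b"abc"
SAMPLE_MD5 = "900150983cd24fb0d6963f7d28e17f72"
SAMPLE_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def md5_for_integrity(data: bytes) -> str:
    """MD5 hex digest for a non-security integrity check (added example).

    hashlib.md5(usedforsecurity=False) is the Python 3.9+ spelling (also
    present in the FIPS-patched interpreters the thread mentions); it tells a
    FIPS-mode OpenSSL that the digest is not a security use. An interpreter
    without that keyword raises TypeError, so fall back to a plain call,
    which under FIPS surfaces the ValueError the issue describes.
    """
    try:
        h = hashlib.md5(usedforsecurity=False)
    except TypeError:
        h = hashlib.md5()  # pre-3.9, unpatched: may raise ValueError under FIPS
    h.update(data)
    return h.hexdigest()


def verify_checksum(data: bytes, expected_hex: str, algorithm: str = "md5") -> bool:
    """Compare data against an expected digest using a constant-time comparison.

    "md5" goes through md5_for_integrity so it keeps working under FIPS;
    "sha256" is the FIPS-approved alternative a template option could select.
    The algorithm parameter is an assumption of this example, not a cfn-init option.
    """
    if algorithm == "md5":
        actual = md5_for_integrity(data)
    elif algorithm == "sha256":
        actual = hashlib.sha256(data).hexdigest()
    else:
        raise ValueError(f"unsupported checksum algorithm: {algorithm}")
    return hmac.compare_digest(actual, expected_hex.strip().lower())


if __name__ == "__main__":
    print("md5 ok:   ", verify_checksum(SAMPLE_DATA, SAMPLE_MD5, "md5"))
    print("sha256 ok:", verify_checksum(SAMPLE_DATA, SAMPLE_SHA256, "sha256"))
    print("tampered: ", verify_checksum(SAMPLE_DATA + b"x", SAMPLE_MD5, "md5"))
```

On a FIPS-mode host with an interpreter that predates the usedforsecurity keyword, md5_for_integrity still raises the ValueError behind the "disabled for fips" error in the issue; only the SHA-256 path works there, which is why a selectable algorithm rather than a hard-coded MD5 is the more robust fix.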