Bug 1064849

Summary: python-pymongo uses FIPS unsafe md5 function
Product: Red Hat Software Collections
Component: python-pymongo
Version: python33
Status: CLOSED WONTFIX
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: beta
Target Release: 2.0
Reporter: Robert Kuska <rkuska>
Assignee: Bohuslav "Slavek" Kabrda <bkabrda>
QA Contact: BaseOS QE - Apps <qe-baseos-apps>
CC: jberan
Doc Type: Bug Fix
Type: Bug
Clone Of: 1064844
Bug Depends On: 1064844
Last Closed: 2014-12-05 09:40:19 UTC

Description Robert Kuska 2014-02-13 12:18:10 UTC
+++ This bug was initially created as a clone of Bug #1064844 +++

PyMongo uses md5 hash for authentication and md5 is not safe to use while FIPS mode is on. Using PyMongo authentication will result in failures with FIPS mode.


From pymongo/auth.py:

try:
    import hashlib
    _MD5 = hashlib.md5
except ImportError: # for Python < 2.5
    import md5
    _MD5 = md5.new
....

def __password_digest(username, password):

....

    md5hash = _MD5()
    data = "%s:mongo:%s" % (username, password)
    md5hash.update(data.encode('utf-8'))
    return unicode(md5hash.hexdigest())

I do not recommend fixing this issue; changing the hash function to e.g. sha256 may result in a backward-incompatible change.

Comment 2 Bohuslav "Slavek" Kabrda 2014-12-05 09:40:19 UTC
This bug is here only for the purpose of documenting missing FIPS functionality, but as mentioned in the original report, this won't be fixed.
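
An added example (not PyMongo's code and not part of the original report or its comments) of a preflight check for the failure described in this bug: it probes whether hashlib will construct md5 on the current host and wraps the digest from the auth.py excerpt so a blocked md5 surfaces as a clear error. The names probe_hash, password_digest, DigestUnavailable, md5_factory and fips_blocked_md5 are hypothetical, and the code assumes a FIPS-enforcing Python build raises ValueError when md5 is requested.

```python
import hashlib


class DigestUnavailable(RuntimeError):
    """The digest the driver needs is blocked on this host."""


def probe_hash(name):
    """Return (usable, detail) for a hashlib algorithm on this host."""
    try:
        hashlib.new(name, b"probe")
    except ValueError as exc:
        # Assumption: a FIPS-enforcing build rejects the digest here.
        return False, str(exc)
    return True, "ok"


def password_digest(username, password, md5_factory=hashlib.md5):
    """md5 over "<username>:mongo:<password>", as in the excerpt above.

    md5_factory is a hypothetical hook added for this example so the
    blocked path can be exercised on a host where md5 still works.
    """
    data = ("%s:mongo:%s" % (username, password)).encode("utf-8")
    try:
        md5hash = md5_factory()
        md5hash.update(data)
    except ValueError as exc:
        raise DigestUnavailable("md5 rejected (FIPS mode?): %s" % exc) from exc
    return md5hash.hexdigest()


def fips_blocked_md5():
    """Constructed stand-in for hashlib.md5 on a FIPS-enforcing host."""
    raise ValueError("constructed error: md5 disabled for FIPS")


if __name__ == "__main__":
    for algo in ("md5", "sha256"):
        print(algo, probe_hash(algo))
    try:
        # Constructed credentials, for illustration only.
        print(password_digest("alice", "s3cret", md5_factory=fips_blocked_md5))
    except DigestUnavailable as exc:
        print("auth would fail:", exc)
```

Running probe_hash("md5") at deployment time shows whether authentication that depends on this digest can work on the host before any connection is attempted.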