Bug 1724745

Summary: With FIPS enabled python3 able to load non-compliant md5 crypto modules
Product: Red Hat Enterprise Linux 8
Reporter: Ryan Mullett <rmullett>
Component: python3
Assignee: Charalampos Stratakis <cstratak>
Status: CLOSED DUPLICATE
QA Contact: RHEL CS Apps Subsystem QE <rhel-cs-apps-subsystem-qe>
Severity: high
Priority: high
Version: 8.2
CC: hhorak, pviktori
Target Milestone: rc
Target Release: 8.0
Hardware: All
OS: Linux
Last Closed: 2019-08-13 13:12:47 UTC
Type: Bug
Bug Depends On: 1486212
Bug Blocks: 1734126

Description Ryan Mullett 2019-06-27 17:12:26 UTC
Description of problem:
When a system is FIPS enabled, python on RHEL 8 is still able to load non-FIPS-compliant modules (specifically md5 has been identified, but unsure about others that may be available).

Version-Release number of selected component (if applicable):
python36-3.6.8-2.module+el8.0.0+2975+e0f02136.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install a system with FIPS enabled or run the following:

[root@localhost ~]# fips-mode-setup --enable && reboot

2. Confirm system has FIPS mode enabled:

[root@localhost ~]# update-crypto-policies --show
FIPS

[root@localhost ~]# sysctl -a | grep fips
crypto.fips_enabled = 1

[root@localhost ~]# fips-mode-setup --check
FIPS mode is enabled.

3. Load up python3 and import md5 from hashlib and then attempt to access it.

[root@localhost ~]# python3
Python 3.6.8 (default, Jan 11 2019, 02:17:16) 
[GCC 8.2.1 20180905 (Red Hat 8.2.1-3)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from hashlib import md5
>>> print(md5("password".encode("utf-8")))
<_md5.md5 object at 0x7fe4d8c19570>

Actual results:
>>> print(md5("password".encode("utf-8")))
<_md5.md5 object at 0x7fe4d8c19570>

Expected results:
Previously, on RHEL 7 and earlier, we got the expected results:

>>> print(md5("password".encode("utf-8")))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips


Additional info:

Looks like the hashlib patch that provides FIPS compliance was removed initially because of an incompatibility with OpenSSL 1.1.0 and then we never restored it. Here's the relevant Fedora bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1486212
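
A check for the condition reported above, as an added example that is not part of the original report or of Red Hat's code: it reads the kernel FIPS flag and reports any listed digest constructor that still succeeds, along with the module that supplied the object (`_md5` in the report's output). The names `probe` and `audit` and the one-entry check list are assumptions made for illustration.

```python
import hashlib

# File behind the crypto.fips_enabled sysctl shown in step 2 of the report.
FIPS_FLAG = "/proc/sys/crypto/fips_enabled"


def kernel_fips_enabled(path=FIPS_FLAG):
    """True when the kernel reports FIPS mode; False if the flag is absent."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False


def probe(constructor, data=b"password"):
    """Try to build a digest; return (status, backend module or error text)."""
    try:
        obj = constructor(data)
    except ValueError as exc:
        # The RHEL 7 behaviour quoted in the report: "disabled for fips".
        return "blocked", str(exc)
    # The report's output shows "_md5" here, i.e. which module built the object.
    return "allowed", type(obj).__module__


def audit(fips_on, constructors):
    """List digests from `constructors` that are still usable in FIPS mode."""
    findings = []
    for name, ctor in sorted(constructors.items()):
        status, detail = probe(ctor)
        if fips_on and status == "allowed":
            findings.append(f"{name}: usable in FIPS mode (backend {detail})")
    return findings


if __name__ == "__main__":
    # Assumed check list: md5 is the only digest the report names.
    results = audit(kernel_fips_enabled(), {"md5": hashlib.md5})
    for line in results:
        print("FAIL", line)
    raise SystemExit(1 if results else 0)
```

Run as a script, it exits non-zero only when FIPS mode is on and a listed digest can still be constructed, so it can serve as a post-install or CI compliance check.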

Comment 5 Petr Viktorin (pviktori) 2019-08-13 13:12:47 UTC
We're handling FIPS mode in bug #1731424

*** This bug has been marked as a duplicate of bug 1731424 ***