Bug 1749346
| Summary: | rpmbuild -bc krb5.spec failed in FIPS (python-sphinx - ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS) | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Filip Dvorak <fdvorak> |
| Component: | python-sphinx | Assignee: | Charalampos Stratakis <cstratak> |
| Status: | CLOSED ERRATA | QA Contact: | Dita Stehlikova <dstehlik> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.1 | CC: | cstratak, dstehlik, fdvorak, pviktori, rharwood |
| Target Milestone: | rc | Keywords: | Reopened, Reproducer |
| Target Release: | 8.0 | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | python-sphinx-1.7.6-2.el8 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-05-18 16:28:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
What is the use case of building an rpm in FIPS mode? sphinx uses md5 in various locations and md5 is forbidden in FIPS (unless a specific workaround is used) so it seems that things are working the intended way.

I wanted to use it in the following test: TC#574625 FIPS: /CoreOS/krb5/Sanity/sanity-test-of-cipher-suites but I was talking with my colleagues and I think that it is possible to build a package in normal mode and then I can change mode to FIPS. Now I think that we can close this bug.

MD5 is forbidden for cryptographic use. The use of MD5 for docs building is far from cryptographic, and moreover, completely arbitrary on sphinx's part.
The function it bails out on is this:
```python
from hashlib import md5

from six import text_type  # Sphinx 1.7 still supports Python 2, hence six
from typing import Any  # only referenced by the type comment below


def get_stable_hash(obj):
    # type: (Any) -> unicode
    """
    Return a stable hash for a Python data structure. We can't just use
    the md5 of str(obj) since for example dictionary items are enumerated
    in unpredictable order due to hash randomization in newer Pythons.
    """
    if isinstance(obj, dict):
        return get_stable_hash(list(obj.items()))
    elif isinstance(obj, (list, tuple)):
        obj = sorted(get_stable_hash(o) for o in obj)
    # This md5() call is what OpenSSL refuses to initialise in FIPS mode
    return md5(text_type(obj).encode('utf8')).hexdigest()
```
So... not only is it non-cryptographic, but it could be almost any other hash. sha2 would work. Or, to avoid confusion entirely, you could use siphash. Or any number of other things. Or set the flag that it's not FIPS-related in openssl.
(Reopening because today I needed to build krb5 on my FIPS machine to test FIPS-specific patches, and cannot do so.)
Do you need Sphinx to test FIPS-specific patches? Can you build krb5 without the docs? Or build in a regular build environment instead of FIPS?
> Or set the flag that it's not FIPS-related in openssl.
The usedforsecurity argument was added to Python 3.9; it'll take a few years before projects like Sphinx can use it. And I don't think this is worth patching downstream.
> Can you build krb5 without the docs?

By "docs" here we mean man pages. At the point where I'm patching my build to not make man pages, I think it's about equivalent effort to just locally patch my sphinx. Sure, I can work around your package being weirdly stubborn about this. But now you're up to two people who wanted to be able to do this - and that's just for this package in particular. It adds up.

> The usedforsecurity argument was added to Python 3.9; it'll take a few years before projects like Sphinx can use it.

So just use a different hash then. The code just indicates it needs to be stable.

> And I don't think this is worth patching downstream.

I do. Here's a patch: https://src.osci.redhat.com/rpms/python-sphinx/pull-request/1

Upstream sphinx is open to suggestions related to FIPS mode, e.g. check out https://github.com/sphinx-doc/sphinx/issues/7611

OK, let's try pushing it into 8.4. For QA, the reproducer is building krb5 under FIPS mode.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (python-sphinx bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1964
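The two remedies raised in the thread (use a different, FIPS-approved hash since the code only needs stability; or, on Python 3.9+, keep MD5 but mark it with usedforsecurity=False) are shown below as an added example. This is not Sphinx's code and not the linked downstream patch; the names sha256_digest, md5_nonsecurity_digest, get_stable_hash and demo, and the sample data, are this example's own assumptions. The hashing walk deliberately mirrors the shape of the Sphinx helper quoted above so the output stays independent of dict insertion order and hash randomization.

```python
"""Stable, FIPS-tolerant hash for nested Python data (added example, not Sphinx code)."""
import hashlib
from typing import Any, Callable

# A digest constructor: bytes -> hash object with .hexdigest()
Digest = Callable[[bytes], Any]


def sha256_digest(data: bytes) -> Any:
    """FIPS-approved digest: initialises under FIPS on every Python/OpenSSL combination."""
    return hashlib.sha256(data)


def md5_nonsecurity_digest(data: bytes) -> Any:
    """Keep MD5 but tell OpenSSL it is not used for security (usedforsecurity, Python 3.9+).

    On interpreters older than 3.9 the keyword does not exist and raises TypeError;
    fall back to SHA-256 so callers still get a stable digest instead of a crash.
    """
    try:
        return hashlib.md5(data, usedforsecurity=False)
    except TypeError:  # Python < 3.9: no usedforsecurity keyword
        return hashlib.sha256(data)


def get_stable_hash(obj: Any, digest: Digest = sha256_digest) -> str:
    """Stable hash of a nested structure, same traversal as the Sphinx helper.

    Dict items become a list of (key, value) tuples; every list/tuple is replaced
    by the sorted list of its elements' stable hashes, so ordering differences
    (insertion order, hash randomization) never reach the final digest.
    """
    if isinstance(obj, dict):
        return get_stable_hash(list(obj.items()), digest)
    if isinstance(obj, (list, tuple)):
        obj = sorted(get_stable_hash(o, digest) for o in obj)
    return digest(str(obj).encode("utf8")).hexdigest()


def demo() -> dict:
    """Constructed sample input (hypothetical Sphinx-like config) exercising both digests."""
    a = {"project": "krb5", "version": "1.17", "tags": ["fips", "docs"]}
    b = {"tags": ["docs", "fips"], "version": "1.17", "project": "krb5"}  # same content, other order
    c = dict(a, version="1.18")  # one value changed
    return {
        "same_order_independent": get_stable_hash(a) == get_stable_hash(b),
        "differs_on_change": get_stable_hash(a) != get_stable_hash(c),
        "md5_variant_stable": get_stable_hash(a, md5_nonsecurity_digest)
        == get_stable_hash(b, md5_nonsecurity_digest),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")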
Description of problem:
The command rpmbuild -bc krb5.spec failed in FIPS mode on RHEL-8.1 because of an exception in python-sphinx

Version-Release number of selected component (if applicable):
RHEL-8.1.0-20190821.0
krb5-1.17-8.el8
python3-sphinx-1.7.6-1.el8

How reproducible:
Always

Steps to Reproduce:
1. enable FIPS mode on RHEL-8.1 machine with buildroot repo
2. dnf builddep krb5-*.src.rpm
3. rpmbuild -bc /root/rpmbuild/SPECS/krb5.spec

Actual results:
```text
Exception occurred:
  File "/usr/lib/python3.6/site-packages/sphinx/builders/html.py", line 90, in get_stable_hash
    return md5(text_type(obj).encode('utf8')).hexdigest()
ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS
The full traceback has been saved in /tmp/sphinx-err-78iz6csi.log, if you want to report the issue to the developers.
Please also report this if it was a user error, so that a better error message can be provided next time.
A bug report can be filed in the tracker at <https://github.com/sphinx-doc/sphinx/issues>. Thanks!
error: Bad exit status from /var/tmp/rpm-tmp.bJPseI (%build)
```

Expected results:
rpmbuild -bc /root/rpmbuild/SPECS/krb5.spec should finish successfully