Bug 1811170

Summary: Python 3.6 not fully patched for FIPS
Product: Red Hat Enterprise Linux 8 Reporter: David Davis <daviddavis>
Component: python3Assignee: Python Maintainers <python-maint>
Status: CLOSED WORKSFORME QA Contact: RHEL CS Apps Subsystem QE <rhel-cs-apps-subsystem-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.2CC: bcotton, jwboyer, rchan
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-14 16:53:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Davis 2020-03-06 18:40:01 UTC 
I'm on CentOS 7.8 with python3-3.6.8-12.el7.x86_64 which was patched for FIPS (see https://bugzilla.redhat.com/show_bug.cgi?id=1732908). However, I can still call md5 in python3:

>>> import hashlib
>>> m = hashlib.new("md5")
>>> m.update(b"This is a test")
>>> m.digest()
b'\xce\x11NE\x01\xd2\xf4\xe2\xdc\xea>\x17\xb5F\xf39'
Comment 1 David Davis 2020-03-06 18:43:32 UTC 
Sorry, my box is actually CentOS 7.5 but the package version is correct.

I can confirm that FIPS is enabled on the box:

$ cat /proc/sys/crypto/fips_enabled
1

And python3 does seem to somewhat work as expected:

$ python3
>>> import hashlib
>>> m = hashlib.md5()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips