Bug 2055209
| Summary: | python-cryptography does not detect 3DES is blocked in FIPS mode | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Christian Heimes <cheimes> | |
| Component: | python-cryptography | Assignee: | Christian Heimes <cheimes> | |
| Status: | CLOSED ERRATA | QA Contact: | Kaleem <ksiddiqu> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 9.0 | CC: | lmiksik, ssidhaye, sumenon | |
| Target Milestone: | rc | Flags: | pm-rhel:
mirror+
|
|
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | python-cryptography-36.0.1-1.el9_0 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2062815 (view as bug list) | Environment: | ||
| Last Closed: | 2022-05-17 13:45:50 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 2054785, 2059630 | |||
| Bug Blocks: | 2062815 | |||
A possible fix is to remove TripleDES from _fips_ciphers after #2054785 has been fixed. https://github.com/pyca/cryptography/blob/cc80cb35d7067fa793eb37c557f312df3173f19d/src/cryptography/hazmat/backends/openssl/backend.py#L150 Upstream has agreed to solve the problem in upstream and mark 3DES as unsupported in FIPS mode. I have created upstream PR https://github.com/pyca/cryptography/pull/6879 Verifying using the latest RHEL 9.0 nightly repos [root@ci-vm-10-0-137-195 ~]# rpm -qa python3-cryptography python3-cryptography-36.0.1-1.el9_0.x86_64 [root@ci-vm-10-0-137-195 ~]# python3 Python 3.9.10 (main, Feb 9 2022, 00:00:00) [GCC 11.2.1 20220127 (Red Hat 11.2.1-9)] on linux Type "help", "copyright", "credits" or "license" for more information. >>> from cryptography.hazmat.backends.openssl import backend >>> backend._is_fips_enabled() True >>> from cryptography.hazmat.primitives.ciphers import algorithms, modes >>> backend.cipher_supported(algorithms.TripleDES(b"\x00" * 8), modes.CBC(b"\x00" * 8)) False >>> [root@ci-vm-10-0-137-195 ~]# sysctl crypto.fips_enabled crypto.fips_enabled = 1 [root@ci-vm-10-0-137-195 ~]# Based on above results marking bugzilla verified. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (new packages: python-cryptography), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:2580 |
Description of problem: Since RHBZ#2026445 OpenSSL 3.0.1 blocks 3DES (TripleDES, TDEA) in FIPS mode. PyCA cryptography is not aware that 3DES is blocked and fails wth an internal error Version-Release number of selected component (if applicable): openssl-3.0.1-5.el9 python3-cryptography-3.4.7-6.el9 How reproducible: always Steps to Reproduce: from cryptography.hazmat.primitives import cmac from cryptography.hazmat.primitives.ciphers import algorithms import os key = os.urandom(16) cmac.CMAC(algorithms.TripleDES(key)) Actual results: File "cm.py", line 5, in <module> cmac.CMAC(algorithms.TripleDES(key)) File "/usr/lib64/python3.9/site-packages/cryptography/hazmat/primitives/cmac.py", line 34, in __init__ self._ctx = self._backend.create_cmac_ctx(self._algorithm) File "/usr/lib64/python3.9/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 894, in create_cmac_ctx return _CMACContext(self, algorithm) File "/usr/lib64/python3.9/site-packages/cryptography/hazmat/backends/openssl/cmac.py", line 48, in __init__ self._backend.openssl_assert(res == 1) File "/usr/lib64/python3.9/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 242, in openssl_assert return binding._openssl_assert(self._lib, ok, errors=errors) File "/usr/lib64/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 77, in _openssl_assert raise InternalError( cryptography.exceptions.InternalError: Unknown OpenSSL error. This error is commonly encountered when another library is not cleaning up the OpenSSL error stack. If you are using cryptography with another library that uses OpenSSL try disabling it before reporting a bug. Otherwise please file an issue at https://github.com/pyca/cryptography/issues with information on how to reproduce this. ([_OpenSSLErrorWithText(code=50856204, lib=6, reason=524556, reason_text=b'error:0308010C:digital envelope routines::unsupported')]) Expected results: cryptography.exceptions.UnsupportedAlgorithm: This backend does not support CMAC. Additional info: 3DES is disabled by patch https://gitlab.com/redhat/centos-stream/rpms/openssl/-/blob/c9s/0045-FIPS-services-minimize.patch NIST SP 800-131A rev 2 (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf) lists TDEA encryption (aka TripleDES) as disallowed / disallowed after 2023.