Bug 2059630

Summary: [Rebase] Rebase python-cryptography to 36.0.1 for OpenSSL 3.0 FIPS support
Product: Red Hat Enterprise Linux 9
Reporter: Christian Heimes <cheimes>
Component: python-cryptography
Assignee: Christian Heimes <cheimes>
Status: CLOSED ERRATA
QA Contact: Kaleem <ksiddiqu>
Severity: unspecified
Priority: unspecified
Version: 9.0
CC: abokovoy, alee, dsavinea, ftrivino, jamarsha, jsnitsel, jwboyer, myusuf, pcahyna, pvlasin, ssidhaye, torsava, wpoteat
Target Milestone: rc
Keywords: Rebase, Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: python-cryptography-36.0.1-1.el9_0
Doc Type: If docs needed, set a value
Clone Of:
: 2060787
Last Closed: 2022-05-17 13:45:50 UTC
Type: Component Upgrade
Bug Blocks: 2054785, 2055209, 2060343, 2060787

Description Christian Heimes 2022-03-01 15:06:24 UTC
Description of problem:
I would like to request a rebase of python-cryptography to 36.0.1 in order to provide compatibility with OpenSSL 3.0 in FIPS mode. I'm aware that my request comes very late in the RHEL 9 release cycle. My request is motivated by the fact that the rebase of our OpenSSL package to 3.0.1 and our downstream FIPS patches have revealed several issues with our build of python-cryptography.

As of today, RHEL 9 contains python-cryptography 3.4.7 + a largish patch set for OpenSSL 3.0.0 compatibility. The upstream release 3.4.7 does not have full OpenSSL 3.0.0 compatibility. The patchset contains necessary backports from the 35.0 and 36.0 releases to make python-cryptography fully OpenSSL 3.0.0 compatible in non-FIPS mode.

However, the patchset is not sufficient to use python-cryptography in FIPS mode. OpenSSL 3.0's FIPS mode works differently than OpenSSL 1.1.1. FIPS 140-3 also blocks more algorithms than 140-2. On top of that, C9S and RHEL 9 builds of OpenSSL 3.0 block additional algorithms like 3DES and DSA. An attempt to identify and backport all necessary FIPS changes from 36.0 to 3.4 turned out to be complicated and fragile. Upstream has changed and reworked the code and their test suite a lot between 3.4 and 36.0.

Additional info:
Upstream changelog: https://cryptography.io/en/latest/changelog/
Note: Upstream changed its version scheme. The next major version after 3.4.7 was 35.0.

Comment 2 Christian Heimes 2022-03-01 15:43:39 UTC
The Gitlab draft PR https://gitlab.com/redhat/centos-stream/rpms/python-cryptography/-/merge_requests/8 contains a rebase to 36.0 (36.0.1) with three additional patches to work around failing 3DES, DSA, and error code check tests. The build is passing all upstream integration tests with openssl-3.0.1-5.el9 on a RHEL 9 1minutetip host in FIPS mode (1minutetip --fips).

A scratch build is available at https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=1021498

Comment 22 Sumedh Sidhaye 2022-03-14 10:14:21 UTC
[root@server ~]#  rpm -q --changelog python3-cryptography
* Fri Mar 04 2022 Christian Heimes <cheimes> - 36.0.1-6
- Rebase to 36.0.1, related: rhbz#2059630, rhbz#2060787
- OpenSSL 3.0 FIPS mode is now detected correctly, related: rhbz#2054785
- Fix error check from EVP_PKEY_CTX_set_signature_md, related: rhbz#2060343
- Block 3DES in FIPS mode, related: rhbz#2055209
- Disable DSA tests in FIPS mode
- Enable SHA1 signatures in test suite
- Fix serialization of keyusage ext with no bits
- Re-enable tests that are passing again

...

[root@server ~]#  rpm -qa python3-cryptography
python3-cryptography-36.0.1-1.el9_0.x86_64
[root@server ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 9.0 Beta (Plow)

Comment 24 errata-xmlrpc 2022-05-17 13:45:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: python-cryptography), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2580