Bug 2152741

Summary: suds Reader classes break when FIPS is enabled [ Rhel 9]
Product: Red Hat Enterprise Linux 9 Reporter: Joshua Baker <jobaker>
Component: python-sudsAssignee: Jeff Ortel <jortel>
Status: NEW --- QA Contact: cluster-qe <cluster-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.2   
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Joshua Baker 2022-12-12 22:07:26 UTC 
Description of problem:

suds Reader.mangle() invokes hashlib.md5. md5 is not FIPS-compliant and is thus disabled when FIPS is enabled.

As a result, the fence_vmware_soap fence agent for High Availability clusters is broken when FIPS is enabled. This is one of our most commonly used fence agents, and it relies on suds. There is no known workaround, as suds does not allow a client to disable mangling or choose a different mangling method. Further, for many users of fence_vmware_soap, there is no other viable fence agent for their environment.

It is crucial that we get a fix for this. Otherwise, it will render High Availability clustering unusable in many VMware environments where FIPS is enabled on the guest OS.


Version-Release number of selected component (if applicable):
Python "suds" module available in "fence-agents-common" for Rhel 9:

# rpm -q fence-agents-common
fence-agents-common-4.10.0-20.el9_0.2.noarch


How reproducible:
1. Enable FIPS mode.
2. Open a python3 interpreter and run:

Steps to Reproduce:
[root@clustera-rhel9 ~]# python3
Python 3.9.10 (main, Feb  9 2022, 00:00:00)
[GCC 11.2.1 20220127 (Red Hat 11.2.1-9)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import sys
>>> sys.path.insert(0, '/usr/lib/fence-agents/support/common')
>>> from suds.options import Options
>>> from suds.wsdl import Definitions
>>> from suds.reader import DefinitionsReader
>>> reader = DefinitionsReader(Options(), Definitions)


Actual results:

>>> reader.open('https://www.example.com')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/fence-agents/support/common/suds/reader.py", line 101, in open
    id = self.mangle(url, "wsdl")
  File "/usr/lib/fence-agents/support/common/suds/reader.py", line 61, in mangle
    h = md5(name.encode()).hexdigest()
ValueError: [digital envelope routines] unsupported


Expected results:

No "disabled for FIPS" exception. There will be a different exception if you use incorrect options like I did, or it should succeed if you use valid options.


Additional info:

This issue was corrected in Rhel 8 with the below bugs:

    1921920 – suds Reader classes break when FIPS is enabled
    https://bugzilla.redhat.com/show_bug.cgi?id=1921920

    2059753 – suds Reader classes break when FIPS is enabled [rhel-8.5.0.z]
    https://bugzilla.redhat.com/show_bug.cgi?id=2059753

    2059752 – suds Reader classes break when FIPS is enabled [rhel-8.4.0.z]
    https://bugzilla.redhat.com/show_bug.cgi?id=2059752

The below fix does not appear to be available in RHEL 9:

  - Use usedforsecurity=False for md5() calls to make suds work on FIPS enabled systems by oalbrigt · Pull Request #72 · suds-community/suds 
    https://github.com/suds-community/suds/pull/72/commits/9bdefdaeb1238f0bbed2a0d36215717990e13949

Do not see that patch in our version of suds:

    # rpm -q fence-agents-common
    fence-agents-common-4.10.0-30.el9_1.1.noarch

    # grep "usedforsecurity" /usr/lib/fence-agents/support/common/suds/reader.py
    # echo $? 
    1

We are running the unpatched version:

    # grep md5 /usr/lib/fence-agents/support/common/suds/reader.py
      from hashlib import md5
      # 'md5' package in older Python versions.
      from md5 import md5
          h = md5(name.encode()).hexdigest()