Bug 1724745 - With FIPS enabled python3 able to load non-compliant md5 crypto modules
Keywords:
Status: CLOSED DUPLICATE of bug 1731424
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: python3
Version: 8.2
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: 8.0
Assignee: Charalampos Stratakis
QA Contact: RHEL CS Apps Subsystem QE
URL:
Whiteboard:
Depends On: 1486212
Blocks: 1734126
Reported: 2019-06-27 17:12 UTC by Ryan Mullett
Modified: 2019-08-13 13:12 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1734126 (view as bug list)
Environment:
Last Closed: 2019-08-13 13:12:47 UTC
Type: Bug
Target Upstream Version:

Links
System | ID | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 1486212 | unspecified | CLOSED | Restore hashlib FIPS patch | 2020-10-14 00:28:05 UTC

Description Ryan Mullett 2019-06-27 17:12:26 UTC
Description of problem:
When a system is FIPS-enabled, python on RHEL 8 is still able to load non-FIPS-compliant modules (specifically md5 has been identified, but unsure about others that may be available).

Version-Release number of selected component (if applicable):
python36-3.6.8-2.module+el8.0.0+2975+e0f02136.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install a system with FIPS enabled or run the following:

[root@localhost ~]# fips-mode-setup --enable && reboot

2. Confirm system has FIPS mode enabled:

[root@localhost ~]# update-crypto-policies --show
FIPS

[root@localhost ~]# sysctl -a | grep fips
crypto.fips_enabled = 1

[root@localhost ~]# fips-mode-setup --check
FIPS mode is enabled.

3. Load up python3 and import md5 from hashlib and then attempt to access it.

[root@localhost ~]# python3
Python 3.6.8 (default, Jan 11 2019, 02:17:16) 
[GCC 8.2.1 20180905 (Red Hat 8.2.1-3)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from hashlib import md5
>>> print(md5("password".encode("utf-8")))
<_md5.md5 object at 0x7fe4d8c19570>

Actual results:
>>> print(md5("password".encode("utf-8")))
<_md5.md5 object at 0x7fe4d8c19570>

Expected results:
Previously, on RHEL 7 and earlier, we get the expected results:

>>> print(md5("password".encode("utf-8")))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips


Additional info:

Looks like the hashlib patch that provides fips compliance was removed initially because of an incompatibility with openssl 1.1.0 and then we never restored it. Here's the relevant Fedora bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1486212
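
A compliance check for the condition reported above, as an added example that is not part of the original report or of Red Hat's code: it reads the kernel FIPS flag and flags the case where hashlib still hands out a working md5 object. The function names, the choice of sha256 as a control digest, and the injectable `factories` argument are assumptions of this example.

```python
import hashlib

# /proc path is the file behind the crypto.fips_enabled sysctl shown above.
FIPS_FLAG = "/proc/sys/crypto/fips_enabled"
NON_APPROVED = ("md5",)    # the digest named in this report
APPROVED = ("sha256",)     # control digest; choosing it is an assumption of this example


def kernel_fips_enabled(path=FIPS_FLAG):
    """True if the kernel reports FIPS mode; False if not, or if unreadable."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False


def usable(name, factory=None):
    """Hash a probe value with `name`; an enforcing hashlib raises ValueError."""
    factory = factory or getattr(hashlib, name, None)
    if factory is None:
        return False
    try:
        factory(b"probe").hexdigest()
        return True
    except ValueError:
        return False


def audit(fips_enabled, factories=None):
    """Return findings; an empty list means no mismatch was detected."""
    factories = factories or {}
    findings = []
    if not fips_enabled:
        return findings  # nothing to enforce outside FIPS mode
    for name in NON_APPROVED:
        if usable(name, factories.get(name)):
            findings.append(f"{name}: usable although FIPS mode is enabled")
    for name in APPROVED:
        if not usable(name, factories.get(name)):
            findings.append(f"{name}: approved digest unavailable")
    return findings


if __name__ == "__main__":
    result = audit(kernel_fips_enabled())
    print("\n".join(result) or "no findings")
```

On a host in the state this report describes, the script prints the md5 finding; on a host where hashlib enforces FIPS, md5 raises ValueError and nothing is reported.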

Comment 5 Petr Viktorin 2019-08-13 13:12:47 UTC
We're handling FIPS mode in bug #1731424

*** This bug has been marked as a duplicate of bug 1731424 ***

