Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1835169

Summary: Python's _Py_KeyedHash() uses non-FIPS compliant MAC
Product: Red Hat Enterprise Linux 9 Reporter: Christian Heimes <cheimes>
Component: python3.9Assignee: Python Maintainers <python-maint>
Status: CLOSED ERRATA QA Contact: Lukáš Zachar <lzachar>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.0CC: cstratak, hhorak, pviktori, torsava, vstinner
Target Milestone: pre-dev-freezeKeywords: Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: python3.9-3.9.10-1.el9 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-17 15:36:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1942527    
Bug Blocks:    

Description Christian Heimes 2020-05-13 09:57:17 UTC 
Description of problem:
Python 3.7 introduced a new way to validate .pyc bytecode files [1]. PYC files can either contain the last modification timestamp of their .py code or a keyed hash (MAC) of the .py file.

The hash and mac algorithm behind _imp.source_hash() and _Py_KeyedHash() is hard-coded to sip24, which is not FIPS compliant.

Version-Release number of selected component (if applicable):
3.7, 3.8, 3.9-alpha

How reproducible:
always

Additional info:
[1] https://docs.python.org/3.9/reference/import.html#pyc-invalidation
[2] https://github.com/python/cpython/blob/f453221c8b80e0570066a9375337f208d50e6406/Python/pyhash.c#L421-L425
Comment 1 Honza Horak 2020-08-07 13:41:04 UTC 
Thanks for the report. I'm wondering whether having this reported for RHEL-9 only does not make it less visible or ignored.. FYI Tomas, do you think it needs to be cloned for Fedora or RHEL8 (for upcoming python39 module) or it is ok this way?
Comment 2 Tomas Orsava 2020-08-07 13:51:17 UTC 
(In reply to Honza Horak from comment #1)
> Thanks for the report. I'm wondering whether having this reported for RHEL-9
> only does not make it less visible or ignored.. FYI Tomas, do you think it
> needs to be cloned for Fedora or RHEL8 (for upcoming python39 module) or it
> is ok this way?

I've already added this (and a query for RHEL9 bugs in general) to the agenda of our next RHEL bugs triage (the coming Wednesday) so we can assess the impact elsewhere as well.
Nevertheless, thanks for the ping, better be safe than sorry.
Comment 3 Petr Viktorin (pviktori) 2020-08-12 12:28:55 UTC 
The simple, and IMO reasonable, fix is to disable that validation mode (under FIPS only).
Comment 4 Victor Stinner 2020-09-09 12:19:54 UTC 
I understand that there are two choices to make Python FIPS compliant:

* Use the file modification rather than a hash of the content for pyc files, especially to *create* pyc files (PEP 552): see SourceLoader.get_code() in Lib/importlib/_bootstrap_external.py
* Use a different hash algorithm: see _imp.source_hash() and _Py_KeyedHash()

I'm not sure if it's possible to detect when Python is running in FIPS mode, and only change the behavior in this case.
Comment 6 Petr Viktorin (pviktori) 2020-10-07 13:29:05 UTC 
Christian, we'll do a downstream patch, unless you put this into upstream -- you're probably the best person to push these changes in CPython.
Comment 7 Petr Viktorin (pviktori) 2021-08-25 12:07:50 UTC 
FIPS support in OpenSSL 3.0 is blocking us; moving to RHEL 9 GA.
Comment 17 errata-xmlrpc 2022-05-17 15:36:22 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: python3.9), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3899