hashlib.md5() on FIPS compliant systems

[NavidSassan]

which is used in base, causing:

File "/usr/lib64/nagios/plugins/disk-io", line 283,
    in main() File "/usr/lib64/nagios/plugins/disk-io", line 138,
    in main lib.base2.coe(lib.db_sqlite2.create_index(conn, 'name'))

File "/usr/lib64/nagios/plugins/lib/db_sqlite2.py", line 109,
    in create_index index_name = 'idx_{}'.format(base2.md5sum(table + column_list))

File "/usr/lib64/nagios/plugins/lib/base2.py", line 641,
    in md5sum return hashlib.md5(string).hexdigest() ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

redhat implemented a usedforsecurity=False parameter, which was also integrated into python >= 3.9 (see https://bugzilla.redhat.com/show_bug.cgi?id=1744670).

this could be implemented as a fallback. the other question is, how do we handle this if usedforsecurity is not available.

can be replicated on a system according to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations (the 'After the System Installation'-steps are enough).

[NavidSassan]

mentioned in issue support#1550

[NavidSassan]

In GitLab by @sandrolf on Nov 3, 2021, 09:21

python2 and python3

[NavidSassan]

attempted solution:

diff --git a/base2.py b/base2.py
index ac4a164..21205c1 100644
--- a/base2.py
+++ b/base2.py
@@ -638,7 +638,18 @@ def match_range(value, spec):


 def md5sum(string):
-    return hashlib.md5(string).hexdigest()
+    try:
+        return hashlib.md5(string).hexdigest()
+    except ValueError as e:
+        if 'disabled for fips' in e.message:
+            try:
+                # this only works for python >= 3.9, or if usedforsecurity was backported
+                return hashlib.md5(string, usedforsecurity=False).hexdigest()
+            except:
+                # TODO: provide an alternative
+                raise e
+        else:
+            raise


 def mltext2array(input, skip_header=False, sort_key=-1):
diff --git a/base3.py b/base3.py
index f6c080a..cb19e81 100644
--- a/base3.py
+++ b/base3.py
@@ -23,6 +23,7 @@ import operator
 import os
 import re
 import shlex
+import ssl # this is required by the workaround in the md5sum() method
 import subprocess
 import sys
 import time
@@ -634,7 +635,18 @@ def match_range(value, spec):


 def md5sum(string):
-    return hashlib.md5(string.encode('utf-8')).hexdigest()
+    try:
+        return hashlib.md5(string.encode('utf-8')).hexdigest()
+    except ValueError as e:
+        if 'disabled for fips' in e.message:
+            try:
+                # this only works for python >= 3.9, or if usedforsecurity was backported
+                return hashlib.md5(string.encode('utf-8'), usedforsecurity=False).hexdigest()
+            except:
+                # TODO: provide an alternative
+                raise e
+        else:
+            raise


 def mltext2array(input, skip_header=False, sort_key=-1):

[NavidSassan]

In GitLab by @markuslf on Nov 3, 2021, 09:49

# TODO: provide an alternative is important because of Python 2.7 on CentOS 7 and Python 3.6 on CentOS 8. ;-)

[NavidSassan]

In GitLab by @markuslf on Nov 9, 2021, 11:36

FIPS disables some algorithms, for example md5() - even if it is just used to build a hash. So we replaced md5() by sha1().

[NavidSassan]

In GitLab by @markuslf on Nov 9, 2021, 11:38

mentioned in commit 1552d8e

[NavidSassan]

In GitLab by @markuslf on Nov 9, 2021, 11:38

mentioned in commit 928284d

[NavidSassan]

mentioned in commit 4538120