Description
Context
Python compiled for FIPS (built with FIPS-compatible openssl) does not allow the use of the md5 algorithm. Typically, md5 is completely disabled by a custom patch to Python to prevent the usage of md5 for FIPS compliance, as Python may fall back to its own md5 implementation if openssl does not provide one, which is true for FIPS.
The import of md5 from the hashlib module is problematic because urllib is widely used in Python, such as when installing pip, and this completely breaks down when FIPS mode is enabled.
https://github.com/urllib3/urllib3/blob/main/src/urllib3/util/ssl_.py
$ python3 -m ensurepip --upgrade --default-pip
...
File "/tmp/tmp052h8i17/pip-24.0-py3-none-any.whl/pip/_vendor/requests/__init__.py", line 43, in <module>
File "/tmp/tmp052h8i17/pip-24.0-py3-none-any.whl/pip/_vendor/urllib3/__init__.py", line 13, in <module>
File "/tmp/tmp052h8i17/pip-24.0-py3-none-any.whl/pip/_vendor/urllib3/connectionpool.py", line 12, in <module>
File "/tmp/tmp052h8i17/pip-24.0-py3-none-any.whl/pip/_vendor/urllib3/connection.py", line 15, in <module>
File "/tmp/tmp052h8i17/pip-24.0-py3-none-any.whl/pip/_vendor/urllib3/util/__init__.py", line 8, in <module>
File "/tmp/tmp052h8i17/pip-24.0-py3-none-any.whl/pip/_vendor/urllib3/util/ssl_.py", line 8, in <module>
ImportError: cannot import name 'md5' from 'hashlib' (/opt/python-fips/lib/python3.12/hashlib.py)
Traceback (most recent call last):
File "<frozen runpy>", line 198, in _run_module_as_main
File "<frozen runpy>", line 88, in _run_code
File "/opt/python-fips/lib/python3.12/ensurepip/__main__.py", line 5, in <module>
sys.exit(ensurepip._main())
^^^^^^^^^^^^^^^^^
File "/opt/python-fips/lib/python3.12/ensurepip/__init__.py", line 284, in _main
return _bootstrap(
^^^^^^^^^^^
File "/opt/python-fips/lib/python3.12/ensurepip/__init__.py", line 200, in _bootstrap
return _run_pip([*args, *_PACKAGE_NAMES], additional_paths)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/python-fips/lib/python3.12/ensurepip/__init__.py", line 101, in _run_pip
return subprocess.run(cmd, check=True).returncode
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/python-fips/lib/python3.12/subprocess.py", line 571, in run
raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['/usr/local/bin/python3', '-W', 'ignore::DeprecationWarning', '-c', '\nimport runpy\nimport sys\nsys.path = [\'/tmp/tmp052h8i17/pip-24.0-py3-none-any.whl\'] + sys.path\nsys.argv[1:] = [\'install\', \'--no-cache-dir\', \'--no-index\', \'--find-links\', \'/tmp/tmp052h8i17\', \'--upgrade\', \'pip\']\n
As a result, the urllib module is unusable with Python compiled for FIPS.
Would it be possible to provide a way to get around this problem, given that in such an environment I would like to disable the usage of md5?
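One way a library can tolerate a hashlib that lacks md5, as an added example that is not urllib3's code and not part of the original report: look each digest up at run time instead of importing it by name when the module loads. The length-to-algorithm table, `fips_like_hashlib`, and the other function names are assumptions made for this illustration.

```python
import hashlib
import hmac
from binascii import unhexlify
from types import SimpleNamespace

# Hex-digest length -> algorithm name (mapping assumed for this example).
CANDIDATES = {32: "md5", 40: "sha1", 64: "sha256"}


def fips_like_hashlib(md5_raises=False):
    """Constructed stand-in for hashlib on a FIPS build (not a real module)."""
    fake = SimpleNamespace(sha1=hashlib.sha1, sha256=hashlib.sha256)
    if md5_raises:
        def md5(data=b""):
            raise ValueError("disabled for FIPS")  # constructed message
        fake.md5 = md5
    return fake


def build_hashfunc_map(module=hashlib, candidates=CANDIDATES):
    """Return {hex_length: constructor} for digests this interpreter provides."""
    usable = {}
    for length, name in candidates.items():
        ctor = getattr(module, name, None)  # attribute may be absent entirely
        if ctor is None:
            continue
        try:
            ctor(b"")  # present but blocked digests raise ValueError
        except ValueError:
            continue
        usable[length] = ctor
    return usable


def verify_fingerprint(cert_der, fingerprint, hashfunc_map):
    """Compare a certificate digest with a pinned hex fingerprint."""
    fingerprint = fingerprint.replace(":", "").lower()
    ctor = hashfunc_map.get(len(fingerprint))
    if ctor is None:
        raise ValueError("no usable digest for fingerprint of length %d"
                         % len(fingerprint))
    actual = ctor(cert_der).digest()
    return hmac.compare_digest(actual, unhexlify(fingerprint))
```

With this shape, importing the module never fails on a build without md5; only a caller who pins an md5-length fingerprint gets an error, and that error names the cause.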