Cryptographic tweaks in python/python3 in rawhide (F17)

David Malcolm dmalcolm at redhat.com
Wed Sep 14 21:15:33 UTC 2011


Summary: most users shouldn't see any differences, but rawhide's python
should now better support OpenSSL FIPS mode, as of python-2.7.2-14.fc17
and python3-3.2.2-5.fc17 onwards.

Long version:
I've just built some tweaks to python's cryptographic code in rawhide,
aimed at making it play better with FIPS mode.  It's actually a forward
port of some code that's been in RHEL 6's python 2.6 since RHEL 6.0
(where it was rhbz#563986).

The idea is that in high-security environments, it's possible to set
site-wide configuration to deny the use of known insecure cryptographic
algorithms.

The main example here is MD5.  MD5 is past its "use-by date", and should
not be used for security purposes.  See e.g.:
  http://www.kb.cert.org/vuls/id/836068

In the past, the Fedora build of the python 2 standard library has
contained the following modules:

  Pure python modules:

    * hashlib (implemented in terms of _hashlib)
    * md5 (implemented in terms of _hashlib, falling back to _md5)
    * sha (implemented in terms of _hashlib, falling back to _sha256,
      _sha512, _sha as appropriate)

  C module wrapping OpenSSL:

    * _hashlib

  Modules with pure C implementations of certain crypto hash algorithms:
    * _md5
    * _sha256
    * _sha512
    * _sha

As of python-2.7.2-14.fc17, I've dropped the final four modules above;
instead, all crypto code within our build of python's stdlib is
implemented in terms of _hashlib, and thus OpenSSL.

Similarly python3-3.2.2-5.fc17 drops the final four modules.

There is a slight risk that this will break any code that uses "_md5"
etc directly, but such code shouldn't be using those modules: they
should use the analogous API entrypoints in either md5/sha or hashlib
instead.  (Potentially this could lead to hardware acceleration of the
hash computation).

I've also fixed things so that the remaining modules do the right thing
in FIPS mode.

In the past, if you ran python with OPENSSL_FORCE_FIPS_MODE=1 in the
environment, the _hashlib module would segfault when used with a broken
crypto hash algorithm.  I've now fixed this so that an exception will be
raised when using bad algorithms:

In normal mode:
  $ python -c "import hashlib; m = hashlib.md5(); m.update('abc'); print m.hexdigest()"
  900150983cd24fb0d6963f7d28e17f72

In FIPS mode:
  $ OPENSSL_FORCE_FIPS_MODE=1 python -c "import hashlib; m = hashlib.md5(); m.update('abc'); print m.hexdigest()"
  Traceback (most recent call last):
    File "<string>", line 1, in <module>
  ValueError: error:060800A0:digital envelope routines:EVP_DigestInit_ex:unknown cipher
(previously, this case would segfault)

[Note that you may need to turn off prelinking, and undo any prelinking
that may have occurred for FIPS mode to work: sudo prelink -u --all ]

If you're using FIPS mode but have some legacy non-security purpose for
MD5 (e.g. hash buckets for optimization, not security), I've added a
non-standard optional keyword argument: usedforsecurity=True, which you
can override to False to mark a callsite as non-security sensitive, and
thus keep using MD5 at audited callsites:

  $ OPENSSL_FORCE_FIPS_MODE=1 python -c "import hashlib; m = hashlib.md5(usedforsecurity=False); m.update('abc'); print m.hexdigest()"
  900150983cd24fb0d6963f7d28e17f72

I've sent a version of this upstream for Python 3 as
http://bugs.python.org/issue9216

Hope the above makes sense (and that I didn't break anything)
Dave
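
Added example, not part of the original message or of the Fedora patch: a small Python 3 wrapper around the usedforsecurity pattern described above, covering a non-security hash-bucket callsite and a probe of which algorithms the current OpenSSL policy accepts for security use. The helper names (new_hash, usable_for_security, audit, bucket_for) are hypothetical, and it assumes an interpreter that accepts the keyword (upstream Python 3.9 and later, or a patched build as described in the message).

```python
import hashlib


def new_hash(name, data=b"", security=True):
    """Create a hash object, marking the callsite as security-relevant or not."""
    try:
        return hashlib.new(name, data, usedforsecurity=security)
    except TypeError:
        # Assumption: an interpreter that rejects the keyword cannot mark
        # the callsite, so the site-wide policy applies unchanged.
        return hashlib.new(name, data)


def usable_for_security(name):
    """True if the current crypto policy allows `name` for security use.

    A ValueError is what the message describes for a denied algorithm
    (instead of the old segfault); an unknown name raises it as well.
    """
    try:
        new_hash(name, b"", security=True)
        return True
    except ValueError:
        return False


def audit(names):
    """Map each algorithm name to whether it is allowed for security use."""
    return {name: usable_for_security(name) for name in names}


def bucket_for(key, n_buckets):
    """Non-security use of MD5: spread byte-string keys over hash buckets.

    This is the audited callsite that opts out with usedforsecurity=False.
    """
    digest = new_hash("md5", key, security=False).hexdigest()
    return int(digest, 16) % n_buckets


if __name__ == "__main__":
    # Run once normally and once under FIPS mode to compare the results.
    for name, ok in sorted(audit(["md5", "sha1", "sha256", "sha512"]).items()):
        print("%-8s %s" % (name, "allowed" if ok else "denied for security use"))
    print("bucket for b'abc' of 16:", bucket_for(b"abc", 16))
```
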