hashlib.md5(...) throws server error in FIPS enabled systems #167

Closed
jonlev1n opened this issue Aug 2, 2022 · 7 comments

jonlev1n commented Aug 2, 2022

I have the admin interface installed on my application, which is running on a FIPS-enabled system. The system then complains about the md5 implementation (see trace below). I have a workaround for now, manually adding the usedforsecurity=False kwarg on line 83, but this is not ideal since my normal method of monkey patching the module does not seem to be working.

Anyone else run into this issue? Can this be addressed in the code, or has anyone figured out a valid method for patching?

```
.
.
.
  File "/opt/python/run/venv/lib/python3.9/site-packages/django/template/base.py", line 842, in resolve
    value = self._resolve_lookup(context)
  File "/opt/python/run/venv/lib/python3.9/site-packages/django/template/base.py", line 909, in _resolve_lookup
    current = current()
  File "/opt/python/run/venv/lib/python3.9/site-packages/django/template/loader_tags.py", line 79, in super
        # ImproperlyConfigured - must include i18n urls:
        # urlpatterns += [url(r'^i18n/', include('django.conf.urls.i18n')),]
        return None
    request = context.get("request", None)
    if not request:
        return None
    full_path = request.get_full_path()
    return mark_safe(self.render(self.context))
  File "/opt/python/run/venv/lib/python3.9/site-packages/django/template/loader_tags.py", line 63, in render
    result = block.nodelist.render(context)
  File "/opt/python/run/venv/lib/python3.9/site-packages/django/template/base.py", line 1000, in render
    return SafeString("".join([node.render_annotated(context) for node in self]))
  File "/opt/python/run/venv/lib/python3.9/site-packages/django/template/base.py", line 1000, in <listcomp>
    return SafeString("".join([node.render_annotated(context) for node in self]))
  File "/opt/python/run/venv/lib/python3.9/site-packages/django/template/base.py", line 958, in render_annotated
    return self.render(context)
  File "/opt/python/run/venv/lib/python3.9/site-packages/django/template/library.py", line 239, in render
    output = self.func(*resolved_args, **resolved_kwargs)
  File "/opt/python/run/venv/lib/python3.9/site-packages/admin_interface/templatetags/admin_interface_tags.py", line 90, in get_admin_interface_nocache
    return hash_string(__version__)
  File "/opt/python/run/venv/lib/python3.9/site-packages/admin_interface/templatetags/admin_interface_tags.py", line 83, in hash_string
    hash_object = hashlib.md5(text.encode())
ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for fips
```

merwok commented Aug 2, 2022

The usedforsecurity parameter is intended for this kind of use case; it should be easy to add it (Python 3.9+).
Or change the hash algo to be sha224 or something allowed by FIPS!


jonlev1n commented Aug 2, 2022

Agreed. Created PR #168 which is identical to my local changes.

@jonlev1n jonlev1n closed this as completed Aug 2, 2022

merwok commented Aug 2, 2022

You should keep the issue open for discussion!

I checked the readme and this project supports older versions than 3.9, so the parameter can’t be used unconditionally.


jonlev1n commented Aug 2, 2022

Ah, I see. I wouldn't call myself a Python expert here so I guess I just got lucky with the version I'm using. I'll reopen just in case anyone runs into the same issue as me and comes here looking.

One possibility would be to wrap in a try/except in the PR, or as you suggested to use a different hashing algorithm.

If I'm understanding the source correctly, the offending function is just called from @simple_tag decorator, which is only supposed to return text... So, (in theory?) the hash used should not matter. I'm not sure which is the preferable implementation here, though.

@jonlev1n jonlev1n reopened this Aug 2, 2022

fabiocaccamo commented Aug 3, 2022

@jonlev1n thanks for reporting this and for the PR.

As you can see from the PR status checks, the CI fails due to the unsupported usedforsecurity argument:

TypeError: openssl_md5() takes no keyword arguments

In this case, considering that the usedforsecurity option has been introduced only in Python 3.9, I think the best/only backward-compatible solution is to change the hash algorithm (as pointed out by @merwok).

@fabiocaccamo fabiocaccamo self-assigned this Aug 3, 2022
@fabiocaccamo fabiocaccamo added the bug Something isn't working label Aug 3, 2022

jonlev1n commented Aug 3, 2022

@fabiocaccamo No problem. I originally made the PR without realizing that argument was not available. I updated the PR just a few minutes ago using sha224(...) in place of md5(...) - I will be interested to see that that passes the CI tests. I updated in place on my staging system which seems to be working ok, though I realize that is not worth much other than a quick sanity check.

Thanks again to @merwok for pointing the underlying issue out.

@fabiocaccamo
Owner

@jonlev1n thank you very much for the PR, you can upgrade to 0.19.2 version.
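
The two fixes weighed in this thread, the try/except around `usedforsecurity` and the switch to `sha224`, compared as an added example that is not the project's code or part of any comment. `fips_md5`, `legacy_md5`, `legacy_fips_md5`, `md5_try_except` and `survives` are hypothetical names, the stand-in constructors are constructed to reproduce the two errors quoted above, and the body of `hash_string` is an assumption about the SHA-224 variant.

```python
import hashlib

FIPS_ERROR = "[digital envelope routines: EVP_DigestInit_ex] disabled for fips"

# Constructed stand-ins for the md5 behaviours reported in this thread, so the
# example runs on any host. They return a SHA-256 object as a placeholder digest.
def fips_md5(data=b"", *, usedforsecurity=True):
    """Python 3.9+ on a FIPS host: refused unless flagged as non-security."""
    if usedforsecurity:
        raise ValueError(FIPS_ERROR)
    return hashlib.sha256(data)

def legacy_md5(data=b"", **kwargs):
    """Python < 3.9: the constructor takes no keyword arguments."""
    if kwargs:
        raise TypeError("openssl_md5() takes no keyword arguments")
    return hashlib.sha256(data)

def legacy_fips_md5(data=b"", **kwargs):
    """Python < 3.9 on a FIPS host: no flag to pass, and md5 is refused."""
    legacy_md5(data, **kwargs)  # raises TypeError if the flag is supplied
    raise ValueError(FIPS_ERROR)

def md5_try_except(text, md5=hashlib.md5):
    """The try/except option: prefer the flag, retry without it on TypeError."""
    data = text.encode()
    try:
        return md5(data, usedforsecurity=False).hexdigest()
    except TypeError:
        return md5(data).hexdigest()  # still raises ValueError under FIPS

def hash_string(text):
    """The algorithm-swap option: one code path on every interpreter and host."""
    return hashlib.sha224(text.encode()).hexdigest()

def survives(md5):
    """True if the try/except option yields a token with this constructor."""
    try:
        md5_try_except("x.y.z", md5)  # constructed version string
        return True
    except ValueError:
        return False
```

The try/except variant covers a flagged FIPS build and an older interpreter separately, but not the combination of the two, which is the case the SHA-224 swap removes.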
