I am trying to build a version of Python which is FIPS compliant, i.e does not let a user use a cryptographic algorithm which has not been approved by FIPS like MD5.
For this, I built a version of Openssl-3 using the enable-fips flag which will ensure that the fips provider is generated and I have updated my openssl.cnf file to use the FIPS provider. Here is my openssl.cnf file:
openssl_conf = openssl_init
.include /usr/local/openssl/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
base = base_sect
[base_sect]
activate = 1
This works like a charm and I am not able to calculate the MD5 digest using openssl binary whereas I am able to calculate SHA1 which is FIPS validated:
./openssl MD5 openssl
Error setting digest
C020A0E9FB7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (MD5 : 102), Properties ()
C020A0E9FB7F0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:crypto/evp/digest.c:252:
./openssl SHA1 openssl
SHA1(openssl)= 2c9d99744d2fdc0ae12ca31829126d68f2792977
I built Python with this version of Openssl-3:
./python
Python 3.8.14 (default, Oct 19 2022, 18:13:27)
[GCC 7.3.1 20180712 (Red Hat 7.3.1-15)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 3.0.5 5 Jul 2022'
I am reading the documentation for hashlib: hashlib — Secure hashes and message digests — Python 3.12.1 documentation and found this:
Constructors for hash algorithms that are always present in this module are
sha1()
,sha224()
,sha256()
,sha384()
,sha512()
,blake2b()
.md5()
is normally available as well, though it may be missing or blocked if you are using a rare “FIPS compliant” build of Python.
I assumed that building with Openssl-3 using the FIPS provider in the openss.cnf file is equivalent to using a FIPS compliant
build of python where I will not be allowed to use algorithms that are not FIPS valdiated. But I am able to calculate the digest using MD5
algorithm:
>>> ssl.OPENSSL_VERSION
'OpenSSL 3.0.5 5 Jul 2022'
>>> import hashlib
>>> m = hashlib.md5()
>>> m.update(b"hello")
>>> m.digest()
b']A@*\xbcK*v\xb9q\x9d\x91\x10\x17\xc5\x92'
I tried searching online but cannot find the directions to building a FIPS compliant version of Python. Can I please get some help with this?