I am trying to build a version of Python which is FIPS compliant, i.e. does not let a user use a cryptographic algorithm which has not been approved by FIPS, like MD5.
For this, I built a version of OpenSSL 3 using the `enable-fips` flag, which ensures that the FIPS provider is generated, and I have updated my openssl.cnf file to use the FIPS provider. Here is my openssl.cnf file:

```
openssl_conf = openssl_init
.include /usr/local/openssl/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1
```
This works like a charm: I am not able to calculate the MD5 digest using the openssl binary, whereas I am able to calculate SHA1, which is FIPS validated:

```
./openssl MD5 openssl
Error setting digest
C020A0E9FB7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (MD5 : 102), Properties ()
C020A0E9FB7F0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:crypto/evp/digest.c:252:

./openssl SHA1 openssl
SHA1(openssl)= 2c9d99744d2fdc0ae12ca31829126d68f2792977
```
I built Python with this version of OpenSSL 3:

```
./python
Python 3.8.14 (default, Oct 19 2022, 18:13:27)
[GCC 7.3.1 20180712 (Red Hat 7.3.1-15)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 3.0.5 5 Jul 2022'
```
I am reading the documentation for hashlib ("hashlib — Secure hashes and message digests — Python 3.10.8 documentation") and found this:

> Constructors for hash algorithms that are always present in this module are
>
> md5() is normally available as well, though it may be missing or blocked if you are using a rare “FIPS compliant” build of Python.
I assumed that building with OpenSSL 3 using the FIPS provider in the openssl.cnf file is equivalent to using a FIPS compliant build of Python, where I will not be allowed to use algorithms that are not FIPS validated. But I am able to calculate the digest using:

```
>>> ssl.OPENSSL_VERSION
'OpenSSL 3.0.5 5 Jul 2022'
>>> import hashlib
>>> m = hashlib.md5()
>>> m.update(b"hello")
>>> m.digest()
b']A@*\xbcK*v\xb9q\x9d\x91\x10\x17\xc5\x92'
```
I tried searching online but cannot find the directions to building a FIPS compliant version of Python. Can I please get some help with this?
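The behaviour in the question comes from hashlib binding each name to OpenSSL's constructor only when a test call succeeds, and otherwise substituting CPython's builtin `_md5`/`_sha*` modules, which the FIPS provider cannot see. The script below, an added example that is not part of the question, reports which backend serves each algorithm and wraps the OpenSSL binding so that a refused algorithm fails loudly; it assumes CPython's private `_hashlib` module is importable, and the algorithm list is a constructed sample, not an approval list.

```python
"""Show which backend actually serves each hashlib algorithm, and wrap the
OpenSSL binding so a refused algorithm raises instead of falling back.

Added example, not code from the question. Relies on CPython's private
_hashlib module (the OpenSSL binding behind hashlib).
"""
import hashlib
import _hashlib  # CPython's OpenSSL binding; absent only if Python was built without OpenSSL

SAMPLE_ALGORITHMS = ("md5", "sha1", "sha256", "sha512")  # constructed sample


def backend_of(name):
    """Return 'openssl' when hashlib.<name> is OpenSSL's constructor, else 'builtin'.

    hashlib binds each name to _hashlib.openssl_<name> only if a probe call
    succeeds; when the loaded providers refuse the digest (as MD5 is refused
    under a FIPS-only configuration), hashlib can quietly substitute the
    builtin _md5/_sha* module, which is what the question observed.
    """
    ctor = getattr(hashlib, name)
    return "openssl" if ctor is getattr(_hashlib, "openssl_" + name, None) else "builtin"


def backend_report():
    """Map each sample algorithm to the backend hashlib actually uses."""
    return {name: backend_of(name) for name in SAMPLE_ALGORITHMS}


def openssl_only_new(name, data=b""):
    """Construct a hash strictly through OpenSSL, never the builtin fallback.

    With only the fips and base providers loaded this raises ValueError for
    non-approved algorithms, the behaviour the question expected from hashlib.md5().
    """
    return _hashlib.new(name, data)


def md5_hex_or_none(data):
    """MD5 via OpenSSL only; None signals that the active providers refused it."""
    try:
        return openssl_only_new("md5", data).hexdigest()
    except ValueError:
        return None


if __name__ == "__main__":
    for name, backend in backend_report().items():
        print(f"{name:8s} served by {backend}")
    print("md5 via openssl:", md5_hex_or_none(b"hello"))
```

On a standard build every sample algorithm reports `openssl` and the MD5 call succeeds; under the FIPS-only configuration from the question, `md5` reports `builtin` while `openssl_only_new("md5")` raises.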