Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

ipython does not work with python compiled with openssl in fips mode. #10615

Closed
srinathgs opened this Issue May 30, 2017 · 6 comments

Comments

Projects
None yet
5 participants
Contributor

srinathgs commented May 30, 2017

in fips mode, md5 is disabled. hence, ipython fails with

    hash_digest = hashlib.md5(code.encode("utf-8")).hexdigest()
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

this error.

A fix is changing md5 to sha256 in IPython/core/compilerop.py in this line. I can raise a pull request if the change looks fine.

Owner

takluyver commented May 30, 2017

Sounds OK to me, go ahead and make a PR :-)

Owner

ivanov commented May 30, 2017

As best I can tell, sha1 is supported in FIPS mode, if that's true, let's use that, instead. We're not using this for a cryptographically secure purpose, and sha256 is a bit slower, and generates a much longer string, most of which we will throw away, anyway - since we take only the first 12 characters.

Also, although it is used in a deprecated function, for now, md5 is also imported in IPython/utils/path.py. I created a bug to remove it for some future first time contributor.

Owner

Carreau commented May 30, 2017 edited

Why not "Just" hex(abs(hash("""this is a string """))) if it's not cryptographically secure ?

Edit: (abs because python can give you a negative hex number prefixed with -)

Owner

takluyver commented May 31, 2017

hex(abs(hash())) may give you a shorter string if hash() happens to return a number close to 0. That may not be a problem, but it might mean that e.g. regexes looking for 12 hex characters don't work.

Owner

Carreau commented May 31, 2017

Ad, but we can pad to 12 with 0s then.

@srinathgs srinathgs added a commit to srinathgs/ipython that referenced this issue Jul 12, 2017

@srinathgs srinathgs Make IPython work with OpenSSL in FIPS mode #10615
`md5` is not supported with OpenSSL in FIPS mode, hence moving `md5` to `sha1`
93aa9ad
Contributor

srinathgs commented Jul 12, 2017

@ivanov: I somehow missed this thread because of the whole hoard of notifications from my github subscriptions.

I just verified sha1 is available in FIPS mode, I have created a PR which changes md5 to sha1. Thanks.

minrk added this to the 5.5 milestone Jul 12, 2017

takluyver closed this in #10696 Jul 13, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment