id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
28401	Allow hashlib.md5() calls to work with FIPS kernels	Andrew DiPrinzio	Ade Lee	"Specifically, every use of hashlib.md5() is an issue for FIPS kernels which lack openssl support for md5. However, at least on RHEL and CentOS, hashlib.new() supports the usedforsecurity=False flag that allows you to bypass the FIPS prohibition on md5. Many of the cases in which the md5 function is used qualify as non-security uses since it is used mainly to truncate values. Of course the md5 auth backends would constitute a security usage and should not include usedforsecurity=False and thus should fail on FIPS systems.

Therefore I propose that we add the usedforsecurity=False flag where warranted, with handling in case some versions of Python do not support this flag. (I tested Python 2.7 on OSX and it errors when the usedforsecurity flag is set.) If everyone thinks this is a good plan I will go ahead and make a PR.

List of all usages of hashlib.md5
[https://github.com/django/django/search?q=hashlib.md5&type=Code&utf8=%E2%9C%93]

django-developers thread 
[https://groups.google.com/forum/#!msg/django-developers/dlUIPzQgnpM/Mtl7CQbPAQAJ]
django-users thread
[https://groups.google.com/forum/#!topic/django-users/THJdhaKo-ng]

Example stack trace:

{{{
Operations to perform:
  Apply all migrations: admin, auth, contenttypes, dashboard, kombu_transport_django, sessions
Running migrations:
  Applying contenttypes.0001_initial...Traceback (most recent call last):
  File ""manage.py"", line 10, in <module>
    execute_from_command_line(sys.argv)
  File ""/usr/lib64/python2.7/site-packages/django/core/management/__init__.py"", line 367, in execute_from_command_line
    utility.execute()
  File ""/usr/lib64/python2.7/site-packages/django/core/management/__init__.py"", line 359, in execute
    self.fetch_command(subcommand).run_from_argv(self.argv)
  File ""/usr/lib64/python2.7/site-packages/django/core/management/base.py"", line 294, in run_from_argv
    self.execute(*args, **cmd_options)
  File ""/usr/lib64/python2.7/site-packages/django/core/management/base.py"", line 345, in execute
    output = self.handle(*args, **options)
  File ""/usr/lib64/python2.7/site-packages/django/core/management/commands/migrate.py"", line 204, in handle
    fake_initial=fake_initial,
  File ""/usr/lib64/python2.7/site-packages/django/db/migrations/executor.py"", line 115, in migrate
    state = self._migrate_all_forwards(state, plan, full_plan, fake=fake, fake_initial=fake_initial)
  File ""/usr/lib64/python2.7/site-packages/django/db/migrations/executor.py"", line 145, in _migrate_all_forwards
    state = self.apply_migration(state, migration, fake=fake, fake_initial=fake_initial)
  File ""/usr/lib64/python2.7/site-packages/django/db/migrations/executor.py"", line 244, in apply_migration
    state = migration.apply(state, schema_editor)
  File ""/usr/lib64/python2.7/site-packages/django/db/migrations/migration.py"", line 129, in apply
    operation.database_forwards(self.app_label, schema_editor, old_state, project_state)
  File ""/usr/lib64/python2.7/site-packages/django/db/migrations/operations/models.py"", line 532, in database_forwards
    getattr(new_model._meta, self.option_name, set()),
  File ""/usr/lib64/python2.7/site-packages/django/db/backends/base/schema.py"", line 333, in alter_unique_together
    self.execute(self._create_unique_sql(model, columns))
  File ""/usr/lib64/python2.7/site-packages/django/db/backends/base/schema.py"", line 913, in _create_unique_sql
    ""name"": self.quote_name(self._create_index_name(model, columns, suffix=""_uniq"")),
  File ""/usr/lib64/python2.7/site-packages/django/db/backends/base/schema.py"", line 819, in _create_index_name
    index_unique_name = '_%s' % self._digest(table_name, *column_names)
  File ""/usr/lib64/python2.7/site-packages/django/db/backends/base/schema.py"", line 123, in _digest
    h = hashlib.md5()
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
}}}


"	Cleanup/optimization	closed	Core (Other)	dev	Normal	fixed	FIPS, md5, python3.9		Ready for checkin	1	0	0	0	0	0
