
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips #1005

Closed
kamal2222ahmed opened this issue Sep 26, 2018 · 4 comments

I am trying to use s3cmd on CentOS 7.5, and it works fine with `$ s3cmd ls s3://alpha-team-share/chefprod`

but when uploading:

```
s3cmd put backup_chef_2018-09-26-133542.tar.gz s3://alpha-team-share/chefprod

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
An unexpected error has occurred.
Please try reproducing the error using
the latest s3cmd code from the git master
branch found at:
https://github.com/s3tools/s3cmd
and have a look at the known issues list:
https://github.com/s3tools/s3cmd/wiki/Common-known-issues-and-their-solutions
If the error persists, please report the
following lines (removing any private
info as necessary) to:
s3tools-bugs@lists.sourceforge.net

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Invoked as: /bin/s3cmd put backup_chef_2018-09-26-133542.tar.gz s3://alpha-team-share/chefprod
Problem: ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
S3cmd: 2.0.2
python: 2.7.5 (default, May 31 2018, 09:41:32)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]
environment LANG=en_US.UTF-8

Traceback (most recent call last):
  File "/bin/s3cmd", line 3092, in <module>
    rc = main()
  File "/bin/s3cmd", line 3001, in main
    rc = cmd_func(args)
  File "/bin/s3cmd", line 369, in cmd_object_put
    local_list, single_file_local, exclude_list, total_size_local = fetch_local_list(args, is_src = True)
  File "/usr/lib/python2.7/site-packages/S3/FileLists.py", line 352, in fetch_local_list
    total_size = _fetch_local_list_info(local_list)
  File "/usr/lib/python2.7/site-packages/S3/FileLists.py", line 231, in _fetch_local_list_info
    md5 = loc_list.get_md5(relative_file) # this does the file I/O
  File "/usr/lib/python2.7/site-packages/S3/FileDict.py", line 48, in get_md5
    md5 = Utils.hash_file_md5(self[relative_file]['full_name'])
  File "/usr/lib/python2.7/site-packages/S3/Utils.py", line 260, in hash_file_md5
    h = md5()
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
An unexpected error has occurred.
Please try reproducing the error using
the latest s3cmd code from the git master
branch found at:
https://github.com/s3tools/s3cmd
and have a look at the known issues list:
https://github.com/s3tools/s3cmd/wiki/Common-known-issues-and-their-solutions
If the error persists, please report the
above lines (removing any private
info as necessary) to:
s3tools-bugs@lists.sourceforge.net
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
```

I tried with disabling md5, same error:

```
s3cmd put backup_chef_2018-09-26-133542.tar.gz --no-check-md5 s3://alpha-team-share/chefprod
upload: 'backup_chef_2018-09-26-133542.tar.gz' -> 's3://alpha-team-share/chefprod' [part 1 of 14, 15MB] [1 of 1]
ERROR:
Upload of 'backup_chef_2018-09-26-133542.tar.gz' part 1 failed. Use
/bin/s3cmd abortmp s3://alpha-team-share/chefprod A0JRa0hmeyBjBcie3VEDFl_bHhjEkhDGr2nJCO095X0UmGmuFYR7n1mKEDtN2km.CrToyN6OhLdRVFtiW7AqmxHNPs_uhNzESzEO_M3xM6
to abort the upload, or
/bin/s3cmd --upload-id A0JRa0hmeyBjBcie3VEDFl_bHhjEkhDGr2nJCO095X0UmGmuFYR7n1mKEDtN2km.CrToyN6OhLdRVFtiW7AqmxHNPs_uhNzESzEO_M3xM6 put ...
to continue the upload.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
An unexpected error has occurred.
Please try reproducing the error using
the latest s3cmd code from the git master
branch found at:
https://github.com/s3tools/s3cmd
and have a look at the known issues list:
https://github.com/s3tools/s3cmd/wiki/Common-known-issues-and-their-solutions
If the error persists, please report the
following lines (removing any private
info as necessary) to:
s3tools-bugs@lists.sourceforge.net

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Invoked as: /bin/s3cmd put backup_chef_2018-09-26-133542.tar.gz --no-check-md5 s3://alpha-team-share/chefprod
Problem: ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
S3cmd: 2.0.2
python: 2.7.5 (default, May 31 2018, 09:41:32)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]
environment LANG=en_US.UTF-8

Traceback (most recent call last):
  File "/bin/s3cmd", line 3092, in <module>
    rc = main()
  File "/bin/s3cmd", line 3001, in main
    rc = cmd_func(args)
  File "/bin/s3cmd", line 421, in cmd_object_put
    response = s3.object_put(full_name, uri_final, extra_headers, extra_label = seq_label)
  File "/usr/lib/python2.7/site-packages/S3/S3.py", line 677, in object_put
    return self.send_file_multipart(src_stream, headers, uri, size, extra_label)
  File "/usr/lib/python2.7/site-packages/S3/S3.py", line 1603, in send_file_multipart
    upload.upload_all_parts(extra_label)
  File "/usr/lib/python2.7/site-packages/S3/MultiPart.py", line 119, in upload_all_parts
    self.upload_part(seq, offset, current_chunk_size, labels, remote_status = remote_statuses.get(seq))
  File "/usr/lib/python2.7/site-packages/S3/MultiPart.py", line 176, in upload_part
    response = self.s3.send_file(request, self.file_stream, labels, buffer, offset = offset, chunk_size = chunk_size)
  File "/usr/lib/python2.7/site-packages/S3/S3.py", line 1417, in send_file
    md5_hash = md5()
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
An unexpected error has occurred.
Please try reproducing the error using
the latest s3cmd code from the git master
branch found at:
https://github.com/s3tools/s3cmd
and have a look at the known issues list:
https://github.com/s3tools/s3cmd/wiki/Common-known-issues-and-their-solutions
If the error persists, please report the
above lines (removing any private
info as necessary) to:
s3tools-bugs@lists.sourceforge.net
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
```


fviard commented Sep 26, 2018

Hum, a similar case happened previously.
Your distribution/crypto package is in FIPS mode.

For FIPS, md5 is not a good (/allowed) cryptographic primitive because it is weak.
For that reason the function is disabled in your openssl library.

The problem is that we are using md5 for differentiating files to be uploaded for sync, but also for integrity check of transfer.
When you disable "md5" in the config, you in fact disable the md5 sum for file comparison for sync because it is an expensive operation, but not the md5 that is there to check that the server has the right file, not a corrupted one. This operation is not expensive.

The case of the FIPS is stupid because here the md5 is not used in a cryptographic context.
And it will not be used for "encryption" or to check the connection that uses https.

For your case, your only solution would be to modify the source of s3cmd if you can't change your distribution/ssl library.

If you want my opinion, what I have read is that it is stupid to use the FIPS version of openssl because you will get legacy versions...


aiskuld commented Jan 24, 2020

I had this issue with a Python package that was using md5 for hashing identifiers. Specifically, it was Django when I was trying to migrate my database with `python manage.py migrate`. To fix it, I changed the `hashlib.md5()` function that was causing the error to `hashlib.md5(usedforsecurity=False)`.

Here is the command to do that if you don't want to dig through the file
single file:

```
sed -i 's/hashlib.md5()/hashlib.md5(usedforsecurity=False)/g' <virtual_environment>/lib/python3.6/site-packages/django/db/backends/base/schema.py
```

This function is also found in the following file locations, but I would probably only change it if it causes an error.

```
$ grep -iRl "hashlib.md5()" .
<virtual_environment>/lib/python3.6/site-packages/django/utils/cache.py
<virtual_environment>/lib/python3.6/site-packages/django/db/models/indexes.py
<virtual_environment>/lib/python3.6/site-packages/django/contrib/staticfiles/storage.py
```

I know this is somewhat unrelated to the question asked, but it is the first result on Google, and I wouldn't be surprised if it's the same or a similar issue here.

@kdickerson

Sorry for a little bit of noise, but I have a blog post that's relevant to @aiskuld's comment about patching hashlib: http://blog.serindu.com/2019/11/12/django-in-fips-mode/ I monkey-patch the appropriate Django packages at runtime so I can avoid a forked codebase.

That approach should be useful for any other instance of needing to utilize libraries using blocked algorithms for non-security purposes while in FIPS mode.
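
A sketch of the two workarounds discussed in the comments above, written as an added example and not taken from s3cmd, Django or the linked blog post: a wrapper that declares MD5 as non-security use, and a runtime patch of `hashlib.md5` for libraries that cannot be edited. The function names are hypothetical; `content_md5` stands in for a transfer-integrity checksum of the kind fviard describes, and the `usedforsecurity` keyword is assumed to be available as in upstream Python 3.9+ (with a fallback when it is not).

```python
import base64
import hashlib

_ORIG_MD5 = hashlib.md5  # real constructor, captured before any patching


def md5_nonsecurity(data=b""):
    """MD5 for checksums and identifiers only, never signatures or passwords."""
    try:
        # Upstream Python 3.9+ accepts this keyword; it lets a FIPS-mode
        # OpenSSL provide MD5 for uses that are declared non-security.
        return _ORIG_MD5(data, usedforsecurity=False)
    except TypeError:
        # Interpreter without the keyword: the plain call works outside FIPS.
        return _ORIG_MD5(data)


def md5_blocked_for_security():
    """True when a plain hashlib.md5() call is refused, as under FIPS."""
    try:
        _ORIG_MD5(b"")
        return False
    except ValueError:
        return True


def content_md5(chunk):
    """Base64 MD5 of an upload chunk, the form an HTTP Content-MD5 header uses."""
    return base64.b64encode(md5_nonsecurity(chunk).digest()).decode("ascii")


def patch_hashlib():
    """Route hashlib.md5 through the wrapper for libraries that cannot be edited.

    Call it before importing them: code that ran `from hashlib import md5`
    keeps the object it bound at import time.
    """
    def patched(data=b"", **kwargs):
        if "usedforsecurity" in kwargs:  # caller stated its intent: honour it
            return _ORIG_MD5(data, **kwargs)
        return md5_nonsecurity(data)

    hashlib.md5 = patched
    return _ORIG_MD5  # assign back to hashlib.md5 to undo the patch
```

The patch only changes calls that do not say how the digest is used, so code that explicitly requests `usedforsecurity=True` is still refused in FIPS mode.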

Pectojin pushed a commit to Pectojin/scripts that referenced this issue Mar 19, 2020
Issue is almost identical to s3tools/s3cmd#1005
@fviard fviard closed this as completed in 2f57a4a Oct 4, 2022
@fviard fviard added this to the 2.4.0 milestone Oct 4, 2022

fviard commented Oct 4, 2022

Fixed, thanks to @maroth96 !

alangenfeld pushed a commit to dagster-io/dagster that referenced this issue Dec 5, 2023
## Summary & Motivation
For FIPS enabled systems the MD5 function is disabled in `openssl`.
Since Dagster is using `hashlib.md5` in various locations (`dagster`,
`dagster-dbt`, and `dagster-k8s`), on a FIPS enabled environment the UI
will deliver the following error when trying to load the code location:

```
ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS

  File "/opt/dagster/app/venv/lib/python3.11/site-packages/dagster/_grpc/server.py", line 609, in _get_serialized_external_repository_data
    external_repository_data_from_def(
  File "/opt/dagster/app/venv/lib/python3.11/site-packages/dagster/_core/host_representation/external_data.py", line 1341, in external_repository_data_from_def
    asset_graph = external_asset_graph_from_defs(
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/dagster/app/venv/lib/python3.11/site-packages/dagster/_core/host_representation/external_data.py", line 1531, in external_asset_graph_from_defs
    atomic_execution_unit_id = assets_def.unique_id
                               ^^^^^^^^^^^^^^^^^^^^
  File "/opt/dagster/app/venv/lib/python3.11/site-packages/dagster/_core/definitions/assets.py", line 1254, in unique_id
    return hashlib.md5((json.dumps(sorted(self.keys))).encode("utf-8")).hexdigest()
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
```

A web search [indicates](s3tools/s3cmd#1005)
that flagging such `hashlib.md5` uses with the `usedforsecurity=False`
parameter will resolve this error. As far as I can ascertain, each of
the modified usages are indeed NOT used for the security of the md5
algorithm but instead used to determine the uniqueness of the item(s)
being hashed. If this is not the case, my PR will need to be corrected.

## How I Tested These Changes
I have deployed these changes on my own company's FIPS-enabled,
k8s-based systems and seen the error resolved.
zyd14 pushed a commit to zyd14/dagster that referenced this issue Jan 20, 2024