[bug] Error during conan export-pkg when using md5 with FIPS #7800

Closed
MichaelHCline opened this issue Oct 2, 2020 · 4 comments
@MichaelHCline

I am getting the following error message when doing a conan export-pkg command (see traceback):

ERROR: [digital envelope routines: EVP_DigestInit_ex] disabled for fips

My company IT department did some updates on the system yesterday that brought about this problem. (I am unsure which mod exactly broke it). I can get conan to work again by making the following changes:

"/usr/local/lib/python3.6/site-packages/conans/util/files.py": line 126:
Changed:
md5alg = hashlib.md5()
To:
md5alg = hashlib.md5(usedforsecurity=False)

"/usr/lib64/python3.6/hashlib.py": line 176
usedforsecurity = kwargs.pop('usedforsecurity', True)
To:
usedforsecurity = kwargs.pop('usedforsecurity', False)

I would need to do this on every machine that we use conan, and over time I may have to keep redoing it, so it doesn't seem like the right answer.

Environment Details (include every applicable attribute)

  • Operating System+version: uname -a = Linux **** 3.10.0-1127.13.1.el7.x86_64 #1 SMP Fri Jun 12 14:34:17 EDT 2020 x86_64 x86_64 x86_64 GNU/Linux
  • Compiler+version: (n/a) gcc 4.8.5
  • Conan version: 1.24.0
  • Python version: 3.6

Steps to reproduce (Include if Applicable)

conan export-pkg . --profile=myprofile --force

Logs (Executed commands with output) (Include/Attach if Applicable)

cd .. && conan export-pkg . --profile Linux/conanprofile --force
Exporting package recipe
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/conans/client/command.py", line 2002, in run
    method(args[0][1:])
  File "/usr/local/lib/python3.6/site-packages/conans/client/command.py", line 970, in export_pkg
    ignore_dirty=args.ignore_dirty)
  File "/usr/local/lib/python3.6/site-packages/conans/client/conan_api.py", line 89, in wrapper
    return f(api, *args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/conans/client/conan_api.py", line 420, in export_pkg
    graph_lock=graph_info.graph_lock, ignore_dirty=ignore_dirty)
  File "/usr/local/lib/python3.6/site-packages/conans/client/cmd/export.py", line 155, in cmd_export
    manifest = FileTreeManifest.create(package_layout.export(), package_layout.export_sources())
  File "/usr/local/lib/python3.6/site-packages/conans/model/manifest.py", line 123, in create
    file_dict[name] = md5sum(filepath)
  File "/usr/local/lib/python3.6/site-packages/conans/util/files.py", line 136, in md5sum
    return _generic_algorithm_sum(file_path, "md5")
  File "/usr/local/lib/python3.6/site-packages/conans/util/files.py", line 150, in _generic_algorithm_sum
    m = hashlib.new(algorithm_name)
  File "/usr/lib64/python3.6/hashlib.py", line 178, in __hash_new
    name, data, usedforsecurity=usedforsecurity)
ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for fips

ERROR: [digital envelope routines: EVP_DigestInit_ex] disabled for fips
make[1]: *** [conanexport] Error 1
make: *** [.DEFAULT] Error 2

@memsharded
Member

Hi, it seems that your openssl system library was updated and is overly restricted. From s3tools/s3cmd#1005 (comment), I read:

For FIPS, md5 is not a good (/allowed) cryptographic primitive because it is weak.
For that reason the function is disabled in your openssl library.

The problem is that we are using md5 for differentiating files to be uploaded for sync, but also for integrity check of transfer.
When you disable "md5" in the config, you in fact disable the md5 sum for file comparison for sync because it is an expensive operation. But not the md5 that is there to check that the server has the right file, not a corrupted one. This operation is not expensive.

The case of the FIPS is stupid because here the md5 is not used in a cryptographic context.
And it will not be used for "encryption" or to check the connection that uses https.

I would say that we are in a similar use case. We use md5 checksums, not in a cryptographic way, but just as a convenient hash of files, and those hashes are used for very basic checks.

Let's have a look at the usedforsecurity=False attribute, seems a simple fix, in case you want to contribute a Pull Request and see what our CI says.
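The fallback discussed in this thread, as an added example that is not part of the original issue and is not Conan's code: request the hash normally, and only when the library refuses it, retry with the use declared as non-security. The names `fips_like_new`, `checksum_hasher` and `file_checksum` are hypothetical, and `fips_like_new` is a constructed stand-in that imitates the refusal shown in the traceback so the path can be exercised on a host without FIPS enforcement.

```python
import hashlib
import os
import tempfile

FIPS_MSG = "[digital envelope routines: EVP_DigestInit_ex] disabled for fips"

def fips_like_new(name, data=b"", **kwargs):
    """Constructed stand-in for hashlib.new on a FIPS-enforcing host:
    MD5 is refused unless the caller declares a non-security use."""
    if name.lower() == "md5" and kwargs.get("usedforsecurity", True):
        raise ValueError(FIPS_MSG)
    return hashlib.new(name, data, **kwargs)

def checksum_hasher(name, new=hashlib.new):
    """Return a hash object for integrity checksums only
    (never for signatures, passwords or MACs)."""
    try:
        return new(name)
    except ValueError as refused:
        try:
            # Declare the non-security use; reached only if the plain call fails.
            return new(name, usedforsecurity=False)
        except TypeError:
            # Interpreter without the keyword: surface the original refusal.
            raise refused

def file_checksum(path, name="md5", new=hashlib.new, chunk_size=65536):
    """Hex digest of a file, read in chunks to bound memory use."""
    hasher = checksum_hasher(name, new)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            hasher.update(chunk)
    return hasher.hexdigest()

def demo():
    """Hash a constructed sample file through the FIPS-like factory."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as handle:
            handle.write(b"hello")
        return file_checksum(path, "md5", new=fips_like_new)
    finally:
        os.remove(path)

if __name__ == "__main__":
    print(demo())
```

Keeping the declaration inside one narrowly named helper means every MD5 call that bypasses the FIPS restriction is easy to find in review, and security-relevant hashing elsewhere still fails closed.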

@memsharded
Member

Doing a PR in https://github.com/conan-io/conan/pull/7807/files

Can't guarantee that this will be merged. This is not a Conan bug, but some systems having a non-conformant Python distribution and breaking the standard Python API contracts.

@memsharded memsharded added this to the 1.30 milestone Oct 5, 2020
@memsharded
Member

Hi @MichaelHCline

We are going to integrate a fix for this in the next 1.30 (due today). Please stay tuned and upgrade when released, test and report. Thanks very much!

@MichaelHCline
Author

MichaelHCline commented Oct 6, 2020 via email
