hashlib.MD5 is working on FIPS enabled system

[bnaigaonkar]

Bug report

Bug description:

On FIPS Enabled system, hashlib.MD5 is working which is against the FIPS compliance, we found below note in the official document, https://docs.python.org/3/library/hashlib.html

hashlib.algorithms_guaranteed¶
A set containing the names of the hash algorithms guaranteed to be supported by this module on all platforms. Note that ‘md5’ is in this list despite some upstream vendors offering an odd “FIPS compliant” Python build that excludes it.

Can anyone explain what is the meaning of above note in detail ?

CPython versions tested on:

3.11

Operating systems tested on:

Debian Linux

[picnixz]

Related: #118224 (or perhaps a duplicate?)

cc @encukou

[encukou]

You should raise this issue with whoever certified your system for FIPS compliance. Python itself is not “FIPS compliant”, though it provides some tools to make it easier to build such systems. (That usually means disabling things -- reducing usability.)
Specifically, you could use the --with-builtin-hashlib-hashes configure option to build without the bundled md5 library.

A set containing the names of the hash algorithms guaranteed to be supported by this module on all platforms. Note that ‘md5’ is in this list despite some upstream vendors offering an odd “FIPS compliant” Python build that excludes it.

That means that some re-distributors offer changed versions of CPython, where they disable md5 functionality but keep it in the algorithms_guaranteed list.
(Nowadays it's better if they don't disable md5 entirely, but rely on the usedforsecurity argument being passed on to OpenSSL. And then audit uses of usedforsecurity in all Python software on the system.)

Related: #118224 (or perhaps a duplicate?)

Yes, that's a duplicate, and it has more info, so I'll close this one. Thanks for triaging!