RFE: Support FIPS mode - do not use md5 hash #7335

Open
1 of 2 tasks
opoplawski opened this issue May 23, 2018 · 8 comments
Assignees
Labels
backlog issue has been triaged but has not been earmarked for any upcoming release pending::discussion contains some ongoing discussion that needs to be resolved prior to proceeding source::anaconda created by members of Anaconda, Inc. source::community catch-all for issues filed by community members stale::recovered [bot] recovered after being marked as stale type::feature request for a new feature or capability

Comments

@opoplawski
Contributor

I'm submitting a...

  • bug report
  • feature request

md5 hashes are unsafe and are disabled in FIPS mode.

See also #5282

Steps to Reproduce

Boot with fips=1

# /usr/bin/conda create -y -n scipy35-anaconda -c anaconda  python=3.5 astropy basemap h5py jupyter matplotlib mkl mysql-connector-python netcdf4 notebook numba pandas pip scikit-learn scipy seaborn sunpy sympy xarray nbbrowserpdf tensorflow
Solving environment: failed

# >>>>>>>>>>>>>>>>>>>>>> ERROR REPORT <<<<<<<<<<<<<<<<<<<<<<

    Traceback (most recent call last):
      File "/usr/lib/python3.4/site-packages/conda/exceptions.py", line 819, in __call__
        return func(*args, **kwargs)
      File "/usr/lib/python3.4/site-packages/conda/cli/main.py", line 78, in _main
        exit_code = do_call(args, p)
      File "/usr/lib/python3.4/site-packages/conda/cli/conda_argparse.py", line 77, in do_call
        exit_code = getattr(module, func_name)(args, parser)
      File "/usr/lib/python3.4/site-packages/conda/cli/main_create.py", line 11, in execute
        install(args, parser, 'create')
      File "/usr/lib/python3.4/site-packages/conda/cli/install.py", line 235, in install
        force_reinstall=context.force,
      File "/usr/lib/python3.4/site-packages/conda/core/solve.py", line 505, in solve_for_transaction
        force_remove, force_reinstall)
      File "/usr/lib/python3.4/site-packages/conda/core/solve.py", line 438, in solve_for_diff
        final_precs = self.solve_final_state(deps_modifier, prune, ignore_pinned, force_remove)
      File "/usr/lib/python3.4/site-packages/conda/core/solve.py", line 179, in solve_final_state
        index, r = self._prepare(prepared_specs)
      File "/usr/lib/python3.4/site-packages/conda/core/solve.py", line 560, in _prepare
        self.subdirs, prepared_specs)
      File "/usr/lib/python3.4/site-packages/conda/core/index.py", line 174, in get_reduced_index
        subdir_datas = tuple(SubdirData(Channel(url)) for url in channel_urls)
      File "/usr/lib/python3.4/site-packages/conda/core/index.py", line 174, in <genexpr>
        subdir_datas = tuple(SubdirData(Channel(url)) for url in channel_urls)
      File "/usr/lib/python3.4/site-packages/conda/core/subdir_data.py", line 68, in __call__
        subdir_data_instance = super(SubdirDataType, cls).__call__(channel)
      File "/usr/lib/python3.4/site-packages/conda/core/subdir_data.py", line 131, in __init__
        splitext(cache_fn_url(self.url_w_credentials))[0])
      File "/usr/lib/python3.4/site-packages/conda/core/subdir_data.py", line 606, in cache_fn_url
        md5 = hashlib.md5(ensure_binary(url)).hexdigest()
    ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

Expected Behavior

conda should work

Environment Information

`conda info`

     active environment : None
       user config file : /root/.condarc
 populated config files : /etc/conda/condarc.d/nwra.yml
                          /usr/share/conda/condarc.d/defaults.yaml
          conda version : 4.5.1
    conda-build version : not installed
         python version : 3.4.8.final.0
       base environment : /usr  (read only)
           channel URLs : http://conda.cora.nwra.com/main/linux-64
                          http://conda.cora.nwra.com/main/noarch
                          http://condaorg.cora.nwra.com/ncar/linux-64
                          http://condaorg.cora.nwra.com/ncar/noarch
                          http://condaorg.cora.nwra.com/OpenAstronomy/linux-64
                          http://condaorg.cora.nwra.com/OpenAstronomy/noarch
          package cache : /var/cache/conda/pkgs
                          /root/.conda/pkgs
       envs directories : /opt/anaconda/envs
                          /root/conda/envs
                          /root/.conda/envs
                          /usr/envs
               platform : linux-64
             user-agent : conda/4.5.1 requests/2.12.5 CPython/3.4.8 Linux/3.10.0-862.3.2.el7.x86_64 rhel/7.5 glibc/2.17
                UID:GID : 0:0
             netrc file : None
           offline mode : False


@kalefranz kalefranz added type::feature request for a new feature or capability source::community catch-all for issues filed by community members labels Sep 24, 2018
@lilmatt

lilmatt commented Jul 25, 2019

@kalefranz Could this be handled by changing to sha256 here, or is there more to it?
https://github.com/conda/conda/blob/master/conda/core/subdir_data.py#L634

@msarahan
Contributor

Seems like it. This really isn't a cryptographic application of md5, though. It's just a short name. Perhaps we should just base64 encode it instead of md5?

@github-actions

Hi there, thank you for your contribution to Conda!

This issue has been automatically marked as stale because it has not had recent activity. It will be closed automatically if no further activity occurs.

If you would like this issue to remain open please:

  1. Verify that you can still reproduce the issue in the latest version of Conda

  2. Comment that the issue is still reproducible and include:

     • What version of Conda you reproduced the issue on
     • What OS and version you reproduced the issue on
     • What steps you followed to reproduce the issue

  3. It would also be helpful to have the output of the following commands available:

     • conda info
     • conda config --show-sources
     • conda list --show-channel-urls

NOTE: If this issue was closed prematurely, please leave a comment and we will gladly reopen the issue.

In case this issue was originally about a project that is covered by the Anaconda issue tracker (e.g. Anaconda, Miniconda, packages built by Anaconda, Inc. like Anaconda Navigator etc), please reopen the issue there again.

Thanks!

@github-actions github-actions bot added the stale [bot] marked as stale due to inactivity label Nov 21, 2021
@opoplawski
Contributor Author

Presumably this still needs to get addressed

@github-actions github-actions bot added stale::recovered [bot] recovered after being marked as stale and removed stale [bot] marked as stale due to inactivity labels Dec 21, 2021
@jezdez jezdez added source::anaconda created by members of Anaconda, Inc. severity::1 blocker; broken functionality with no workaround labels May 23, 2023
@jezdez jezdez self-assigned this May 23, 2023
@jezdez jezdez modified the milestones: 23.7.0, 23.5.0 May 23, 2023
@kenodegard kenodegard modified the milestones: 23.5.0, 23.7.0 May 24, 2023
@kenodegard kenodegard added the backlog issue has been triaged but has not been earmarked for any upcoming release label May 24, 2023
@jezdez jezdez removed this from the 23.7.0 milestone Jul 7, 2023
@travishathaway
Contributor

travishathaway commented Sep 11, 2023

@chenghlee and @jezdez,

Has this been resolved? I couldn't help but notice the usage of usedforsecurity=False in our usage of hashlib here: https://github.com/conda/conda/blob/8faf745567b93e8112003b934bbe4b9191c16506/conda/gateways/repodata/__init__.py#L905-L914/__init__.py#L917-L928
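Added example, not part of the thread and not conda's own code: a sketch of how a short cache-file name like the one computed in `cache_fn_url` could be derived without failing in FIPS mode, combining the sha256 suggestion and the `usedforsecurity=False` flag mentioned in the comments above. The function names, the 8-character truncation and the sample URL are assumptions made for illustration.

```python
import hashlib

NAME_LEN = 8  # assumed length of the short cache-file stem


def fips_safe_name(url):
    """Short name from SHA-256, a digest that FIPS-mode crypto permits."""
    return hashlib.sha256(url.encode("utf-8")).hexdigest()[:NAME_LEN]


def legacy_md5_name(url):
    """md5-based short name, or None where the platform refuses md5."""
    data = url.encode("utf-8")
    for kwargs in ({"usedforsecurity": False}, {}):
        try:
            return hashlib.md5(data, **kwargs).hexdigest()[:NAME_LEN]
        except TypeError:
            # Python < 3.9 does not accept the keyword; retry without it.
            continue
        except ValueError:
            # Digest disabled by the crypto policy, as in the traceback above.
            # The flag does not guarantee availability, so this stays handled.
            return None
    return None


def candidate_cache_names(url):
    """Names to look for on disk: the SHA-256 name first, then the md5 name
    when it can be computed, so caches written under the old scheme are found."""
    names = [fips_safe_name(url)]
    legacy = legacy_md5_name(url)
    if legacy is not None and legacy not in names:
        names.append(legacy)
    return names


if __name__ == "__main__":
    # Constructed sample URL, not one of the channels in the report.
    print(candidate_cache_names("https://repo.example.invalid/main/linux-64"))
```

Writing new caches under the SHA-256 name keeps the file name identical on FIPS and non-FIPS hosts; the md5 name is only ever used to locate files that already exist.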

@jezdez
Member

jezdez commented Sep 11, 2023

This is unresolved so far; we haven't come to a conclusion on whether we should support running on FIPS-enabled systems, due to a lack of access for testing.

@chenghlee Do you know more off the top of your head?

@beeankha beeankha removed the severity::1 blocker; broken functionality with no workaround label Sep 11, 2023
@travishathaway
Contributor

I had the chance to talk with @chenghlee, and he said that FIPS is something that we still do not officially support, but it is an ongoing discussion.

@travishathaway travishathaway added the pending::discussion contains some ongoing discussion that needs to be resolved prior to proceeding label Sep 11, 2023
@xnox

xnox commented Mar 12, 2024

I can test on FIPS systems as containers as GitHub Actions. Is that something that is needed to support conda in FIPS mode?


10 participants