Bug Report - ReportLab not FIPS compliant, does not support FIPS by default

Cooper

Mar 5, 2024, 2:24:13 PM
to reportlab-users
Thank you, reportlab contributors, for all the work you do.

The hashing algorithm is MD5 which is not FIPS compliant.  I had to monkey patch the hashlib to send all MD5 hashes to SHA256.

```
    c = canvas.Canvas(packet, pagesize=page_size)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/reportlab/pdfgen/canvas.py", line 305, in __init__
    self._doc = pdfdoc.PDFDocument(compression=pageCompression,
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/reportlab/pdfbase/pdfdoc.py", line 137, in __init__
    sig = self.signature = md5()
                           ^^^^^
_hashlib.UnsupportedDigestmodError: [digital envelope routines] unsupported
```

```
# Fixed by monkey patch (before reportlab import)
import hashlib

# Define a wrapper function that calls hashlib.sha256 instead of hashlib.md5
def sha256_as_md5(*args, **kwargs):
    print("Warning: MD5 hash requested; using SHA256 as a FIPS-compliant replacement.")
    return hashlib.sha256(*args, **kwargs)


# Keep a reference to the original md5 constructor
original_md5 = hashlib.md5
# Replace the hashlib.md5 with your wrapper function
hashlib.md5 = sha256_as_md5
```

Zachary Rank

Apr 18, 2024, 1:53:51 AM
to reportlab-users
I'm running into the same/similar problem with reportlab 4.0.9 on Python 3.9 on Red Hat 8. The call to hashlib.md5() will not work on operating systems that are FIPS compliant. The fix is a simple one-liner to indicate that the usage of md5 is not for security purposes.

Here is a stacktrace:
```
Traceback (most recent call last):
  ...
  File "venv/lib/python3.9/site-packages/reportlab/pdfbase/pdfdoc.py", line 137, in __init__
    sig = self.signature = md5()

Exception Type: ValueError
Exception Value: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS
```

Updating line 137 of reportlab/pdfbase/pdfdoc.py to be `sig = self.signature = md5(usedforsecurity=False)` should resolve the problem for everyone.
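
An application-side way to apply the `usedforsecurity=False` suggestion from this thread without rebinding `hashlib.md5` for the whole process (added example, not ReportLab's code and not code from either poster). It assumes `pdfdoc` resolves `md5` as a module-level name, as the traceback line `md5()` suggests; `non_security_md5`, `probe_md5` and `patch_module_md5` are hypothetical helper names.

```python
import hashlib


def non_security_md5(data=b""):
    """MD5 for non-security use (e.g. a document fingerprint)."""
    try:
        # Python 3.9+: declares that this digest protects nothing, which
        # FIPS-enabled builds that honour the flag will permit.
        return hashlib.md5(data, usedforsecurity=False)
    except TypeError:
        # Older Pythons do not accept the keyword.
        return hashlib.md5(data)


def probe_md5():
    """Return which md5 call styles this interpreter/OpenSSL build permits."""
    outcome = {}
    for label, kwargs in (("md5()", {}),
                          ("md5(usedforsecurity=False)", {"usedforsecurity": False})):
        try:
            hashlib.md5(b"probe", **kwargs)
            outcome[label] = True
        except (ValueError, TypeError):
            # FIPS builds raise ValueError (UnsupportedDigestmodError subclasses it).
            outcome[label] = False
    return outcome


def patch_module_md5(module):
    """Rebind only `module.md5`; hashlib.md5 stays untouched for other callers."""
    previous = getattr(module, "md5", None)
    module.md5 = non_security_md5
    return previous


if __name__ == "__main__":
    print(probe_md5())
    try:
        from reportlab.pdfbase import pdfdoc  # only if reportlab is installed
    except ImportError:
        pdfdoc = None
    if pdfdoc is not None:
        patch_module_md5(pdfdoc)
        print("pdfdoc.md5 ->", pdfdoc.md5.__name__)
```

Unlike a SHA-256 substitution, this keeps the 16-byte MD5 digest length that any other caller in the process may expect.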