zodb / relstorage

A backend for ZODB that stores pickles in a relational database.

FIPS support #480

Closed runyaga closed 1 year ago

runyaga commented 2 years ago

Hi Jason / zodb-dev,

On platforms which have FIPS enabled, hashlib.md5 will blow up:

      File ".../RelStorage-3.4.5-py3.8-linux-x86_64.egg/relstorage/adapters/schema.py", line 304, in _checksum_for_str
        return md5(
    ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS

A proposed way to resolve this is to add a md5 alias/partial in relstorage._util and change relstorage md5 references from hashlib to the relstorage._util module. For platforms which are not FIPS enabled there should be no function call overhead.

A PR will be incoming but I wanted to see if this is of interest to you or if you have another solution. A quick review of relstorage+deps it seems nothing at runtime is using hashlib.md5.
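
The alias approach proposed in the comment above could look like the following. This is an added example, not code from the thread and not RelStorage's own fix; `select_md5`, `fips_like_md5` and `checksum` are hypothetical names, and it assumes Python 3.9+ where `hashlib.md5` accepts `usedforsecurity`.

```python
import functools
import hashlib


def select_md5(md5_ctor=hashlib.md5):
    """Pick an MD5 constructor for non-security checksums.

    md5_ctor is a hypothetical parameter of this example; it exists so a
    FIPS-like constructor can be simulated on an ordinary host.
    """
    try:
        md5_ctor(b"")
        # MD5 is not blocked: hand back the original, no wrapper overhead.
        return md5_ctor
    except ValueError:
        # OpenSSL in FIPS mode refuses MD5 requested without a stated purpose.
        pass
    # Declare non-security use (keyword available in Python 3.9+).
    relaxed = functools.partial(md5_ctor, usedforsecurity=False)
    relaxed(b"")  # fail when the alias is built, not mid-transaction
    return relaxed


def fips_like_md5(data=b"", usedforsecurity=True):
    """Constructed stand-in that behaves like hashlib.md5 on a FIPS host."""
    if usedforsecurity:
        raise ValueError("disabled for FIPS")
    return hashlib.md5(data, usedforsecurity=False)


def checksum(text, md5=None):
    """Hex checksum of a string; for integrity bookkeeping only."""
    md5 = md5 or select_md5()
    return md5(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print(select_md5() is hashlib.md5)                 # ordinary host
    print(checksum("abc", select_md5(fips_like_md5)))  # simulated FIPS host
```

`usedforsecurity=False` only fits digests that are plain checksums; anything used for authentication or signatures should move to an approved hash instead.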

jamadden commented 2 years ago

What benefit is there to running RelStorage in FIPS mode? I'm not aware of any, so I would just recommend not doing that 😄

jamadden commented 2 years ago

> A quick review of relstorage+deps it seems nothing at runtime is using hashlib.md5.

The MD5 checksum is stored as part of the state for an object in history preserving storages. It is used during (at least) undo operations.

runyaga commented 2 years ago

FIPS mode is enabled at the OS level. We cannot opt out of it. In our case we are running containers on FIPS-enabled RHEL servers and at runtime the md5 call blows up.

jamadden commented 2 years ago

Thanks, the context is helpful.

jamadden commented 1 year ago

Fixed in 3.5.0a5.