FreeBSD bug exposes potential logic issue with fips support check
I should have reported this sooner...
In November of this year, a Certbot user on FreeBSD experienced an issue in which the stack trace ended with:
- https://community.letsencrypt.org/t/did-openssl-3-0-break-certbot/207661/7
File "/usr/local/lib/python3.9/site-packages/cryptography/exceptions.py", line 9, in <module>
from cryptography.hazmat.bindings._rust import exceptions as rust_exceptions
ImportError: /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so: Undefined symbol "EVP_default_properties_is_fips_enabled"
A community member tracked the cause to a library link / compiling bug in the FreeBSD port
- https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273770
Digging through the code for a potential temporary hotfix, I realized the issue was due to the April 2023 commit to migrate fips detection to rust:
- https://github.com/pyca/cryptography/pull/8822
The material change here is caused by the following logic:
- the FIPS detection runs on every use of the library
- the FreeBSD bug of not having the linked symbol raises an exception in Rust
- the Rust exception is fatal
The hotfix I recommended was to downgrade cryptography:
pip install "cryptography==40.0.2"
However, I wanted to suggest the logic be potentially changed to catch this particular symbol error and fail the FIPS detection instead of raising an Exception.
note: This issue may be slightly related to #9010
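As an added illustration of the fallback the report proposes (example code written for this note, not part of cryptography's Rust bindings or of the FreeBSD port): the FIPS probe degrades to "not FIPS" when libcrypto lacks `EVP_default_properties_is_fips_enabled`, and the same symbol lookup doubles as a diagnostic for a broken build. `_FakeLibcrypto` is a constructed stand-in so the logic can be exercised without a real library.

```python
import ctypes
import ctypes.util
from typing import Optional

# OpenSSL 3 exports: int EVP_default_properties_is_fips_enabled(OSSL_LIB_CTX *libctx);
# it returns 1 when the default property query selects FIPS providers.
FIPS_SYMBOL = "EVP_default_properties_is_fips_enabled"


def has_fips_symbol(libcrypto) -> bool:
    """Diagnostic: does this libcrypto export the symbol the Rust binding links against?"""
    return hasattr(libcrypto, FIPS_SYMBOL)


def fips_enabled(libcrypto) -> bool:
    """Return True only if the probe symbol exists and reports FIPS mode.

    A missing symbol (the FreeBSD port bug) degrades to "not FIPS" instead of
    an unhandled error, which is the behaviour the issue proposes.
    """
    try:
        probe = getattr(libcrypto, FIPS_SYMBOL)
    except AttributeError:
        return False
    probe.restype = ctypes.c_int
    probe.argtypes = [ctypes.c_void_p]  # NULL libctx selects the default context
    return probe(None) == 1


def load_libcrypto() -> Optional[ctypes.CDLL]:
    """Load the system libcrypto via ctypes, or None when it cannot be found."""
    name = ctypes.util.find_library("crypto")
    if name is None:
        return None
    try:
        return ctypes.CDLL(name)
    except OSError:
        return None


class _FakeLibcrypto:
    """Constructed stand-in for a loaded libcrypto (hypothetical, for demonstration only)."""

    def __init__(self, fips_value: Optional[int] = None):
        if fips_value is not None:  # None models a library missing the symbol
            def probe(_libctx):
                return fips_value
            setattr(self, FIPS_SYMBOL, probe)


if __name__ == "__main__":
    lib = load_libcrypto()
    if lib is None:
        print("libcrypto not found on this system")
    else:
        print("symbol present:", has_fips_symbol(lib), "FIPS enabled:", fips_enabled(lib))
```

Running the script on an affected FreeBSD install would report `symbol present: False`, the same condition the traceback above surfaces as an `ImportError`.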
I'm a bit confused on how this happens: the FIPS detection logic is only present when you're on OpenSSL 3. Does FreeBSD have OpenSSL 3 without this symbol somehow?
This issue has been waiting for a reporter response for 3 days. It will be auto-closed if no activity occurs in the next 5 days.
Yes. From what I’ve read, I think they ship two versions of OpenSSL, one with FIPS and one without it. It seems they package everything built against the version with FIPS.
Even OpenSSLs that are not built for FIPS should have this symbol though.
This issue has been waiting for a reporter response for 3 days. It will be auto-closed if no activity occurs in the next 5 days.
This issue has not received a reporter response and has been auto-closed. If the issue is still relevant please leave a comment and we can reopen it.