

Deprecate explicit RHEL8 FIPS mode support
PR 89 [0] migrated the EC2 deployment configuration for this repository to
RHEL8. Those changes included some explicit monkeypatching of MD5 to
allow for running on RHEL8 with FIPS mode enabled.

Going forward, support for EC2 deployment will be maintained in the ec2
branch [1] until such time as we are fully containerized.

For that reason, we no longer need to maintain this code in the main
branch, and it can be removed.

[0] #89
[1] https://github.com/cfpb/website-indexer/tree/ec2
chosak committed Oct 4, 2024
1 parent 0ab40e1 commit 551f351
Showing 1 changed file with 0 additions and 48 deletions.
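--- a/settings.py
+++ b/settings.py
@@ -151,51 +151,3 @@
 },
 },
 }
-
-# Monkey patch hashlib.md5 for FIPS mode compliance on RHEL8.
-# http://blog.serindu.com/2019/11/12/django-in-fips-mode/
-import hashlib
-import importlib
-
-
-def _non_security_md5(*args, **kwargs):
-kwargs["usedforsecurity"] = False
-return hashlib.md5(*args, **kwargs)
-
-
-def monkey_patch_md5(modules_to_patch):
-"""Monkey-patch calls to MD5 that aren't used for security purposes.
-Sets RHEL's custom flag `usedforsecurity` to False allowing MD5 in FIPS mode.
-`modules_to_patch` must be an iterable of module names (strings).
-Modules must use `import hashlib` and not `from hashlib import md5`.
-"""
-# Manually load a module as a unique instance
-# https://stackoverflow.com/questions/11170949/how-to-make-a-copy-of-a-python-module-at-runtime
-HASHLIB_SPEC = importlib.util.find_spec("hashlib")
-patched_hashlib = importlib.util.module_from_spec(HASHLIB_SPEC)
-HASHLIB_SPEC.loader.exec_module(patched_hashlib)
-
-patched_hashlib.md5 = _non_security_md5 # Monkey patch MD5
-
-# Inject our patched_hashlib for all requested modules
-for module_name in modules_to_patch:
-module = importlib.import_module(module_name)
-module.hashlib = patched_hashlib
-
-
-modules_to_patch = [
-"django.contrib.staticfiles.storage",
-"django.core.cache.backends.filebased",
-"django.core.cache.utils",
-"django.db.backends.utils",
-"django.db.backends.sqlite3.base",
-"django.utils.cache",
-]
-
-try:
-import hashlib
-
-hashlib.md5()
-except ValueError:
-monkey_patch_md5(modules_to_patch)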
