After installing the pre-requisites and installing adfs-aws via pip3 using the --user option on a RHEL7 box I receive the following error when attempting to run the aws-adfs command (this error happens regardless of the --adfs-host parameter).
Command that produces error
It does not matter which cmdline arguments are specified, this error is persistent against my configuration. And using either a fake or real hostname yields the same error.
$ aws-adfs login --adfs-host foo
/home/{redacted}/.local/lib/python3.6/site-packages/fido2/utils.py:34: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography. The next release of cryptography will remove support for Python 3.6.
from cryptography.hazmat.backends import default_backend
Traceback (most recent call last):
File "/home/{redacted}/.local/bin/aws-adfs", line 8, in <module>
sys.exit(cli())
File "/home/{redacted}/.local/lib/python3.6/site-packages/click/core.py", line 1128, in __call__
return self.main(*args, **kwargs)
File "/home/{redacted}/.local/lib/python3.6/site-packages/click/core.py", line 1053, in main
rv = self.invoke(ctx)
File "/home{redacted}/.local/lib/python3.6/site-packages/click/core.py", line 1659, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/home/{redacted}/.local/lib/python3.6/site-packages/click/core.py", line 1395, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/home/{redacted}/.local/lib/python3.6/site-packages/click/core.py", line 754, in invoke
return __callback(*args, **kwargs)
File "/home/{redacted}/.local/lib/python3.6/site-packages/aws_adfs/login.py", line 197, in login
principal_roles, assertion, aws_session_duration = authenticator.authenticate(config, assertfile=assertfile)
File "/home/{redacted}/.local/lib/python3.6/site-packages/aws_adfs/authenticator.py", line 25, in authenticate
sspi=config.sspi,
File "/home/{redacted}/.local/lib/python3.6/site-packages/aws_adfs/html_roles_fetcher.py", line 59, in fetch_html_encoded_roles
cookiejar_filename = '{}_{}'.format(adfs_cookie_location, hashlib.md5(adfs_host.encode('utf-8')).hexdigest())
ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for fips
Workaround
A bit of googling revealed some clues that this error originates in the use of hashlib.md5 in the context it is being used in the html_roles_fetcher.py file.
By modifying the /home/{redacted}/.local/lib/python3.6/site-packages/aws_adfs/html_roles_fetcher.py file, changing line 59 by replacing hashlib.md5 with hashlib.sha256, ex:
--- .local/lib/python3.6/site-packages/aws_adfs/html_roles_fetcher.py.orig 2023-08-16 15:52:52.938550611 +0000+++ .local/lib/python3.6/site-packages/aws_adfs/html_roles_fetcher.py 2023-08-16 15:52:41.257491845 +0000@@ -56,7 +56,7 @@
# Windows 64bit maximum date is 3000-12-31T23:59:59Z, and 32bit is 2038-01-18T23:59:59Z.
#
# using the same cookiejar across multiple ADFS hosts causes issues, so use a unique jar per host
- cookiejar_filename = '{}_{}'.format(adfs_cookie_location, hashlib.md5(adfs_host.encode('utf-8')).hexdigest())+ cookiejar_filename = '{}_{}'.format(adfs_cookie_location, hashlib.sha256(adfs_host.encode('utf-8')).hexdigest())
session.cookies = cookielib.MozillaCookieJar(filename=cookiejar_filename)
try:
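Review bot: the `+` line changes the cookie jar filename for every host, so a jar already written under the MD5-derived name is no longer the one passed to `cookielib.MozillaCookieJar(filename=cookiejar_filename)` and is left behind on disk; existing users will have to authenticate once more after upgrading. That is worth a changelog line, and optionally a cleanup of the old file on systems where MD5 is still available. The comment above the changed line ("use a unique jar per host") still holds, since the SHA-256 digest is taken over the same `adfs_host` value.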
This modification resolves the error and I am able to run the program as expected.
Is there any objection to making this change to the source repo? If not, I will submit a pull request with this change.
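The following is an added example, not code from the issue or from aws-adfs: it shows the SHA-256 filename derivation from the diff next to a probe for whether MD5 is permitted on the host, so the old MD5-derived jar name is only computed where the crypto policy allows it. The function names, the cookie location and the host name are hypothetical, constructed for illustration.

```python
import hashlib


def md5_allowed():
    """Return True if this host's crypto policy permits MD5 (False under FIPS)."""
    try:
        hashlib.md5(b"probe")
        return True
    except ValueError:
        # On a FIPS-enforcing host this is the "disabled for fips" error
        # seen in the traceback above.
        return False


def cookiejar_filename(adfs_cookie_location, adfs_host):
    """Per-host cookie jar name derived with SHA-256, which FIPS mode permits."""
    digest = hashlib.sha256(adfs_host.encode("utf-8")).hexdigest()
    return "{}_{}".format(adfs_cookie_location, digest)


def legacy_cookiejar_filename(adfs_cookie_location, adfs_host):
    """Old MD5-derived jar name, or None when MD5 is blocked on this host."""
    if not md5_allowed():
        return None
    digest = hashlib.md5(adfs_host.encode("utf-8")).hexdigest()
    return "{}_{}".format(adfs_cookie_location, digest)


if __name__ == "__main__":
    # Constructed sample values, not taken from the issue.
    location = "/tmp/example/adfs_cookies"
    host = "adfs.example.com"
    print("MD5 permitted:", md5_allowed())
    print("new jar name :", cookiejar_filename(location, host))
    print("old jar name :", legacy_cookiejar_filename(location, host))
```

The SHA-256 suffix is 64 hex characters and the MD5 suffix is 32, so the two names for one host never coincide.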
Hi @ryno75, that sounds like a great improvement! Feel free to open a PR.
Given that the lengths of the hashes are different, I'd say there's no risk of existing users facing clashes with their old cookie files.
Also, I see you are using Python 3.6, while only 3.7 and above are supported with recent versions of aws-adfs.
What version of aws-adfs is installed on your system?