Bug 815395
| Summary: | import hashlib fails on FIPS-enabled rhel5 i386 machine | ||
|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | Jiri Jaburek <jjaburek> |
| Component: | python-hashlib | Assignee: | Dennis Gilmore <dennis> |
| Status: | CLOSED EOL | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | el5 | CC: | dennis, omoris |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-04-06 10:12:27 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Fedora EPEL 5 changed to end-of-life (EOL) status on 2017-03-31. Fedora EPEL 5 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora or Fedora EPEL, please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed. |
Description of problem: When "import hashlib" is issued on an FIPS-enabled rhel5 i386 machine, it fails with the following error: Traceback (most recent call last): File "./test.py", line 2, in ? import hashlib File "/usr/lib/python2.4/site-packages/hashlib.py", line 136, in ? md5 = __get_builtin_constructor('md5') File "/usr/lib/python2.4/site-packages/hashlib.py", line 63, in __get_builtin_constructor import _md5 ImportError: No module named _md5 The "test.py" file is just: #!/usr/bin/python import hashlib I've tried to debug this further - removing all leading underscores from imports/returns in the __get_builtin_constructor function (file /usr/lib/python2.4/site-packages/hashlib.py) somehow fixes the problem. So it looked like a simple backport bug (python2.4 uses module names without underscores, ie. /usr/lib/python2.4/lib-dynload/md5module.so), until I found out that this problem is only i386-specific and FIPS-specific. When I turn FIPS mode off, importing hashlib works just fine. Version-Release number of selected component (if applicable): python-hashlib-20081119-4.el5 How reproducible: On rhel5 (tested with 5.6 and 5.8), i386 install and with FIPS enabled (fips=1 kernel parameter + removed prelink) - always. Any other combination doesn't suffer from this problem - rhel6 works, rhel5 on 64-bit architectures works (even with fips=1), rhel5 on i386 with fips=0 works as well. Steps to Reproduce: 1. Install rhel5.8, install epel repo rpm 2. prelink -u -a ; yum remove -y prelink 3. edit kernel cmdline in /etc/grub.conf , add fips=1 to it 4. yum install python-hashlib 5. echo -e '#!/usr/bin/python\nimport hashlib' > test.py 4. chmod +x test.py 5. ./test.py # works 6. reboot 7. ./test.py # fails Actual results: "import hashlib" fails entirely, even with FIPS-allowed ciphers (ie. "from hashlib import sha512") Expected results: Since all other achitectures / systems doesn't seem to have this problem, I suppose the correct fix for this bug would be to make python-hashlib work on rhel5 i386 FIPS-enabled distro like it works on rhel5 x86_64 FIPS-enabled one. Disallowing the use of md5/sha1/sha<512 is for another possible bug report. Additional info: FIPS: http://en.wikipedia.org/wiki/Federal_Information_Processing_Standard