Bug 1020895 - rhnpush to a FIPS enabled Satellite fails with a traceback
Summary: rhnpush to a FIPS enabled Satellite fails with a traceback
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
Version: 560
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Milan Zázrivec
QA Contact: Jan Hutař
URL:
Whiteboard:
Duplicates: 1022186
Depends On:
Blocks: 843620
Reported: 2013-10-18 13:20 UTC by Milan Zázrivec
Modified: 2015-01-26 11:57 UTC (History)

Fixed In Version: spacewalk-backend-2.2.13-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-26 11:57:29 UTC
Target Upstream Version:
Embargoed:


Description Milan Zázrivec 2013-10-18 13:20:45 UTC
Description of problem:
Upload of an RPM package using rhnpush to a FIPS enabled Satellite
fails with a traceback / internal server error:

Exception Handler Information
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/spacewalk/server/apacheRequest.py", line 123, in call_function
    response = apply(func, params)
  File "/usr/share/rhn/server/handlers/app/packages.py", line 178, in login
    return session.get_session()
  File "/usr/lib/python2.6/site-packages/spacewalk/server/rhnSession.py", line 75, in get_session
    return "%sx%s" % (self.session_id, self.digest()) 
  File "/usr/lib/python2.6/site-packages/spacewalk/server/rhnSession.py", line 68, in digest
    ctx = hashlib.new('md5')
  File "/usr/lib64/python2.6/hashlib.py", line 83, in __hash_new
    return _hashlib.new(name, string, usedforsecurity)
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

Version-Release number of selected component (if applicable):
Satellite 5.6

How reproducible:
Always

Steps to Reproduce:
1. Satellite 5.6 running on a FIPS enabled RHEL system
2. rhnpush some content


Actual results:
Above traceback.

Expected results:
No traceback, rhnpush works.

Additional info:
N/A

Comment 1 Milan Zázrivec 2013-10-31 17:53:25 UTC
*** Bug 1022186 has been marked as a duplicate of this bug. ***

Comment 2 Milan Zázrivec 2013-10-31 18:06:31 UTC
As long as we change the session hashes from MD5 to SHA*, and
we are rhnpushing from a non-FIPS enabled system (see bug #1025446),
we will be facing the following traceback with MD5 signed RPMs:

Exception Handler Information
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/spacewalk/server/apacheUploadServer.py", line 100, in _wrapper
    ret = function(req)
  File "/usr/share/rhn/upload_server/handlers/package_push/package_push.py", line 115, in handler
    self.file_checksum_type, self.file_checksum)
  File "/usr/lib/python2.6/site-packages/spacewalk/server/rhnPackageUpload.py", line 272, in save_uploaded_package
    a_pkg.save_payload(temp_stream)
  File "/usr/lib/python2.6/site-packages/spacewalk/common/rhn_rpm.py", line 227, in save_payload
    c_hash = checksum.hashlib.new(self.checksum_type)
  File "/usr/lib64/python2.6/hashlib.py", line 83, in __hash_new
    return _hashlib.new(name, string, usedforsecurity)
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

Comment 3 Milan Zázrivec 2014-04-01 13:31:52 UTC
Session hash changed from MD5 -> SHA-256 in spacewalk.git master:
299470c8c4de38d61be5f3501cc2fa6cd1e320a5

Comment 4 Milan Zázrivec 2014-04-01 14:33:24 UTC
Allow to compute MD5 package checksum in fips mode: a478498e201f94cff1b4bacd187cf33c8f61c7a8
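
The two failure sites in the tracebacks above (the session digest and the package payload checksum) call for different handling; the sketch below is an added example, not the code from the spacewalk commits referenced in this bug. The function names, the secrets list and the sample values are hypothetical, and it assumes Python 3.9+, where hashlib accepts the usedforsecurity keyword.

```python
import hashlib
import hmac
import io


def new_hash(name, security=True):
    """Create a digest; security=False asks for the non-security exemption."""
    if security:
        return hashlib.new(name)
    try:
        # Keyword exists in Python 3.9+ (assumption: that is the runtime here).
        return hashlib.new(name, usedforsecurity=False)
    except TypeError:
        return hashlib.new(name)  # older interpreter without the keyword


def session_token(session_id, secrets):
    """Session string "<id>x<digest>", digest over secrets + id with SHA-256."""
    ctx = new_hash("sha256")
    for secret in secrets:
        ctx.update(secret)
    ctx.update(str(session_id).encode("ascii"))
    return "%sx%s" % (session_id, ctx.hexdigest())


def verify_session_token(token, secrets):
    """Recompute the digest and compare in constant time."""
    session_id, sep, _digest = token.partition("x")
    if not sep or not token.isascii() or not session_id.isdigit():
        return False
    return hmac.compare_digest(token, session_token(session_id, secrets))


def payload_checksum(stream, checksum_type, chunk_size=65536):
    """Integrity checksum of an uploaded payload, e.g. MD5 recorded in an old RPM."""
    ctx = new_hash(checksum_type, security=False)
    for block in iter(lambda: stream.read(chunk_size), b""):
        ctx.update(block)
    return ctx.hexdigest()


if __name__ == "__main__":
    secrets = [b"constructed-secret-1", b"constructed-secret-2"]  # constructed
    token = session_token(1234, secrets)
    print(token, verify_session_token(token, secrets))
    print(payload_checksum(io.BytesIO(b"constructed payload"), "md5"))
```

The session token is an authentication value, so it moves to an approved digest; the MD5 payload checksum only compares against what the package already records, which is why it is the one call that requests the non-security exemption.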

Comment 7 Pavel Studeník 2015-01-19 17:19:44 UTC
Reverified with spacewalk-backend-2.3.3-23.el6sat.noarch

# rhnpush rhncfg-* -c channel-rhel6 --server localhost --nosig