Red Hat Bugzilla – Bug 815395
import hashlib fails on FIPS-enabled rhel5 i386 machine
Last modified: 2017-04-06 06:12:27 EDT
Description of problem: When "import hashlib" is issued on an FIPS-enabled rhel5 i386 machine, it fails with the following error: Traceback (most recent call last): File "./test.py", line 2, in ? import hashlib File "/usr/lib/python2.4/site-packages/hashlib.py", line 136, in ? md5 = __get_builtin_constructor('md5') File "/usr/lib/python2.4/site-packages/hashlib.py", line 63, in __get_builtin_constructor import _md5 ImportError: No module named _md5 The "test.py" file is just: #!/usr/bin/python import hashlib I've tried to debug this further - removing all leading underscores from imports/returns in the __get_builtin_constructor function (file /usr/lib/python2.4/site-packages/hashlib.py) somehow fixes the problem. So it looked like a simple backport bug (python2.4 uses module names without underscores, ie. /usr/lib/python2.4/lib-dynload/md5module.so), until I found out that this problem is only i386-specific and FIPS-specific. When I turn FIPS mode off, importing hashlib works just fine. Version-Release number of selected component (if applicable): python-hashlib-20081119-4.el5 How reproducible: On rhel5 (tested with 5.6 and 5.8), i386 install and with FIPS enabled (fips=1 kernel parameter + removed prelink) - always. Any other combination doesn't suffer from this problem - rhel6 works, rhel5 on 64-bit architectures works (even with fips=1), rhel5 on i386 with fips=0 works as well. Steps to Reproduce: 1. Install rhel5.8, install epel repo rpm 2. prelink -u -a ; yum remove -y prelink 3. edit kernel cmdline in /etc/grub.conf , add fips=1 to it 4. yum install python-hashlib 5. echo -e '#!/usr/bin/python\nimport hashlib' > test.py 4. chmod +x test.py 5. ./test.py # works 6. reboot 7. ./test.py # fails Actual results: "import hashlib" fails entirely, even with FIPS-allowed ciphers (ie. "from hashlib import sha512") Expected results: Since all other achitectures / systems doesn't seem to have this problem, I suppose the correct fix for this bug would be to make python-hashlib work on rhel5 i386 FIPS-enabled distro like it works on rhel5 x86_64 FIPS-enabled one. Disallowing the use of md5/sha1/sha<512 is for another possible bug report. Additional info: FIPS: http://en.wikipedia.org/wiki/Federal_Information_Processing_Standard
Fedora EPEL 5 changed to end-of-life (EOL) status on 2017-03-31. Fedora EPEL 5 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora or Fedora EPEL, please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.