Red Hat Bugzilla – Bug 815395
import hashlib fails on FIPS-enabled rhel5 i386 machine
Last modified: 2017-04-06 06:12:27 EDT
Description of problem:
When "import hashlib" is issued on an FIPS-enabled rhel5 i386 machine,
it fails with the following error:
Traceback (most recent call last):
File "./test.py", line 2, in ?
File "/usr/lib/python2.4/site-packages/hashlib.py", line 136, in ?
md5 = __get_builtin_constructor('md5')
File "/usr/lib/python2.4/site-packages/hashlib.py", line 63, in __get_builtin_constructor
ImportError: No module named _md5
The "test.py" file is just:
I've tried to debug this further - removing all leading underscores from
imports/returns in the __get_builtin_constructor function (file
/usr/lib/python2.4/site-packages/hashlib.py) somehow fixes the problem.
So it looked like a simple backport bug (python2.4 uses module names without
underscores, ie. /usr/lib/python2.4/lib-dynload/md5module.so), until I found
out that this problem is only i386-specific and FIPS-specific. When I turn
FIPS mode off, importing hashlib works just fine.
Version-Release number of selected component (if applicable):
On rhel5 (tested with 5.6 and 5.8), i386 install and with FIPS enabled
(fips=1 kernel parameter + removed prelink) - always.
Any other combination doesn't suffer from this problem - rhel6 works,
rhel5 on 64-bit architectures works (even with fips=1), rhel5 on i386 with fips=0 works as well.
Steps to Reproduce:
1. Install rhel5.8, install epel repo rpm
2. prelink -u -a ; yum remove -y prelink
3. edit kernel cmdline in /etc/grub.conf , add fips=1 to it
4. yum install python-hashlib
5. echo -e '#!/usr/bin/python\nimport hashlib' > test.py
4. chmod +x test.py
5. ./test.py # works
7. ./test.py # fails
"import hashlib" fails entirely, even with FIPS-allowed ciphers
(ie. "from hashlib import sha512")
Since all other achitectures / systems doesn't seem to have this problem,
I suppose the correct fix for this bug would be to make python-hashlib work
on rhel5 i386 FIPS-enabled distro like it works on rhel5 x86_64 FIPS-enabled one.
Disallowing the use of md5/sha1/sha<512 is for another possible bug report.
Fedora EPEL 5 changed to end-of-life (EOL) status on 2017-03-31. Fedora EPEL 5
is no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.
If you can reproduce this bug against a currently maintained version of Fedora
or Fedora EPEL, please feel free to reopen this bug against that version. If
you are unable to reopen this bug, please file a new report against the current
release. If you experience problems, please add a comment to this bug.
Thank you for reporting this bug and we are sorry it could not be fixed.