Bug 815395 - import hashlib fails on FIPS-enabled rhel5 i386 machine
import hashlib fails on FIPS-enabled rhel5 i386 machine
Status: NEW
Product: Fedora EPEL
Classification: Fedora
Component: python-hashlib (Show other bugs)
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Dennis Gilmore
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2012-04-23 10:09 EDT by Jiri Jaburek
Modified: 2014-07-02 06:56 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jiri Jaburek 2012-04-23 10:09:19 EDT
Description of problem:
When "import hashlib" is issued on an FIPS-enabled rhel5 i386 machine,
it fails with the following error:

Traceback (most recent call last):
  File "./test.py", line 2, in ?
    import hashlib
  File "/usr/lib/python2.4/site-packages/hashlib.py", line 136, in ?
    md5 = __get_builtin_constructor('md5')
  File "/usr/lib/python2.4/site-packages/hashlib.py", line 63, in __get_builtin_constructor
    import _md5
ImportError: No module named _md5

The "test.py" file is just:

import hashlib

I've tried to debug this further - removing all leading underscores from
imports/returns in the __get_builtin_constructor function (file
/usr/lib/python2.4/site-packages/hashlib.py) somehow fixes the problem.

So it looked like a simple backport bug (python2.4 uses module names without
underscores, ie. /usr/lib/python2.4/lib-dynload/md5module.so), until I found
out that this problem is only i386-specific and FIPS-specific. When I turn
FIPS mode off, importing hashlib works just fine.

Version-Release number of selected component (if applicable):

How reproducible:
On rhel5 (tested with 5.6 and 5.8), i386 install and with FIPS enabled
(fips=1 kernel parameter + removed prelink) - always.
Any other combination doesn't suffer from this problem - rhel6 works,
rhel5 on 64-bit architectures works (even with fips=1), rhel5 on i386 with fips=0 works as well.

Steps to Reproduce:
1. Install rhel5.8, install epel repo rpm
2. prelink -u -a ; yum remove -y prelink
3. edit kernel cmdline in /etc/grub.conf , add fips=1 to it
4. yum install python-hashlib
5. echo -e '#!/usr/bin/python\nimport hashlib' > test.py
4. chmod +x test.py
5. ./test.py  # works
6. reboot
7. ./test.py  # fails

Actual results:
"import hashlib" fails entirely, even with FIPS-allowed ciphers
(ie. "from hashlib import sha512")

Expected results:
Since all other achitectures / systems doesn't seem to have this problem,
I suppose the correct fix for this bug would be to make python-hashlib work
on rhel5 i386 FIPS-enabled distro like it works on rhel5 x86_64 FIPS-enabled one.

Disallowing the use of md5/sha1/sha<512 is for another possible bug report.

Additional info:
FIPS: http://en.wikipedia.org/wiki/Federal_Information_Processing_Standard

Note You need to log in before you can comment on or make changes to this bug.