Bug 966903 - python-blivet fails in fips mode
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: python-blivet
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: David Lehman
QA Contact: Release Test Team
Blocks: 839624
Reported: 2013-05-24 08:55 UTC by Bohuslav "Slavek" Kabrda
Modified: 2021-09-03 14:11 UTC (History)

Fixed In Version: python-blivet-0.18.2-1
Doc Type: Bug Fix
Last Closed: 2014-06-13 12:40:13 UTC

Description Bohuslav "Slavek" Kabrda 2013-05-24 08:55:09 UTC
Using

>>> blivet.iscsi.randomIname()

raises ValueError, because md5 is not allowed in fips mode. It seems that it would make sense to use

hashlib.md5(usedforsecurity=False), because AFAICS this is not something that would be security-critical.

Comment 2 Miloslav Trmač 2013-05-24 15:57:21 UTC
(In reply to Bohuslav "Slavek" Kabrda from comment #0)
> Using
> 
> >>> blivet.iscsi.randomIname()
> 
> raises ValueError, because md5 is not allowed in fips mode. It seems that it
> would make sense to use
> 
> hashlib.md5(usedforsecurity=False), because AFAICS this is not something
> that would be security-critical.

That's not completely obvious from a quick (and _uninformed_) look: what would happen if two different computers chose the same initiator name?

Why is it based on os.uname(), which changes a value on every kernel upgrade anyway?

If the desire is to make a random identifier, just do precisely that and generate random numbers, perhaps using os.urandom() if randomness is really required; no md5 use necessary.

I can't see what the construction (md5 of a system-specific-but-not-constant value) + random digits is supposed to achieve, so it's very likely I'm missing something.
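
The alternative raised in comment 2 (take the random part straight from os.urandom(), with no MD5 call), together with a birthday-bound estimate for the collision question asked there. This is an added example, not code from blivet or iscsi-iname; `random_iname` and `collision_probability` are hypothetical names, and the prefix is copied from the randomIname() shown on this page.

```python
import binascii
import math
import os

# Prefix copied from the randomIname() shown on this page.
IQN_PREFIX = "iqn.1994-05.com.domain:01."


def random_iname(nbytes=6, prefix=IQN_PREFIX):
    """Hypothetical helper: initiator name whose suffix comes from os.urandom().

    No hashlib digest is called, so the FIPS restriction on MD5 does not apply.
    nbytes=6 yields 12 hex digits (48 random bits).
    """
    if nbytes < 1:
        raise ValueError("nbytes must be at least 1")
    suffix = binascii.hexlify(os.urandom(nbytes)).decode("ascii")
    return prefix + suffix


def collision_probability(bits, hosts):
    """Birthday-bound estimate that at least two of `hosts` machines pick the
    same suffix when each draws uniformly from 2**bits values."""
    if hosts < 2:
        return 0.0
    pairs = hosts * (hosts - 1) / 2.0
    # expm1 keeps precision when the probability is tiny.
    return -math.expm1(-pairs / float(2 ** bits))


if __name__ == "__main__":
    print(random_iname())
    # 6 hex digits (as in the removed randomIname) carry at most 24 bits;
    # 12 hex digits carry 48 bits.
    for bits in (24, 48):
        print(bits, "bits, 1000 hosts:", collision_probability(bits, 1000))
```
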

Comment 3 David Lehman 2013-05-24 17:37:36 UTC
That code is from 2006 and includes the following comment: "Generate a random initiator name the same way as iscsi-iname". My guess is that there are some clues in either the man page or the code for iscsi-iname.

Comment 4 David Lehman 2013-08-08 19:09:44 UTC
How's this for a solution?

diff --git a/blivet/iscsi.py b/blivet/iscsi.py
index d35dbea..fceb881 100644
--- a/blivet/iscsi.py
+++ b/blivet/iscsi.py
@@ -25,8 +25,6 @@ import os
 import logging
 import shutil
 import time
-import hashlib
-import random
 import itertools
 log = logging.getLogger("blivet")
 
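Review bot: No import for `util` is added in this hunk, yet the last hunk calls `util.capture_output(["iscsi-iname"])`. The visible import block (os, logging, shutil, time, itertools) does not include it, so please confirm `util` is already imported above line 25 or add the import here alongside the removals.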
@@ -60,20 +58,6 @@ def has_iscsi():
 
     return True
 
-def randomIname():
-    """Generate a random initiator name the same way as iscsi-iname"""
-
-    s = "iqn.1994-05.com.domain:01."
-    m = hashlib.md5()
-    u = os.uname()
-    for i in u:
-        m.update(i)
-    dig = m.hexdigest()
-
-    for i in range(0, 6):
-        s += dig[random.randrange(0, 32)]
-    return s
-
 class iscsi(object):
     """ iSCSI utility class.
 
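Review bot: Deleting the module-level `randomIname()` outright breaks any caller outside this file, and the bug description itself calls `blivet.iscsi.randomIname()` directly. Either check other consumers before removing it, or keep a thin `randomIname()` that delegates to the same iscsi-iname call so the public name survives.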
@@ -115,7 +99,7 @@ class iscsi(object):
         if self._initiator != "":
             return self._initiator
 
-        return randomIname()
+        return util.capture_output(["iscsi-iname"]).strip()
 
     def _setInitiator(self, val):
         if self.initiatorSet and val != self._initiator:
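Review bot: The new return in the initiator getter does not check for a missing or failing `iscsi-iname` binary or for empty output, so the property can yield an empty string or an error from inside a getter, depending on how `util.capture_output` behaves. Suggest verifying that the stripped output is non-empty and starts with `iqn.`, and logging a clear message otherwise. The result is also not stored in `self._initiator`, so every access while it is unset runs the command again; worth stating in a comment whether that is intended.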

Comment 5 Miloslav Trmač 2013-08-10 18:21:19 UTC
One less MD5 user to think about => completely fine with me.

Comment 6 Jan Stodola 2014-01-30 12:41:37 UTC
Reproduced with python-blivet-0.18.1-1.el7

[root@localhost ~]# cat /proc/sys/crypto/fips_enabled 
1
[root@localhost ~]# rpm -q python-blivet
python-blivet-0.18.1-1.el7.noarch
[root@localhost ~]# python
Python 2.7.5 (default, Nov  6 2013, 23:28:41) 
[GCC 4.8.2 20131020 (Red Hat 4.8.2-2)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import blivet
>>> blivet.iscsi.iscsi().initiator
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/blivet/iscsi.py", line 118, in _getInitiator
    return randomIname()
  File "/usr/lib/python2.7/site-packages/blivet/iscsi.py", line 67, in randomIname
    m = hashlib.md5()
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
>>>

Verified with python-blivet-0.18.19-2.el7:

[root@localhost ~]# cat /proc/sys/crypto/fips_enabled 
1
[root@localhost ~]# rpm -q python-blivet
python-blivet-0.18.19-2.el7.noarch
[root@localhost ~]# python
Python 2.7.5 (default, Jan 14 2014, 07:56:48) 
[GCC 4.8.2 20131212 (Red Hat 4.8.2-9)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import blivet
>>> blivet.iscsi.iscsi().initiator
'iqn.1994-05.com.redhat:eda0611edc85'
>>>

Moving to VERIFIED.

Comment 7 Ludek Smid 2014-06-13 12:40:13 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

