Bug 966903 - python-blivet fails in fips mode
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: python-blivet
Version: 7.0
Assigned To: David Lehman
QA Contact: Release Test Team
Blocks: 839624
Reported: 2013-05-24 04:55 EDT by Bohuslav "Slavek" Kabrda
Modified: 2014-06-18 00:43 EDT
Fixed In Version: python-blivet-0.18.2-1
Doc Type: Bug Fix
Last Closed: 2014-06-13 08:40:13 EDT
Type: Bug
Attachments: None

Description Bohuslav "Slavek" Kabrda 2013-05-24 04:55:09 EDT
Using

>>> blivet.iscsi.randomIname()

raises ValueError, because md5 is not allowed in fips mode. It seems that it would make sense to use

hashlib.md5(usedforsecurity=False), because AFAICS this is not something that would be security-critical.
Comment 2 Miloslav Trmač 2013-05-24 11:57:21 EDT
(In reply to Bohuslav "Slavek" Kabrda from comment #0)
> Using
> 
> >>> blivet.iscsi.randomIname()
> 
> raises ValueError, because md5 is not allowed in fips mode. It seems that it
> would make sense to use
> 
> hashlib.md5(usedforsecurity=False), because AFAICS this is not something
> that would be security-critical.

That's not completely obvious from a quick (and _uninformed_) look: what would happen if two different computers chose the same initiator name?

Why is it based on os.uname(), which changes a value on every kernel upgrade anyway?

If the desire is to make a random identifier, just do precisely that and generate random numbers, perhaps using os.urandom() if randomness is really required; no md5 use necessary.

I can't see what the construction (md5 of a system-specific-but-not-constant value) + random digits is supposed to achieve, so it's very likely I'm missing something.
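The two alternatives raised in this thread, side by side, as an added example that is not part of the bug report or of blivet's own code: a hash-free initiator name whose suffix comes straight from os.urandom (Miloslav's suggestion), and an MD5 call flagged with usedforsecurity=False (the reporter's suggestion), plus a check for the kernel's FIPS flag that the verification steps later read by hand. The names random_iname, is_plausible_iqn, md5_hex_not_for_security and fips_enabled are assumptions made for this illustration; the 6-byte (12 hex character) suffix only mirrors the shape of the name seen in the verification output and is not iscsi-iname's actual algorithm; and the regex is a shape check, not a full RFC 3720 validator.

```python
import hashlib
import os
import re

# Prefix used by the original randomIname(); only the suffix generation changes.
IQN_PREFIX = "iqn.1994-05.com.domain:01."

# Minimal shape check for iqn.yyyy-mm.<reversed-domain>[:<string>].
# Assumption: a sanity check for this example, not a complete RFC 3720 validator.
_IQN_RE = re.compile(r"^iqn\.\d{4}-\d{2}\.[a-z0-9][a-z0-9.-]*(?::[a-z0-9.:-]+)?$")


def fips_enabled() -> bool:
    """True when the Linux kernel reports FIPS mode (the sysctl the thread reads by hand);
    False on other platforms or when the file is unreadable."""
    try:
        with open("/proc/sys/crypto/fips_enabled") as f:
            return f.read().strip() == "1"
    except OSError:
        return False


def random_iname(nbytes: int = 6, rng=os.urandom) -> str:
    """Build an initiator name from a purely random suffix, with no hash involved.

    nbytes random bytes become 2*nbytes lowercase hex characters. `rng` is injectable
    so a test can supply a fixed byte source; production callers leave it at os.urandom.
    Because nothing system-specific goes in, two machines collide only if their random
    bytes collide (2**48 possibilities for the default 6 bytes).
    """
    if nbytes < 1:
        raise ValueError("nbytes must be positive")
    return IQN_PREFIX + rng(nbytes).hex()


def is_plausible_iqn(name: str) -> bool:
    """Shape check so a caller can reject an obviously malformed initiator name."""
    return bool(_IQN_RE.match(name))


def md5_hex_not_for_security(data: bytes) -> str:
    """MD5 explicitly flagged as a non-security use.

    The usedforsecurity keyword exists on Python 3.9+ (the reporter's RHEL Python 2.7
    carries an equivalent patch, which is why the report proposes it); it tells the
    OpenSSL FIPS provider that this digest is not cryptographic, so it is permitted.
    Interpreters without the keyword raise TypeError; there the plain call is used and
    will raise ValueError under FIPS exactly as the traceback in this bug shows.
    """
    try:
        h = hashlib.md5(data, usedforsecurity=False)
    except TypeError:
        h = hashlib.md5(data)
    return h.hexdigest()


if __name__ == "__main__":
    print("FIPS mode:", fips_enabled())
    name = random_iname()
    print(name, "plausible IQN:", is_plausible_iqn(name))
    print("md5('') for non-security use:", md5_hex_not_for_security(b""))
```

The injectable rng is the only test seam; with the default os.urandom the function needs no hash library at all, which is what makes it indifferent to FIPS mode.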
Comment 3 David Lehman 2013-05-24 13:37:36 EDT
That code is from 2006 and includes the following comment: "Generate a random initiator name the same way as iscsi-iname". My guess is that there are some clues in either the man page or the code for iscsi-iname.
Comment 4 David Lehman 2013-08-08 15:09:44 EDT
How's this for a solution?

diff --git a/blivet/iscsi.py b/blivet/iscsi.py
index d35dbea..fceb881 100644
--- a/blivet/iscsi.py
+++ b/blivet/iscsi.py
@@ -25,8 +25,6 @@ import os
 import logging
 import shutil
 import time
-import hashlib
-import random
 import itertools
 log = logging.getLogger("blivet")
 
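Review bot: with `import hashlib` and `import random` dropped, nothing in this visible import block brings in `util`, yet the replacement in `_getInitiator` below calls `util.capture_output([...])`. If `util` is not already imported above line 25 of the module, add the import here (in whatever form the module uses for its sibling modules), or the fix trades the FIPS ValueError for a NameError on the first call.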
@@ -60,20 +58,6 @@ def has_iscsi():
 
     return True
 
-def randomIname():
-    """Generate a random initiator name the same way as iscsi-iname"""
-
-    s = "iqn.1994-05.com.domain:01."
-    m = hashlib.md5()
-    u = os.uname()
-    for i in u:
-        m.update(i)
-    dig = m.hexdigest()
-
-    for i in range(0, 6):
-        s += dig[random.randrange(0, 32)]
-    return s
-
 class iscsi(object):
     """ iSCSI utility class.
 
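Review bot: deleting `randomIname()` removes a public module-level function that callers reach directly; the reporter's own reproducer is `blivet.iscsi.randomIname()`, and any remaining caller will now get AttributeError instead of a name. Either check for external callers before removing it, or keep a one-line `randomIname()` that returns `util.capture_output(["iscsi-iname"]).strip()` so the interface survives while the MD5 construction goes away.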
@@ -115,7 +99,7 @@ class iscsi(object):
         if self._initiator != "":
             return self._initiator
 
-        return randomIname()
+        return util.capture_output(["iscsi-iname"]).strip()
 
     def _setInitiator(self, val):
         if self.initiatorSet and val != self._initiator:
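Review bot: `util.capture_output(["iscsi-iname"]).strip()` assumes the `iscsi-iname` binary is installed and exits cleanly; if it is missing or fails, the property yields an empty string (or an exception, depending on what capture_output does on a non-zero exit) and the caller ends up with an unusable initiator name. Check that the result is non-empty and raise or log a clear error otherwise, and make sure the package providing `iscsi-iname` is declared as a runtime dependency. As with the old code, the generated value is never stored in `self._initiator`, so every read while no initiator is set runs the tool and returns a different name; if the property is expected to be stable within a session, cache the first result.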
Comment 5 Miloslav Trmač 2013-08-10 14:21:19 EDT
One less MD5 user to think about => completely fine with me.
Comment 6 Jan Stodola 2014-01-30 07:41:37 EST
Reproduced with python-blivet-0.18.1-1.el7

[root@localhost ~]# cat /proc/sys/crypto/fips_enabled 
1
[root@localhost ~]# rpm -q python-blivet
python-blivet-0.18.1-1.el7.noarch
[root@localhost ~]# python
Python 2.7.5 (default, Nov  6 2013, 23:28:41) 
[GCC 4.8.2 20131020 (Red Hat 4.8.2-2)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import blivet
>>> blivet.iscsi.iscsi().initiator
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/blivet/iscsi.py", line 118, in _getInitiator
    return randomIname()
  File "/usr/lib/python2.7/site-packages/blivet/iscsi.py", line 67, in randomIname
    m = hashlib.md5()
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
>>>

Verified with python-blivet-0.18.19-2.el7:

[root@localhost ~]# cat /proc/sys/crypto/fips_enabled 
1
[root@localhost ~]# rpm -q python-blivet
python-blivet-0.18.19-2.el7.noarch
[root@localhost ~]# python
Python 2.7.5 (default, Jan 14 2014, 07:56:48) 
[GCC 4.8.2 20131212 (Red Hat 4.8.2-9)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import blivet
>>> blivet.iscsi.iscsi().initiator
'iqn.1994-05.com.redhat:eda0611edc85'
>>>

Moving to VERIFIED.
Comment 7 Ludek Smid 2014-06-13 08:40:13 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
