#2291 error raised by `hashlib.md5()` on RHEL8.2 (MD5 is disabled by FIPS)
Closed: Fixed 3 years ago by tkopecek. Opened 3 years ago by julian8628.

error example:

```
[Mon Jun 01 09:02:00.211967 2020] [wsgi:error] [pid 88216] [client 10.72.12.22:60781] 211 [ERROR] m=taskinfo u=yzhu@IPA.REDHAT.COM p=88216 r=10.72.12.22:60781 koji.web: Traceback (most recent call last):
[Mon Jun 01 09:02:00.212109 2020] [wsgi:error] [pid 88216] [client 10.72.12.22:60781]   File "/usr/share/koji-web/scripts/wsgi_publisher.py", line 370, in handle_request
[Mon Jun 01 09:02:00.212134 2020] [wsgi:error] [pid 88216] [client 10.72.12.22:60781]     result = func(environ, **data)
[Mon Jun 01 09:02:00.212154 2020] [wsgi:error] [pid 88216] [client 10.72.12.22:60781]   File "/usr/share/koji-web/scripts/index.py", line 741, in taskinfo
[Mon Jun 01 09:02:00.212175 2020] [wsgi:error] [pid 88216] [client 10.72.12.22:60781]     return _genHTML(environ, 'taskinfo.chtml')
[Mon Jun 01 09:02:00.212195 2020] [wsgi:error] [pid 88216] [client 10.72.12.22:60781]   File "/usr/share/koji-web/lib/kojiweb/util.py", line 136, in _genHTML
[Mon Jun 01 09:02:00.212373 2020] [wsgi:error] [pid 88216] [client 10.72.12.22:60781]     environ['koji.values']['authToken'] = _genToken(environ)
[Mon Jun 01 09:02:00.212400 2020] [wsgi:error] [pid 88216] [client 10.72.12.22:60781]   File "/usr/share/koji-web/lib/kojiweb/util.py", line 176, in _genToken
[Mon Jun 01 09:02:00.212421 2020] [wsgi:error] [pid 88216] [client 10.72.12.22:60781]     return hashlib.md5(value).hexdigest()[-8:]
[Mon Jun 01 09:02:00.212441 2020] [wsgi:error] [pid 88216] [client 10.72.12.22:60781] ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS
```

Adding the `usedforsecurity=False` argument will resolve this issue, but this option is not available on older platforms.
We might need to add some version check for this.


Metadata Update from @julian8628:
- Custom field Size adjusted to None
- Issue set to the milestone: 1.22

3 years ago

Yep, I would use it (probably md5 wrapper again), but in this concrete case we can just use another hash function because it is used for security :-)

Yep, I would use it (probably md5 wrapper again).

PR #2317 to use sha1 instead of md5 for web token and a wrapper for other calls

Metadata Update from @jcupova:
- Issue tagged with: testing-ready

3 years ago

Metadata Update from @mfilip:
- Issue tagged with: testing-done

3 years ago
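A sketch of the two approaches discussed in this ticket, as an added example (not Koji's code and not the contents of PR #2317): an MD5 wrapper that passes `usedforsecurity=False` where the platform accepts it, and a SHA-1 based token. The names `plain_md5_blocked`, `md5_nonsecurity` and `gen_token` are hypothetical, and the sample inputs are constructed.

```python
import hashlib


def plain_md5_blocked():
    """Return True when the crypto policy (e.g. FIPS mode) rejects md5()."""
    try:
        hashlib.md5(b"")
    except ValueError:  # the "disabled for FIPS" error seen in the traceback
        return True
    return False


def md5_nonsecurity(data=b"", _md5=hashlib.md5):
    """MD5 for checksums and other non-security uses (hypothetical helper).

    Tries the usedforsecurity=False keyword first. A platform that does not
    know the keyword raises TypeError, so fall back to the plain call there.
    A ValueError from a FIPS-enforcing platform without the keyword is not
    caught: MD5 is genuinely unavailable in that case.
    """
    try:
        return _md5(data, usedforsecurity=False)
    except TypeError:
        return _md5(data)


def gen_token(value):
    """Short web token derived with SHA-1 instead of MD5 (hypothetical helper).

    Keeps the last-8-hex-digits shape of the failing line in the traceback.
    """
    return hashlib.sha1(value).hexdigest()[-8:]


if __name__ == "__main__":
    # Constructed sample inputs, for illustration only.
    print("plain md5 blocked:", plain_md5_blocked())
    print("md5 checksum:", md5_nonsecurity(b"abc").hexdigest())
    print("token:", gen_token(b"constructed-session-value"))
```

Catching `TypeError` avoids an explicit version check, since some distributions backport the keyword to older Python releases.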


Metadata
Related Pull Requests
  • #2317 Merged 3 years ago