
Opened 6 years ago

Closed 4 years ago

#12854 closed defect (fixed)

Clicking on the Admin Users link generates "error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips"

Reported by: adrya.stembridge@… Owned by: Jun Omae
Priority: high Component: AccountManagerPlugin
Severity: normal Keywords: fips, md5, sha1
Cc: Trac Release:

Description (last modified by Ryan J Ollos)

I recently upgraded our server from EL6 to EL7, however the major change is that this system is now running in FIPS mode. When systems are running in FIPS mode, MD5 hashing is not available.

Trac works OK, except when I go to Admin - Users (https://example.com/trac/admin/accounts/users). The following error appears instead of the Users page:

Trac detected an internal error: 
"ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips"

Trac maintainers are addressing a similar error with notification.py by adding a configuration item allowing admins to select MD5 (default) or SHA1 for the digest algorithm. Previously, MD5 was hard coded into the python scripts.

trac:#12562

Python Traceback

Most recent call last:
    File "/usr/lib/python2.7/site-packages/trac/web/main.py", line 554, in _dispatch_request
    File "/usr/lib/python2.7/site-packages/trac/web/main.py", line 247, in dispatch
    File "/usr/lib/python2.7/site-packages/trac/admin/web_ui.py", line 119, in process_request
    File "/usr/lib/python2.7/site-packages/acct_mgr/admin.py", line 204, in render_admin_panel
    File "/usr/lib/python2.7/site-packages/acct_mgr/admin.py", line 449, in _do_users
    File "/usr/lib/python2.7/site-packages/acct_mgr/admin.py", line 73, in fetch_user_data
    File "/usr/lib/python2.7/site-packages/acct_mgr/model.py", line 140, in get_user_attribute 

System Information:

Trac 	1.0.10
Babel 	0.9.6
Genshi 	0.7 (with speedups)
mod_wsgi 	3.4 (WSGIProcessGroup WSGIApplicationGroup %{GLOBAL})
pysqlite 	2.6.0
Python 	2.7.5 (default, Aug 9 2016, 05:27:46) [GCC 4.8.5 20150623 (Red Hat 4.8.5-4)]
setuptools 	0.9.8
SQLite 	3.7.17
jQuery	1.7.2
jQuery UI	1.8.21
jQuery Timepicker	1.0.1

Enabled Plugins:
CKIntegration 	1.1dev 	/usr/lib/python2.7/site-packages
TracAccountManager 	0.4.4 	/usr/lib/python2.7/site-packages

Attachments (2)

model.py (9.2 KB) - added by adrya.stembridge@… 6 years ago.
changed md5 to sha1
patch.txt (1.4 KB) - added by anonymous 4 years ago.
diff -Uaur ORIG_model.py NEW_model.py > patch.txt


Change History (16)

comment:1 Changed 6 years ago by adrya.stembridge@…

Apologies for the formatting in the submitted bug report. I am unable to edit.

comment:2 Changed 6 years ago by Ryan J Ollos

Description: modified (diff)

comment:3 Changed 6 years ago by Ryan J Ollos

Owner: changed from Steffen Hoffmann to Ryan J Ollos
Status: new → accepted

There are 3 uses of hashlib.md5 in accountmanagerplugin/trunk/acct_mgr/model.py@15717:475,493,499#L465. I'll need to study the code to see if it's a simple matter of replacing the md5 hash method with another hash method.

comment:4 Changed 6 years ago by adrya.stembridge@…

I noticed that as well. Could hash type be set as a config option rather than hard coding?

comment:5 Changed 6 years ago by adrya.stembridge@…

The attached model.py works fine. I replaced md5 with sha1.

Note that my trac.ini [account-manager] section also contains htpasswd_hash_type = sha1

Changed 6 years ago by adrya.stembridge@…

Attachment: model.py added

changed md5 to sha1

comment:6 Changed 6 years ago by Jun Omae

Could you please post the patch in unified diff format rather than as a modified file? See trac:wiki:TracDev/SubmittingPatches.

comment:7 Changed 6 years ago by adrya.stembridge@…

Yes, I'll work on this ASAP. Will be out of town this weekend, look for it next week. This would be my very first submitted patch to anything. :D

comment:8 Changed 5 years ago by Ryan J Ollos

Owner: Ryan J Ollos deleted
Status: accepted → new

comment:9 Changed 4 years ago by adrya.stembridge@…

Realized that I never attached the patch file. Just attached to this ticket.

Changed 4 years ago by anonymous

Attachment: patch.txt added

diff -Uaur ORIG_model.py NEW_model.py > patch.txt

comment:10 Changed 4 years ago by Jun Omae

Keywords: algorithm Digest removed

comment:11 Changed 4 years ago by adrya.stembridge@…

The updated file works fine - this issue could be marked closed, or once verified perhaps rolled into production?

comment:12 Changed 4 years ago by Jun Omae

I noticed an issue about the hexdigest while refactoring the patch. The same hexdigest can be generated because account, authenticated and name are simply concatenated.

    account   authenticated   name   concatenated string
    foo       1               b0ah   foo1b0ah
    foo1b     0               ah     foo1b0ah

The workaround is to pad a null byte between the values:

  • accountmanagerplugin/trunk/acct_mgr/model.py

    diff --git a/accountmanagerplugin/trunk/acct_mgr/model.py b/accountmanagerplugin/trunk/acct_mgr/model.py
    index 24aa7233d..8c421a77a 100644
    a b def get_user_attribute(env, username=None, authenticated=1, attribute=None, 
    441441        """ % (sel_stmt, where_stmt)
    442442    sql_args = tuple(constraints)
    443443
     444    def unique_id(*values):
     445        # Generate sha1 digest from NUL value1 NUL value2 NUL value3 NUL
     446        m = hashlib.sha1()
     447        m.update('\0')
     448        for value in values:
     449            if isinstance(value, unicode):
     450                value = value.encode('utf-8')
     451            elif not isinstance(value, str):
     452                value = str(value)
     453            m.update(value)
     454            m.update('\0')
     455        return m.hexdigest()
     456
    444457    res = {}
    445458    for row in env.db_query(sql, sql_args):
    446459        if sel_stmt == 'COUNT(*)':
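Review bot: the NUL framing in unique_id removes the collision shown in the table only as long as no value itself contains a NUL byte; a comment stating that assumption (or a check that rejects such values) would make the invariant explicit. Also, `value = str(value)` in the `elif` branch silently turns a missing name (`None`) into the text 'None', where the previous `''.join([...])` would have raised; consider handling `None` explicitly rather than hashing its string form.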
    def get_user_attribute(env, username=None, authenticated=1, attribute=None, 
    452465        account = res_row.pop('sid')
    453466        authenticated = res_row.pop('authenticated')
    454467        # Create single unique attribute ID.
    455         m = hashlib.md5()
    456         m.update(''.join([account, str(authenticated),
    457                           res_row.get('name')]).encode('utf-8'))
    458         row_id = m.hexdigest()
     468        row_id = unique_id(account, authenticated, res_row.get('name'))
    459469        if account in res:
    460470            if authenticated in res[account]:
    461471                res[account][authenticated].update({
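Review bot: row_id is now built from `res_row.get('name')`, while the id dictionary for the same row a few lines below is keyed by `res_row['name']`; using `res_row['name']` in the unique_id call as well keeps the two consistent and surfaces a missing key as a KeyError instead of hashing the string 'None'.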
    def get_user_attribute(env, username=None, authenticated=1, attribute=None, 
    470480                    'id': {res_row['name']: row_id}
    471481                }
    472482                # Create account ID for additional authentication state.
    473                 m = hashlib.md5()
    474                 m.update(''.join([account,
    475                                   str(authenticated)]).encode('utf-8'))
    476                 res[account]['id'][authenticated] = m.hexdigest()
     483                res[account]['id'][authenticated] = unique_id(account,
     484                                                              authenticated)
    477485        else:
    478486            # Create account ID for authentication state.
    479             m = hashlib.md5()
    480             m.update(''.join([account, str(authenticated)]).encode('utf-8'))
    481487            res[account] = {
    482488                authenticated: {
    483489                    res_row['name']: res_row['value'],
    484490                    'id': {res_row['name']: row_id}
    485491                },
    486                 'id': {authenticated: m.hexdigest()}
     492                'id': {authenticated: unique_id(account, authenticated)}
    487493            }
    488494    return res
    489495
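Review bot: `unique_id(account, authenticated)` is evaluated twice in this hunk with identical arguments, once in the `if` branch (line 483) and again in the `else` branch (line 492); computing it once next to row_id, above the branch, and reusing the result removes the duplication and guarantees the two account ids stay equal.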

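The collision described in comment:12 and the NUL-framed fix can be checked in isolation. The following is an added example, not the plugin's code: it reimplements the old concatenation scheme and the framed scheme from the patch in Python 3 (the ticket's code targets Python 2), reuses the two rows from the table above as constructed input, and, going a step beyond the patch, rejects values that contain a NUL byte, since the framing is only unambiguous under that assumption.

```python
import hashlib

# Added example, not the plugin's code. Function names naive_id, unique_id
# and collides are this example's own; Python 3 is assumed.


def naive_id(account, authenticated, name):
    """Old scheme: plain concatenation, so field boundaries are lost."""
    m = hashlib.sha1()
    m.update("".join([account, str(authenticated), name]).encode("utf-8"))
    return m.hexdigest()


def unique_id(*values):
    """Framed scheme: NUL before, between and after every value.

    Digest input is NUL value1 NUL value2 NUL ... NUL, as in the patch.
    Assumption: no value contains a NUL byte; a value that does is
    rejected instead of being hashed into an ambiguous byte string.
    Bytes are passed through, everything else goes through str().
    """
    m = hashlib.sha1()
    m.update(b"\0")
    for value in values:
        if isinstance(value, bytes):
            data = value
        else:
            data = str(value).encode("utf-8")
        if b"\0" in data:
            raise ValueError("value must not contain a NUL byte")
        m.update(data)
        m.update(b"\0")
    return m.hexdigest()


# Constructed rows, taken from the table in comment:12:
# (account, authenticated, name). Both concatenate to "foo1b0ah".
ROWS = [("foo", 1, "b0ah"), ("foo1b", 0, "ah")]


def collides(id_func, rows=ROWS):
    """True when two distinct rows are mapped to the same id."""
    ids = [id_func(*row) for row in rows]
    return len(set(ids)) < len(ids)


if __name__ == "__main__":
    print("naive concatenation collides:", collides(naive_id))   # True
    print("NUL-framed digest collides:  ", collides(unique_id))  # False
```

With the naive scheme both rows hash "foo1b0ah" and share an id; with the framing the digest inputs differ in where the NUL separators fall, so the ids differ. Using `str(value)` keeps the patch's handling of integers, but it also means a `None` name is hashed as the text "None", which is why the review note above suggests passing `res_row['name']` rather than `res_row.get('name')`.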
comment:13 Changed 4 years ago by Ryan J Ollos

comment:12 change looks good to me. Please go ahead and commit that and any other changes you like.

comment:14 Changed 4 years ago by Jun Omae

Owner: set to Jun Omae
Resolution: fixed
Status: new → closed

In 17222:

TracAccountManager: use sha1 rather than md5 which is not available with FIPS mode (closes #12854)

Initial patch by adrya.stembridge@…
