MD5 compatibility fixes (was: [SCM] Samba Shared Repository - branch master updated)
ab at samba.org
Sat Dec 8 07:55:23 MST 2012
On Sat, Dec 8, 2012 at 2:44 PM, Jelmer Vernooij <jelmer at samba.org> wrote:
> On Sat, Dec 08, 2012 at 01:31:03PM +0100, Andreas Schneider wrote:
>> Changeset truncated at 500 lines:
>> diff --git a/buildtools/wafsamba/samba_utils.py b/buildtools/wafsamba/samba_utils.py
>> index c1869df..cab87a4 100644
>> --- a/buildtools/wafsamba/samba_utils.py
>> +++ b/buildtools/wafsamba/samba_utils.py
>> @@ -388,9 +388,17 @@ def RUN_COMMAND(cmd,
>> # make sure we have md5. some systems don't have it
>> from hashlib import md5
>> + try:
>> + foo = md5.md5('abcd')
>> + except ValueError:
>> + raise
> This looks really odd - what does the 'except ValueError: ; raise' bit do?
> Wouldn't the behaviour of this code be the same without it?
No, it is not.
FIPS mode is preventing certain (outdated) cryptographic operations to
be used. When operating system runs in FIPS mode all access to actual
banned crypto algorithms will cause failures.
In FIPS mode Python md5 module can be imported without any issues and
ValueError exception will be raised when actually attempting to call
to md5 function. Thus, we would never see that the code would actually
be unusable with existing check.
This leads to sudden failure of configure stage later because waf uses
hash function (md5 by default) to notice differences between objects'
states. The hash calculation is done deep in waf code causes unhandled
exception in FIPS mode and that one causes early exit from
run_c_code() routine, leaving unbalanced "enter directory - leave
directory" pairs. The latter causes sudden removal of the temporary
directory while it is in use by the configure check which, in turn,
causes os.getcwd('.') to throw exception (since current directory was
just deleted) and abort the execution.
The way I've coded this fix we are re-using existing infra in wafsamba
to replace hash function. I'm re-raising exception that FIPS mode may
raise so that we are falling through to actual replacement code.
Look to alternative patch that is all in waf proper and attempted to
move it to sha1: http://cpaste.org/1521/
/ Alexander Bokovoy
More information about the samba-technical