MD5 compatibility fixes (was: [SCM] Samba Shared Repository - branch master updated)
Jelmer Vernooij
jelmer at samba.org
Sat Dec 8 08:12:52 MST 2012
On Sat, Dec 08, 2012 at 04:55:23PM +0200, Alexander Bokovoy wrote:
> On Sat, Dec 8, 2012 at 2:44 PM, Jelmer Vernooij <jelmer at samba.org> wrote:
> > On Sat, Dec 08, 2012 at 01:31:03PM +0100, Andreas Schneider wrote:
> >> Changeset truncated at 500 lines:
> >>
> >> diff --git a/buildtools/wafsamba/samba_utils.py b/buildtools/wafsamba/samba_utils.py
> >> index c1869df..cab87a4 100644
> >> --- a/buildtools/wafsamba/samba_utils.py
> >> +++ b/buildtools/wafsamba/samba_utils.py
> >> @@ -388,9 +388,17 @@ def RUN_COMMAND(cmd,
> >> # make sure we have md5. some systems don't have it
> >> try:
> >> from hashlib import md5
> >> + try:
> >> + foo = md5.md5('abcd')
> >> + except ValueError:
> >> + raise
> > This looks really odd - what does the 'except ValueError: ; raise' bit do?
> > Wouldn't the behaviour of this code be the same without it?
> No, it is not.
>
> FIPS mode is preventing certain (outdated) cryptographic operations to
> be used. When operating system runs in FIPS mode all access to actual
> banned crypto algorithms will cause failures.
>
> In FIPS mode Python md5 module can be imported without any issues and
> ValueError exception will be raised when actually attempting to call
> to md5 function. Thus, we would never see that the code would actually
> be unusable with existing check.
>
> This leads to sudden failure of configure stage later because waf uses
> hash function (md5 by default) to notice differences between objects'
> states. The hash calculation is done deep in waf code causes unhandled
> exception in FIPS mode and that one causes early exit from
> run_c_code() routine, leaving unbalanced "enter directory - leave
> directory" pairs. The latter causes sudden removal of the temporary
> directory while it is in use by the configure check which, in turn,
> causes os.getcwd('.') to throw exception (since current directory was
> just deleted) and abort the execution.
That bit seems reasonable; I'm curious about the re-raising of the
exception.
> The way I've coded this fix we are re-using existing infra in wafsamba
> to replace hash function. I'm re-raising exception that FIPS mode may
> raise so that we are falling through to actual replacement code.
What is the point of re-raising the exception? This:
try:
x = md5.md5('foo')
except ValueError:
raise
should be equivalent to this:
x = md5.md5('foo')
If not, can you explain what the difference is?
Cheers,
Jelmer
More information about the samba-technical
mailing list