Waf rebuilding issue with python3

Douglas Bagnall douglas.bagnall at catalyst.net.nz
Thu Dec 13 10:06:40 UTC 2018 

On 13/12/18 8:09 PM, Volker Lendecke via samba-technical wrote:
> On Thu, Dec 13, 2018 at 01:48:16PM +1300, Andrew Bartlett via samba-technical wrote:
>> On Wed, 2018-12-12 at 18:58 +0100, Stefan Metzmacher wrote:
>>>
>>> Maybe there're some ordering/sorting differences between
>>> python2 and python3. Or is somehow uses a different
>>> hashing algorithm.
>>>
>>> metze
>>
>> Yes, that is it, the per-exec seed for the hash function used to avoid
>> hash attacks on production servers.  Attached is a workaround I've
>> pushed to autobuild while someone finds the rouge hash.
> 
> It's weird to put randomness into the hash determining the file
> content. But that's waf for you...
> 

I can't reproduce it, but buildtools/wafsamba/samba_utils.py around 370
looks suspicious to me:

> # make sure we have md5. some systems don't have it
> try:
>     from hashlib import md5
>     # Even if hashlib.md5 exists, it may be unusable.
>     # Try to use MD5 function. In FIPS mode this will cause an exception
>     # and we'll get to the replacement code
>     foo = md5(b'abcd')

Ignore this bit for a second...

> except:
>     try:
>         import md5
          ^^^^^^^^^^
This will always fail in Python 3 (no md5 module). So we fall back to

>         # repeat the same check here, mere success of import is not enough.
>         # Try to use MD5 function. In FIPS mode this will cause an exception
>         foo = md5.md5(b'abcd')
>     except:
>         Context.SIG_NIL = hash('abcd')
>         class replace_md5(object):
>             def __init__(self):
>                 self.val = None
>             def update(self, val):
>                 self.val = hash((self.val, val))
                             ^^^^
using the builtin randomised hash here.

>             def digest(self):
>                 return str(self.val)
>             def hexdigest(self):
>                 return self.digest().encode('hex')
>         def replace_h_file(filename):
>             f = open(filename, 'rb')
>             m = replace_md5()
>             while (filename):
>                 filename = f.read(100000)
>                 m.update(filename)
>             f.close()
>             return m.digest()
>         Utils.md5 = replace_md5
>         Task.md5 = replace_md5
>         Utils.h_file = replace_h_file
> 

So the question is why/whether the first "from hashlib import md5; md5(b'abcd')" can fail.
I can't see a problem, unless people indeed have FIPS compliant pythons.

(Well, I can see problems in the way the code is silently catching all exceptions,
causing this all this mystery, but that's a slightly different matter).

cheers,
Douglas

More information about the samba-technical mailing list