Upgrade to 1.2.3, broken diffs, fips and md5


Dan

Oct 28, 2018, 6:08:45 AM
to Trac Users
I just migrated a customer install to 1.2.3 on CentOS 7.5 and, when trying to view diffs, I was seeing the following error:

ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

I ended up writing the following patch to resolve the issue:

--- ./web/api.py.orig   2018-10-18 07:52:24.205812859 -0700
+++ ./web/api.py        2018-10-27 17:18:17.864423747 -0700
@@ -21,2 +21,3 @@
 from datetime import datetime
+import hashlib
 from hashlib import md5
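Review bot: `import hashlib` is only needed so the last hunk can introspect `hashlib.new`; if that probe is replaced by attempting the keyword directly (see the note on the last hunk), this import and the `import inspect` in the next hunk can both go, leaving the existing `from hashlib import md5` as the only import.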
@@ -24,2 +25,3 @@
 import mimetypes
+import inspect
 import os
@@ -638,3 +640,10 @@
         if isinstance(extra, list):
-            m = md5()
+            try:
+              m = md5()
+            except ValueError as e:
+              if 'usedforsecurity' in inspect.getargspec(hashlib.new)[0]:
+                m = md5(usedforsecurity=False)
+              else:
+                raise e
+
             for elt in extra:
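Review bot: the probe and the call disagree: the signature of `hashlib.new` is inspected, but what is then called is `md5(usedforsecurity=False)`, so the patch silently assumes both accept the keyword. It is simpler and more robust to try the keyword and catch the failure, roughly `except ValueError: try: m = md5(usedforsecurity=False) except TypeError: raise`, which drops the need for `inspect` and for `getargspec` (deprecated on Python 3). Two smaller points: `raise e` inside an `except` clause discards the original traceback on Python 2, whereas a bare `raise` keeps it; and the added lines are indented two spaces where the surrounding code (`if isinstance` / `m = md5()`) uses four, so the block would fail the project's style check.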


Changing the hash may be more desirable, but this was the Minimum Viable Product.

Has anyone else run into this? If so, how was it resolved?

Peter Suter

Oct 28, 2018, 6:54:38 AM
to trac-...@googlegroups.com
On 28.10.2018 02:32, Dan wrote:
> I just migrated a customer install to 1.2.3 on CentOS 7.5 and when trying to view diffs, I was seeing the following error:
>
> ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
>
> Changing the hash may be more desirable, but this was the Minimum Viable Product.
>
> Has anyone else run into this? If so, how was it resolved?

Apparently there was a similar issue with notifications: https://trac.edgewall.org/ticket/12562
It's now possible to change the hash in trac.ini:
[notification]
message_id_hash = sha1
https://trac.edgewall.org/wiki/TracIni#notification-message_id_hash-option

But I don't think it applies to your case yet.

Jun Omae

Oct 29, 2018, 6:38:09 AM
to trac-...@googlegroups.com
The usedforsecurity parameter is supported only in RHEL/CentOS 6 and 7.
The issue cannot be resolved on Ubuntu 16.04.

md5 is used to generate the ETag header, which determines whether the page
content is cached. If not cached, the content is just rendered and
sent to the client.

We could use sha1 rather than md5 because the value does not need to be
kept between Trac versions. However, md5 is also used in
trac/web/auth.py to implement HTTP digest authentication and cannot be
removed. Therefore, HTTP digest authentication cannot be used in a
FIPS 140-2 environment.

If you don't need FIPS 140-2, try disabling it.


diff --git a/trac/web/api.py b/trac/web/api.py
index f98d1a93d..b93f4af36 100644
--- a/trac/web/api.py
+++ b/trac/web/api.py
@@ -19,7 +19,7 @@ from BaseHTTPServer import BaseHTTPRequestHandler
from Cookie import CookieError, BaseCookie, SimpleCookie
import cgi
from datetime import datetime
-from hashlib import md5
+from hashlib import sha1
import new
import mimetypes
import os
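Review bot: a short comment next to this import (or at the call site in the next hunk) stating that the digest is a cache key with no security role would stop a future reader from either putting md5 back or "upgrading" sha1 for the wrong reason; the only reason sha1 is the right choice here is that OpenSSL FIPS mode disables MD5 while leaving SHA-1 available. Since the reply notes that trac/web/auth.py still imports md5 for HTTP digest authentication, the commit message should say explicitly that this patch only fixes diff viewing/ETags and that digest auth remains unusable under FIPS.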
@@ -636,7 +636,7 @@ class Request(object):
so that consecutive requests can be cached.
"""
if isinstance(extra, list):
- m = md5()
+ m = sha1()
for elt in extra:
m.update(repr(elt))
extra = m.hexdigest()
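Review bot: the hexdigest grows from 32 to 40 characters, so every ETag issued after the upgrade differs from what clients already hold and each client gets one extra full render; that is harmless given the docstring's "so that consecutive requests can be cached" and the reply's point that the value need not survive across versions, but it belongs in the ticket description. Nothing else in the hunk depends on the digest length, so no further change is needed.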


--
Jun Omae <jun...@gmail.com> (大前 潤)
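To show how the two approaches in this thread fit together (Dan's `usedforsecurity=False` opt-out and Jun's SHA-1 swap), here is an added Python 3 example; it is not Trac's code and was not posted by anyone above. It picks a digest for a non-security use in the order the thread suggests and reproduces the ETag loop from trac/web/api.py. The `new` parameter and the three `simulate_*` factories are assumptions constructed for this example to stand in for the environments the thread mentions (RHEL/CentOS 7 in FIPS mode, stock Python, Ubuntu 16.04 in FIPS mode), because that behaviour cannot be reproduced on an ordinary interpreter.

```python
import hashlib

# Constructed stand-in for the OpenSSL message quoted in the thread; it is only
# raised by the simulated environments below, never by real code here.
FIPS_ERROR = ("error:060800A3:digital envelope routines:"
              "EVP_DigestInit_ex:disabled for fips")


def new_non_security_hash(name="md5", fallback="sha1", new=hashlib.new):
    """Return a hash object for a non-security use such as an ETag/cache key.

    `new` is a hashlib.new-style factory; it is a parameter only so that the
    simulated environments below can be exercised (an assumption of this
    example, not a Trac API).

    Attempt order:
      1. new(name, usedforsecurity=False): RHEL/CentOS-patched Python 2 and
         CPython >= 3.9 accept the keyword; under FIPS mode it is the only
         way to get md5 at all.
      2. new(name): the interpreter rejected the keyword (TypeError), the
         stock-Python case; outside FIPS mode the plain constructor works.
      3. new(fallback): the digest is disabled (ValueError) and cannot be
         re-enabled, the Ubuntu 16.04 case in the thread. SHA-1 is used
         because OpenSSL FIPS mode disables MD5 but leaves SHA-1 available.
    """
    try:
        return new(name, usedforsecurity=False)
    except TypeError:
        # Keyword not understood: fall through to the plain constructor.
        try:
            return new(name)
        except ValueError:
            pass  # disabled for fips and no way to opt out on this interpreter
    except ValueError:
        pass  # keyword accepted but the digest is still disabled
    return new(fallback)


def compute_etag(extra, new=hashlib.new):
    """Mirror the loop in Trac's Request.check_modified: feed repr() of each
    element of `extra` to the digest and return the hex digest used as ETag."""
    m = new_non_security_hash(new=new)
    for elt in extra:
        m.update(repr(elt).encode("utf-8"))
    return m.hexdigest()


# --- Simulated environments (constructed for this example) -------------------

def simulate_rhel_fips(name, **kwargs):
    """RHEL/CentOS 7 with FIPS on: keyword understood; without it md5 is refused."""
    if name == "md5" and kwargs.get("usedforsecurity", True):
        raise ValueError(FIPS_ERROR)
    return hashlib.new(name)  # real digest object so the demo produces output


def simulate_stock_python(name, **kwargs):
    """Unpatched Python 2 / CPython < 3.9 with FIPS off: keyword unknown, md5 ok."""
    if kwargs:
        raise TypeError("new() got an unexpected keyword argument 'usedforsecurity'")
    return hashlib.new(name)


def simulate_ubuntu_fips(name, **kwargs):
    """Ubuntu 16.04 with FIPS on: keyword unknown and md5 disabled."""
    if kwargs:
        raise TypeError("new() got an unexpected keyword argument 'usedforsecurity'")
    if name == "md5":
        raise ValueError(FIPS_ERROR)
    return hashlib.new(name)


if __name__ == "__main__":
    # Constructed sample of the kind of "extra" list Trac hashes for an ETag.
    sample = ["/wiki/WikiStart", 42, ("mtime", 1540000000)]
    for label, factory in [("real interpreter", hashlib.new),
                           ("RHEL 7 FIPS", simulate_rhel_fips),
                           ("stock Python", simulate_stock_python),
                           ("Ubuntu 16.04 FIPS", simulate_ubuntu_fips)]:
        h = new_non_security_hash(new=factory)
        print("%-18s %-5s %s" % (label, h.name, compute_etag(sample, new=factory)))
```

The HTTP digest authentication case Jun raises is deliberately left out: as he notes, that code path needs MD5 itself, so the opt-out keyword on an interpreter that supports it, or turning FIPS mode off, are the only options there.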

RjOllos

Nov 14, 2018, 10:50:38 PM
to Trac Users
Created a ticket for your proposed change:

- Ryan 