barman-wal-archive not working on FIPS 140 mode enabled systems

Norbert Poellmann

Jul 28, 2021, 7:53:59 AM
to Barman, Backup and Recovery Manager for PostgreSQL
Hi,
with barman 2.12.1-1.rhel8 command: barman-wal-archive we ran into a problem with usage of python3.6 hashlib.md5().
Because of a system/kernel enabled FIPS mode:
[postgres@myserver ~]$ fips-mode-setup --check
FIPS mode is enabled

$ python3.6 -c "import hashlib; m=hashlib.md5()"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS

barman-wal-archive uses hashlib.md5() and hits this problem.
We are working in a company environment, where kernel disable of FIPS rules

Any ideas? A barman version without usage of md5() coming?

As far as I see, these two small changes might help (it helps for me with python3.6, even if https://docs.python.org/3/library/hashlib.html says something about the new keyword argument usedforsecurity starting with v3.9):

cd /usr/lib/python3.6/site-packages/barman
[root@myserver barman]$ grep -irs hashlib.md5 .
./clients/walarchive.py:    #checksum = hashlib.md5()
./clients/walarchive.py:    checksum = hashlib.md5(usedforsecurity=False)
./utils.py:    #md5 = hashlib.md5()
./utils.py:    checksum = hashlib.md5(usedforsecurity=False)


Thanks,
Norbert Poellmann

Abhijit Menon-Sen

Jul 29, 2021, 1:30:00 PM
to pgba...@googlegroups.com
On Wed, Jul 28, 2021 at 5:24 PM Norbert Poellmann <n...@bsn.com> wrote:
>
> As far as I see, these two small changes might help (it helps for me with python3.6, even if https://docs.python.org/3/library/hashlib.html says something about the new keyword argument usedforsecurity starting with v3.9):
>
> cd /usr/lib/python3.6/site-packages/barman
> [root@myserver barman]$ grep -irs hashlib.md5 .
> ./clients/walarchive.py: #checksum = hashlib.md5()
> ./clients/walarchive.py: checksum = hashlib.md5(usedforsecurity=False)
> ./utils.py: #md5 = hashlib.md5()
> ./utils.py: checksum = hashlib.md5(usedforsecurity=False)

Thanks for the report.

At first glance, I would actually prefer to switch to a different hash
than to use a keyword argument that is version-specific, since we
support a range of Python versions (and have not yet removed 2.7
support).

We shall investigate further.

-- Abhijit
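
One way to reconcile the two positions in this thread, as an added example (not part of either message and not Barman's code): try the usedforsecurity=False keyword, fall back to the plain call on interpreters that lack it, and switch to SHA-256 when MD5 is refused. The helper names, the injectable md5_ctor parameter, the "name:hexdigest" output format and the sample bytes are assumptions made for illustration.

```python
import hashlib
import io


def new_checksum(md5_ctor=hashlib.md5):
    """Return (name, hash object) for a non-security integrity checksum.

    md5_ctor is injectable only so the fallbacks can be exercised off-FIPS.
    """
    try:
        # Python 3.9+ documents this flag; the report above shows the RHEL 8
        # python3.6 build accepting it as well.
        return "md5", md5_ctor(usedforsecurity=False)
    except TypeError:
        pass  # interpreter without the keyword (e.g. 2.7): try the plain call
    except ValueError:
        return "sha256", hashlib.sha256()  # MD5 refused even with the flag
    try:
        return "md5", md5_ctor()
    except ValueError:
        # FIPS mode: "disabled for FIPS", as in the traceback above
        return "sha256", hashlib.sha256()


def stream_checksum(stream, md5_ctor=hashlib.md5, chunk_size=65536):
    """Hash a binary stream in chunks; return 'name:hexdigest'."""
    name, digest = new_checksum(md5_ctor)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return "%s:%s" % (name, digest.hexdigest())


# Constructed stand-ins for the two problem environments (not real hashlib).
def fips_md5(**kwargs):
    raise ValueError("[digital envelope routines: EVP_DigestInit_ex] disabled for FIPS")


def legacy_md5(*args):
    # Accepts no keywords, like hashlib.md5 before usedforsecurity existed.
    return hashlib.md5(*args)


if __name__ == "__main__":
    sample = b"constructed WAL segment bytes"
    print(stream_checksum(io.BytesIO(sample)))
    print(stream_checksum(io.BytesIO(sample), md5_ctor=fips_md5))
```

Because the fallback changes the algorithm, the digest is labelled with its name so that whichever side verifies it can recompute with the same hash.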