|
Bugzilla – Full Text Bug Listing |
| Summary: | Upgrade to waf-2.0.14 when released | ||
|---|---|---|---|
| Product: | ns-3 | Reporter: | Chris Vogl <chris.j.vogl> |
| Component: | build system | Assignee: | Gustavo J. A. M. Carneiro <gjcarneiro> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | ns-bugs, tomh |
| Priority: | P5 | ||
| Version: | ns-3.29 | ||
| Hardware: | Other | ||
| OS: | Linux | ||
|
Description
Chris Vogl
2018-12-07 13:04:49 UTC
I am only _just_ reading about FIPS, but from what I can see it's a "U.S. government computer security standards that specify requirements for cryptography modules." Well, WAF uses md5, but not for cryptography purposes. FIPS doesn't apply here. Right, I think only those of us "lucky enough" to be required to be FIPS compliant know about FIPS. Unfortunately, md5 is not allowed in any capacity on a FIPS compliant system (there's a stack trace on the Gitlab issue page I linked to that shows the resulting error of waf using hashlib.md5 in a non-security manner). For curiosity purposes, I sought out what has been done to address this in other software. While there is a version of hashlib distributed by RHEL that allows for a "useforsecurity" flag (https://code.djangoproject.com/ticket/28401), but since this isn't very portable, most projects seem to avoid using md5 if their users needs FIPS compliance (which is what waf 2.0.14 will do). CPython's resident security expert disagrees with you: https://mail.python.org/pipermail/python-ideas/2018-December/054677.html He says "In FIPS mode, MD5 is still allowed in **non-security contexts**.". Please see the stack trace I refered to in my previous reply. The TLDR version: if I call hashlib.md5, an error is thrown. If you have a way around this, aside from using a different hash or using a version of hashlib only available to RHEL users, I’m all ears. Firstly, I am not saying we shouldn't update WAF eventually. I am just baffled of the stupidity of crippling CPython's md5 function. Questions arise: 1. Why do you require FIPS for running simulations? 2. Why does your FIPS python md5 function not work even though FIPS only states that md5 not be used in security context? 3. If FIPS is "U.S. government computer security standards that specify requirements for cryptography modules.", since when is CPython, or any library, a cryptographic module? For me, "cryptographic module" is a software component that does cryptographic functions. MD5 is a content hashing algorithm, which is not necessarily used for cryptography (as the WAF use case exemplifies). I am just really annoyed by this type of bureaucratic bulshit. Apologies for venting my frustration onto you. I am genuinely curious about question 1, though. Why is your computer enforcing FIPS? 1) The short answer is that the system administrators for my computer have deemed it so. Also, see my answer to 2. 2) My understanding, from reading posts by other people who have had this issue, is that the hashlib package distributed as part of FIPS-compliant RHEL is designed to throw an error if md5 is called without an additional "useforsecurity" flag. 3) I have no idea... I'm just the messenger here: I'm neither choosing whether or not my computer needs to be FIPS compliant nor how to impose that compliance. On a related note, waf 2.0.14 was just released that avoids throwing an error during the ns3 build on FIPS-compliant RHEL: https://gitlab.com/ita1024/waf/tags/waf-2.0.14. I have been testing waf-2.0.15 on macOS and Linux and think it is ready to merge; I plan to merge on 8 April 2019 unless there are concerns. A testing branch is available here: https://gitlab.com/tomhenderson/ns-3-dev/tree/upgrade-waf-2.0.15 git clone https://gitlab.com/tomhenderson/ns-3-dev.git cd ns-3-dev git checkout -b upgrade-waf-2.0.15 origin/upgrade-waf-2.0.15 ./waf configure ... waf-2.0.15 merged in 9a34eb91 |