Pulp

Looks like this causes problems in Pulp:

May 16 17:28:18 pulp2.dev pulp[7767]: django.request:ERROR: (7767-40896) Internal Server Error: /pulp/api/v2/repositories/
May 16 17:28:18 pulp2.dev pulp[7767]: django.request:ERROR: (7767-40896) Traceback (most recent call last):
May 16 17:28:18 pulp2.dev pulp[7767]: django.request:ERROR: (7767-40896)   File "/usr/lib/python2.7/site-packages/django/core/handlers/base.py", line 131, in get_response
May 16 17:28:18 pulp2.dev pulp[7767]: django.request:ERROR: (7767-40896)     response = middleware_method(request, response)
May 16 17:28:18 pulp2.dev pulp[7767]: django.request:ERROR: (7767-40896)   File "/usr/lib/python2.7/site-packages/django/middleware/http.py", line 23, in process_response
May 16 17:28:18 pulp2.dev pulp[7767]: django.request:ERROR: (7767-40896)     set_response_etag(response)
May 16 17:28:18 pulp2.dev pulp[7767]: django.request:ERROR: (7767-40896)   File "/usr/lib/python2.7/site-packages/django/utils/cache.py", line 109, in set_response_etag
May 16 17:28:18 pulp2.dev pulp[7767]: django.request:ERROR: (7767-40896)     response['ETag'] = quote_etag(hashlib.md5(response.content).hexdigest())
May 16 17:28:18 pulp2.dev pulp[7767]: django.request:ERROR: (7767-40896) ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

I made this temporary fix in /usr/lib/python2.7/site-packages/django/utils/cache.py to work around this:

# response['ETag'] = quote_etag(hashlib.md5(response.content).hexdigest())
response['ETag'] = quote_etag(hashlib.md5(response.content, usedforsecurity=False).hexdigest())

I see three possible ways to patch this:

1. Rescue ValueError and then call md5 with the usedforsecurity flag set to False
2. Switch to a different hashing method (e.g. sha256)
3. Create an md5() function like we did here: https://git.io/vh0wj

I'm leaning towards the first option given that it's simple and has a small footprint. Also, option 2 might have unintended consequences or even bugs.

Thoughts?

I'm fine with option 1.

Normally I would prefer option 2, but since Django 1.x is on maintenence-only mode, I expect that they wouldn't accept it even if it did work perfectly.

For option 1 we'll need to catch a very specific ValueError, just ValueError is not good enough.
Say, it was triggered by a non-FIPS problem, then we would catch ValueError and try to pass usedforsecurity flag to the md5 function which potentially doesn't support it (if it's not a FIPS machine).

I agree not to go with option 2 because we won't be able to merge it into upstream Django.

I think either option 1 and checking a FIPS specific error code if it's there or option 3.

Here's a patch that combines options 1 and 3:

diff --git a/django/utils/cache.py b/django/utils/cache.py
index 0f6232b51b..73f496e0f9 100644
--- a/django/utils/cache.py
+++ b/django/utils/cache.py
@@ -19,6 +19,7 @@ An example: i18n middleware would need to distinguish caches by the
 from __future__ import unicode_literals

 import hashlib
+import inspect
 import logging
 import re
 import time
@@ -106,7 +107,16 @@ def get_max_age(response):

 def set_response_etag(response):
     if not response.streaming:
-        response['ETag'] = quote_etag(hashlib.md5(response.content).hexdigest())
+        try:
+            md5_hash = hashlib.md5(response.content)
+        except ValueError as e:
+            if 'usedforsecurity' in inspect.getargspec(hashlib.new)[0]:
+                md5_hash = hashlib.md5(response.content, usedforsecurity=False)
+            else:
+                raise e
+
+        response['ETag'] = quote_etag(md5_hash.hexdigest())
+
     return response

+1 from me.
Thanks @daviddavis for the patch!