[issue9146] Segfault in hashlib in OpenSSL FIPS mode using non-FIPS-compliant hashes, if "ssl" imported before "hashlib"

2020-09-19 Thread Gregory P. Smith
Change by Gregory P. Smith : -- stage: backport needed -> resolved status: open -> closed ___ Python tracker ___ ___

[issue9146] Segfault in hashlib in OpenSSL FIPS mode using non-FIPS-compliant hashes, if "ssl" imported before "hashlib"

2020-09-19 Thread Irit Katriel
Irit Katriel added the comment: Looks like this is complete and can be closed. -- nosy: +iritkatriel

[issue9146] Segfault in hashlib in OpenSSL FIPS mode using non-FIPS-compliant hashes, if "ssl" imported before "hashlib"

2017-09-03 Thread Gregory P. Smith
Gregory P. Smith added the comment: New changeset 31b8efeaa893e95358b71eb2b8365552d3966b4a by Gregory P. Smith in branch '3.6': [3.6] bpo-9146: Raise a ValueError if OpenSSL fails to init a hash func (#3274) https://github.com/python/cpython/commit/31b8efeaa893e95358b71eb2b8365552d3966b4a

[issue9146] Segfault in hashlib in OpenSSL FIPS mode using non-FIPS-compliant hashes, if "ssl" imported before "hashlib"

2017-09-03 Thread Gregory P. Smith
Gregory P. Smith added the comment: New changeset 4f013881cb0ca7d29620ddb0594dde09bc5d24ca by Gregory P. Smith in branch 'master': bpo-9146: add the missing NEWS entry. (#3275) https://github.com/python/cpython/commit/4f013881cb0ca7d29620ddb0594dde09bc5d24ca

[issue9146] Segfault in hashlib in OpenSSL FIPS mode using non-FIPS-compliant hashes, if "ssl" imported before "hashlib"

2017-09-03 Thread Gregory P. Smith
Changes by Gregory P. Smith: -- pull_requests: +3318

[issue9146] Segfault in hashlib in OpenSSL FIPS mode using non-FIPS-compliant hashes, if "ssl" imported before "hashlib"

2017-09-03 Thread Gregory P. Smith
Changes by Gregory P. Smith: -- pull_requests: +3317

[issue9146] Segfault in hashlib in OpenSSL FIPS mode using non-FIPS-compliant hashes, if "ssl" imported before "hashlib"

2017-05-25 Thread Charalampos Stratakis
Changes by Charalampos Stratakis: -- nosy: +cstratak

[issue9146] Segfault in hashlib in OpenSSL FIPS mode using non-FIPS-compliant hashes, if "ssl" imported before "hashlib"

2017-05-24 Thread Gregory P. Smith
Gregory P. Smith added the comment: Resolved for 3.7, assigning to christian to deal with the backports as I believe he has employer motivation to see those in (should be trivial). -- assignee: gregory.p.smith -> christian.heimes resolution: -> fixed stage: patch review -> backport

[issue9146] Segfault in hashlib in OpenSSL FIPS mode using non-FIPS-compliant hashes, if "ssl" imported before "hashlib"

2017-05-24 Thread Gregory P. Smith
Gregory P. Smith added the comment: New changeset 07244a83014fad42da937c17d98474b47a570bf7 by Gregory P. Smith in branch 'master': bpo-9146: Raise a ValueError if OpenSSL fails to init a hash func. (#1777) https://github.com/python/cpython/commit/07244a83014fad42da937c17d98474b47a570bf7

[issue9146] Segfault in hashlib in OpenSSL FIPS mode using non-FIPS-compliant hashes, if "ssl" imported before "hashlib"

2017-05-23 Thread Gregory P. Smith
Changes by Gregory P. Smith: -- pull_requests: +1859

[issue9146] Segfault in hashlib in OpenSSL FIPS mode using non-FIPS-compliant hashes, if "ssl" imported before "hashlib"

2017-03-29 Thread Gregory P. Smith
Gregory P. Smith added the comment: I like your patch, raising an exception is indeed the right thing to do. I'll get this patch in. Whether or not the built-in non-openssl based _md5 and _sha1 module exist in "fips" mode is a separate build time issue - let's keep this one just dealing with

[issue9146] Segfault in hashlib in OpenSSL FIPS mode using non-FIPS-compliant hashes, if "ssl" imported before "hashlib"

2017-03-29 Thread Kevin Christopher
Kevin Christopher added the comment: I tripped over this exact issue a few months ago, while working on a FIPSified OpenSSL library (custom platform). Attached a different (more minimal) patch; this one focuses more narrowly on the exact failure mode. It's based on 'master' (~3.7), applies

[issue9146] Segfault in hashlib in OpenSSL FIPS mode using non-FIPS-compliant hashes, if "ssl" imported before "hashlib"

2016-09-08 Thread Christian Heimes
Christian Heimes added the comment: I can no longer reproduce the crash with Python 2.7 and 3.5 (Fedora 24 with OpenSSL 1.0.2h). Is this still a problem for you? -- status: open -> pending

[issue9146] Segfault in hashlib in OpenSSL FIPS mode using non-FIPS-compliant hashes, if ssl imported before hashlib

2013-08-24 Thread Donald Stufft
Changes by Donald Stufft donald.stu...@gmail.com: -- nosy: +dstufft ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue9146 ___ ___ Python-bugs-list

[issue9146] Segfault in hashlib in OpenSSL FIPS mode using non-FIPS-compliant hashes, if ssl imported before hashlib

2013-07-20 Thread Jan Pokorný
Changes by Jan Pokorný pokorny_...@seznam.cz: -- nosy: +jpokorny

[issue9146] Segfault in hashlib in OpenSSL FIPS mode using non-FIPS-compliant hashes, if ssl imported before hashlib

2012-10-06 Thread Christian Heimes
Changes by Christian Heimes li...@cheimes.de: -- nosy: +christian.heimes

[issue9146] Segfault in hashlib in OpenSSL FIPS mode using non-FIPS-compliant hashes, if ssl imported before hashlib

2010-07-09 Thread Dave Malcolm
Dave Malcolm dmalc...@redhat.com added the comment: I've filed issue 9216 to discuss this at a higher level, with an API proposal

[issue9146] Segfault in hashlib in OpenSSL FIPS mode using non-FIPS-compliant hashes, if ssl imported before hashlib

2010-07-07 Thread Dave Malcolm
Dave Malcolm dmalc...@redhat.com added the comment: Thanks. The relevant code in setup.py is all wrapped with --pydebug: if COMPILED_WITH_PYDEBUG or not have_usable_openssl: All of my testing had been --with-pydebug. Rebuilding without --with-pydebug leads to some interesting

[issue9146] Segfault in hashlib in OpenSSL FIPS mode using non-FIPS-compliant hashes, if ssl imported before hashlib

2010-07-06 Thread Dave Malcolm
Dave Malcolm dmalc...@redhat.com added the comment: I'm attaching an updated patch which: - adds error checking to the various places where EVP_DigestInit is called - adds a test to test_hashlib to ensure that hashlib still works gracefully when OPENSSL_FORCE_FIPS_MODE=1 is set in the

[issue9146] Segfault in hashlib in OpenSSL FIPS mode using non-FIPS-compliant hashes, if ssl imported before hashlib

2010-07-06 Thread Gregory P. Smith
Gregory P. Smith g...@krypto.org added the comment: I'm pretty sure Python setup.py does not build the non-openssl md5, sha1, sha256 and sha512 extension modules at all when openssl is present. So falling back on them is not likely to work unless anyone who wants this crazy force fips mode

[issue9146] Segfault in hashlib in OpenSSL FIPS mode using non-FIPS-compliant hashes, if ssl imported before hashlib

2010-07-06 Thread Gregory P. Smith
Changes by Gregory P. Smith g...@krypto.org: -- nosy: -gps

[issue9146] Segfault in hashlib in OpenSSL FIPS mode using non-FIPS-compliant hashes, if ssl imported before hashlib

2010-07-02 Thread Dave Malcolm
New submission from Dave Malcolm dmalc...@redhat.com: Having run: prelink --undo --all the following works OK: OPENSSL_FORCE_FIPS_MODE=1 python -c import hashlib; m = m = hashlib.md5(); m.update('abc') but the following segfaults: OPENSSL_FORCE_FIPS_MODE=1 python -c import ssl; import

[issue9146] Segfault in hashlib in OpenSSL FIPS mode using non-FIPS-compliant hashes, if ssl imported before hashlib

2010-07-02 Thread Antoine Pitrou
Antoine Pitrou pit...@free.fr added the comment: First, is it only with 2.7 or 2.6? Second, I don't really get the point of the FIPS mode. The PDF you linked to seems full of bureaucratic jargon. Third, I can't reproduce under Mandriva, but perhaps it's because it's using OpenSSL 1.0.0 (which

[issue9146] Segfault in hashlib in OpenSSL FIPS mode using non-FIPS-compliant hashes, if ssl imported before hashlib

2010-07-02 Thread Dave Malcolm
Dave Malcolm dmalc...@redhat.com added the comment: Thanks First, is it only with 2.7 or 2.6? I've seen this with both 2.6 tarball builds and SVN trunk; in both cases against openssl-1.0.0-1.[ Second, I don't really get the point of the FIPS mode. The PDF you linked to seems full of

[issue9146] Segfault in hashlib in OpenSSL FIPS mode using non-FIPS-compliant hashes, if ssl imported before hashlib

2010-07-02 Thread Antoine Pitrou
Antoine Pitrou pit...@free.fr added the comment: with the attached patch to SVN trunk, I don't need the initial import ssl to reproduce the segfault Nice, so at least that oddity is eliminated :) So I guess it's down to the A, B, and C approaches you suggested. Of course, if we choose to

[issue9146] Segfault in hashlib in OpenSSL FIPS mode using non-FIPS-compliant hashes, if ssl imported before hashlib

2010-07-02 Thread Dave Malcolm
Dave Malcolm dmalc...@redhat.com added the comment: Attached patch checks for errors in the initialization of _hashlib, and only registers the names that are actually available. It also contains the ssl init from the first patch. I added a _hashlib._errors dict, containing errors, so that you

[issue9146] Segfault in hashlib in OpenSSL FIPS mode using non-FIPS-compliant hashes, if ssl imported before hashlib

2010-07-02 Thread Dave Malcolm
Dave Malcolm dmalc...@redhat.com added the comment: Not quite ready yet: Named methods work:
$ OPENSSL_FORCE_FIPS_MODE=1 ./python -c "import hashlib; m = hashlib.md5(); m.update('abc\n'); print m.hexdigest()"
0bee89b07a248e27c83fc3d5951213c1
[15741 refs]
but lookup by name still fails: