[issue9146] Segfault in hashlib in OpenSSL FIPS mode using non-FIPS-compliant hashes, if "ssl" imported before "hashlib"

Dave Malcolm report at bugs.python.org
Sat Jul 3 01:57:08 CEST 2010


Dave Malcolm <dmalcolm at redhat.com> added the comment:

Attached patch checks for errors in the initialization of _hashlib, and only registers the names that are actually available.

It also contains the ssl init from the first patch.

I added a _hashlib._errors dict, containing errors, so that you can examine them at runtime:

$ OPENSSL_FORCE_FIPS_MODE=1 ./python
Python 2.7rc2+ (trunk:82445, Jul  2 2010, 14:00:30) 
[GCC 4.4.3 20100422 (Red Hat 4.4.3-18)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import _hashlib
[35786 refs]
>>> _hashlib._errors
{'md5': '_hashopenssl.c:541: error:060800A0:digital envelope routines:EVP_DigestInit_ex:unknown cipher'}
[35825 refs]
>>> dir (_hashlib)
['__doc__', '__file__', '__name__', '__package__', '_errors', 'new', 'openssl_sha1', 'openssl_sha224', 'openssl_sha256', 'openssl_sha384', 'openssl_sha512']
[35838 refs]
(note the absence of openssl_md5)

Note that hashlib (as opposed to _hashlib) seems to gracefully fall back to Python's _md5 module when in this state:
>>> import hashlib
[36107 refs]
>>> m = m = hashlib.md5(); m.update('abc\n'); print m.hexdigest()
0bee89b07a248e27c83fc3d5951213c1
[36109 refs]

This seems to be option (A) from my initial message.

----------
stage:  -> patch review
Added file: http://bugs.python.org/file17846/remove-unusable-hashes-from-hashopenssl.patch

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue9146>
_______________________________________
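As an added example, not part of Dave Malcolm's patch or of anything in this tracker message, the following Python 3 snippet shows the same idea at application level: probe each OpenSSL-backed hash name, keep only the ones that actually construct and digest, and record the failure text of the others in a dict that mirrors the `_hashlib._errors` idea from the patch. The helper names `probe_hashes`, `new_hash` and `hexdigest` are assumptions for this example; `hashlib.new` raising `ValueError` for unsupported or unknown algorithms is real, documented behaviour.

```python
"""Probe which hash algorithms are usable in this interpreter/OpenSSL build
and record why the others failed (example code, not from the patch)."""
import hashlib

# Names the patch registers conditionally; md5 is the one FIPS mode rejects.
CANDIDATES = ("md5", "sha1", "sha224", "sha256", "sha384", "sha512")


def probe_hashes(names=CANDIDATES):
    """Return (available, errors).

    available: list of names whose constructor and digest both work.
    errors:    dict name -> exception text, analogous to _hashlib._errors.
    """
    available = []
    errors = {}
    for name in names:
        try:
            h = hashlib.new(name)
            h.update(b"")   # exercise the digest path, not just construction
            h.hexdigest()
        except ValueError as exc:
            # hashlib raises ValueError for unknown names and for algorithms
            # the backing OpenSSL refuses (e.g. md5 in FIPS mode).
            errors[name] = str(exc)
        else:
            available.append(name)
    return available, errors


def new_hash(preferred, fallbacks=("sha256",)):
    """Construct the preferred hash, or the first usable fallback.

    This is the application-side counterpart of hashlib falling back to the
    built-in _md5 module when _hashlib has no openssl_md5.
    Returns (name_actually_used, hash_object).
    """
    tried = (preferred,) + tuple(fallbacks)
    for name in tried:
        try:
            return name, hashlib.new(name)
        except ValueError:
            continue
    raise ValueError("none of %r is usable here" % (tried,))


def hexdigest(name, data):
    """Hex digest of `data` under algorithm `name` (raises ValueError if unusable)."""
    return hashlib.new(name, data).hexdigest()


if __name__ == "__main__":
    ok, bad = probe_hashes()
    print("usable:", ok)
    print("errors:", bad)
    used, h = new_hash("md5")
    print("new_hash('md5') gave", used)
```

On a normal build `probe_hashes()` reports every candidate as usable and an empty error dict; under a FIPS-restricted OpenSSL the `md5` entry moves into `errors` with the library's error text, and `new_hash("md5")` silently returns a `sha256` object instead of crashing. Python 3.9 and later also accept `hashlib.new(name, usedforsecurity=False)`, which is the supported way to request a non-security use of a restricted digest rather than relying on fallback.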

