[issue9146] Segfault in hashlib in OpenSSL FIPS mode using non-FIPS-compliant hashes, if "ssl" imported before "hashlib"

Dave Malcolm report at bugs.python.org
Fri Jul 2 21:46:47 CEST 2010

Dave Malcolm <dmalcolm at redhat.com> added the comment:


> First, is it only with 2.7 or 2.6?
I've seen this with both 2.6 tarball builds and SVN trunk; in both cases against openssl-1.0.0-1.[

> Second, I don't really get the point of the FIPS mode. The PDF you linked to seems full of bureaucratic jargon.

> Third, I can't reproduce under Mandriva, but perhaps it's because it's using OpenSSL 1.0.0 (which the PDF says isn't supported).
Thanks for the info.  This is my fault, sorry.  I'm using openssl-1.0.0-1 on Fedora; on doublechecking I see that we appear to be carrying various patches in our openssl packages, which I assume are a backport from a more recent version of the FIPS support:
(see http://cvs.fedoraproject.org/viewvc/devel/openssl/ ); I'll see if I can get more information from other Fedorans to verify this, and on what version of openssl upstream this is equivalent to.

> Fourth, if MD5 is insecure and FIPS disables insecure algorithm, then why should hashlib allow MD5 hashing when FIPS mode is enabled?
My understanding is that some sites wish to prohibit the use of MD5 as an authentication mechanism, but don't need to prohibit it where the use is not "cryptography", e.g. to compute an index into a hash table where intentionally induced hash collisions can not break the application's security.

> Fifth, please take a look at the OpenSSL initialization routine in _sslmodule.c and try to transplant it to the hashlib initialization routine:

Done; with the attached patch to SVN trunk, I don't need the initial "import ssl" to reproduce the segfault; the following will segfault (in the same place):
OPENSSL_FORCE_FIPS_MODE=1 gdb --args ./python -c "import hashlib; m = m = hashlib.md5(); m.update('abc')"

keywords: +patch
Added file: http://bugs.python.org/file17841/add_ssl_init_to_hashlib.patch

Python tracker <report at bugs.python.org>

More information about the Python-bugs-list mailing list