Description of problem:
Tried running the Python test suite with incorrectly set up OPENSSL_FORCE_FIPS_MODE=1 without prelinking. Output was:

ERROR:root:code for hash md5 was not found.
Traceback (most recent call last):
  File "/usr/lib64/python2.7/hashlib.py", line 121, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/lib64/python2.7/hashlib.py", line 92, in __get_openssl_constructor
    f(usedforsecurity=False)
ValueError: error:2D07D06A:FIPS routines:EVP_DigestInit_ex:fips selftest failed
ERROR:root:code for hash sha1 was not found.
Traceback (most recent call last):
  File "/usr/lib64/python2.7/hashlib.py", line 121, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/lib64/python2.7/hashlib.py", line 92, in __get_openssl_constructor
    f(usedforsecurity=False)
ValueError: error:2D07D06A:FIPS routines:EVP_DigestInit_ex:fips selftest failed
ERROR:root:code for hash sha224 was not found.
Traceback (most recent call last):
  File "/usr/lib64/python2.7/hashlib.py", line 121, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/lib64/python2.7/hashlib.py", line 92, in __get_openssl_constructor
    f(usedforsecurity=False)
ValueError: error:2D07D06A:FIPS routines:EVP_DigestInit_ex:fips selftest failed
ERROR:root:code for hash sha256 was not found.
Traceback (most recent call last):
  File "/usr/lib64/python2.7/hashlib.py", line 121, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/lib64/python2.7/hashlib.py", line 92, in __get_openssl_constructor
    f(usedforsecurity=False)
ValueError: error:2D07D06A:FIPS routines:EVP_DigestInit_ex:fips selftest failed
ERROR:root:code for hash sha384 was not found.
Traceback (most recent call last):
  File "/usr/lib64/python2.7/hashlib.py", line 121, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/lib64/python2.7/hashlib.py", line 92, in __get_openssl_constructor
    f(usedforsecurity=False)
ValueError: error:2D07D06A:FIPS routines:EVP_DigestInit_ex:fips selftest failed
ERROR:root:code for hash sha512 was not found.
Traceback (most recent call last):
  File "/usr/lib64/python2.7/hashlib.py", line 121, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/lib64/python2.7/hashlib.py", line 92, in __get_openssl_constructor
    f(usedforsecurity=False)
ValueError: error:2D07D06A:FIPS routines:EVP_DigestInit_ex:fips selftest failed
fips.c(153): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE
Neúspěšně ukončen (SIGABRT) (core dumped [obraz paměti uložen])

(This causes FIPS mode to be enabled, but fail on initialization. This is not really expected to "work", and some error messages _were_ output, but outputting the error message without crashing would be preferable.)

Version-Release number of selected component:
python-2.7.3-7.2.fc17

Additional info:
libreport version: 2.0.18
abrt_version: 2.0.18
backtrace_rating: 4
cmdline: python tests/alltests.py
crash_function: OpenSSLDie
kernel: 3.6.6-1.fc17.x86_64

truncated backtrace:
:Thread no. 1 (10 frames)
: #2 OpenSSLDie at cryptlib.c:891
: #3 EVP_DigestUpdate at digest.c:288
: #4 ssleay_rand_add at md_rand.c:270
: #5 RAND_load_file at randfile.c:130
: #6 _wrap_rand_load_file at SWIG/_m2crypto_wrap.c:9755
: #7 call_function at /usr/src/debug/Python-2.7.3/Python/ceval.c:4098
: #8 PyEval_EvalFrameEx at /usr/src/debug/Python-2.7.3/Python/ceval.c:2740
: #9 PyEval_EvalCodeEx at /usr/src/debug/Python-2.7.3/Python/ceval.c:3330
: #10 fast_function at /usr/src/debug/Python-2.7.3/Python/ceval.c:4194
: #11 call_function at /usr/src/debug/Python-2.7.3/Python/ceval.c:4119
Created attachment 649283 File: core_backtrace
Created attachment 649284 File: environ
Created attachment 649286 File: backtrace
Created attachment 649287 File: cgroup
Created attachment 649288 File: limits
Created attachment 649289 File: executable
Created attachment 649290 File: maps
Created attachment 649291 File: dso_list
Created attachment 649292 File: proc_pid_status
Created attachment 649293 File: open_fds
Created attachment 649294 File: var_log_messages
So, what happened here:
* RAND_add() was called
* RAND_add() internally called EVP_DigestInit(), without checking for failure
* EVP_DigestInit() detected the FIPS selftest failure and returned an error code
* RAND_add() then called EVP_DigestUpdate(), which abort()ed because the FIPS self-test failed and the caller was not supposed to call *Update on something that failed *Init.

So, RAND_add() should have had error handling. OTOH RAND_add() returns void, so it has no way to indicate failure to the caller, and failure to add randomness can critically break a cryptosystem; silently ignoring a failure is not an option. So the only error handling RAND_add() could have realistically added is a call to abort(), which happens to be basically what the current code does.
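
The call sequence from the comment above, as a self-contained toy model in C. This is an added example, not OpenSSL or Python code and not part of the original report; `toy_init`, `toy_update`, `pool_add_void`, `pool_add_checked` and the replaceable `fatal_hook` are hypothetical names. It contrasts the void-returning shape, where abort is the only signal, with an int-returning variant that can report the failure and leave the pool untouched.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model of the call sequence; every name here is hypothetical. */
static int selftest_ok = 1;               /* 0 models a failed FIPS self-test */
static int fatal_count = 0;
static void count_fatal(void) { fatal_count++; }
static void (*fatal_hook)(void) = abort;  /* default: die, as the library does */
static unsigned long pool = 1;            /* stand-in for the entropy pool */
typedef struct { int ready; unsigned long h; } toy_md_ctx;

static int toy_init(toy_md_ctx *c) {
    c->ready = 0;
    if (!selftest_ok) return 0;           /* Init reports the failure */
    c->h = 5381; c->ready = 1;
    return 1;
}
static int toy_update(toy_md_ctx *c, const unsigned char *p, size_t n) {
    if (!c->ready) { fatal_hook(); return 0; }  /* Update after failed Init */
    while (n--) c->h = c->h * 33 + *p++;
    return 1;
}
/* Shape described in the comment: void return, Init result ignored. */
static void pool_add_void(const void *buf, size_t n) {
    toy_md_ctx c;
    toy_init(&c);
    if (toy_update(&c, buf, n)) pool ^= c.h;
}
/* Hypothetical int-returning variant: reports failure, pool untouched. */
static int pool_add_checked(const void *buf, size_t n) {
    toy_md_ctx c;
    if (!toy_init(&c) || !toy_update(&c, buf, n)) return 0;
    pool ^= c.h;
    return 1;
}
/* One call under the counting hook; returns fatal events, *rc gets result. */
static int fatals_for(int ok, int checked, int *rc) {
    int before = fatal_count;
    fatal_hook = count_fatal; selftest_ok = ok;
    if (checked) *rc = pool_add_checked("seed", 4);
    else { pool_add_void("seed", 4); *rc = -1; }
    return fatal_count - before;
}
int main(void) {
    int rc, n = fatals_for(0, 0, &rc);
    printf("void API, self-test failed: %d fatal event(s)\n", n);
    n = fatals_for(0, 1, &rc);
    printf("checked API, self-test failed: %d fatal event(s), rc=%d\n", n, rc);
    return 0;
}
```

With the default `fatal_hook` of `abort`, the void variant terminates the process on a failed self-test, which is the crash in the backtrace; the counting hook exists only so the model can be observed without dying.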