New submission from Christian Heimes <li...@cheimes.de>:

The hashlib module prefers hash implementations from OpenSSL. In case OpenSSL 
is not available or OpenSSL does not provide a hash algorithm, hashlib falls 
back to builtin implementations for MD5, SHA1, SHA2 family, SHA3/SHAKE family, 
and Blake2. The __get_openssl_constructor [1] function checks OpenSSL by 
retrieving the constructor and calling it. The call fails if OpenSSL doesn't 
implement the EVP digest.

It also fails when the EVP digest is available but blocked by a security 
policy. In this case it falls back to the builtin implementation. If the 
builtin implementation has been removed by the package builder or 
--with-builtin-hashlib-hashes, then Python considers the hash algorithm as 
broken.

I propose to change the detection code so that Python uses the OpenSSL 
implementation although it's blocked by the current system policy.

Current behavior:

$ rpm -qa openssl
openssl-1.1.1g-1.fc32.x86_64
$ /configure -C --with-builtin-hashlib-hashes=blake2
$ make -j4
$ ./python
>>> import hashlib
ERROR:root:code for hash md5 was not found.
Traceback (most recent call last):
  File "/root/cpython/Lib/hashlib.py", line 131, in __get_openssl_constructor
    f()
ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/root/cpython/Lib/hashlib.py", line 251, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/root/cpython/Lib/hashlib.py", line 135, in __get_openssl_constructor
    return __get_builtin_constructor(name)
  File "/root/cpython/Lib/hashlib.py", line 118, in __get_builtin_constructor
    raise ValueError('unsupported hash type ' + name)
ValueError: unsupported hash type md5
>>> hashlib.md5()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
AttributeError: module 'hashlib' has no attribute 'md5'


Proposed behavior:

$ ./python
>>> import hashlib
>>> hashlib.md5()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS
>>> hashlib.md5(usedforsecurity=False)
<md5 _hashlib.HASH object @ 0x7fb9d44b9b30>


Related issues:

bpo-9216 added the new hash constructor argument "usedforsecurity".
bpo-40637 added a new configure option --with-builtin-hashlib-hashes

[1] 
https://github.com/python/cpython/blob/97fe9cfd9f81fe96a70e1ce80fce04b0c937bfac/Lib/hashlib.py#L121-L135

----------
assignee: christian.heimes
components: Library (Lib)
messages: 369428
nosy: christian.heimes, gregory.p.smith
priority: normal
severity: normal
status: open
title: hashlib: OpenSSL hash detection should obey security policy
type: behavior
versions: Python 3.10, Python 3.9

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue40695>
_______________________________________
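
The report above turns on telling a digest that is missing apart from one that exists but is blocked by policy. The following is an added example, not part of the original message and not CPython's detection code: it probes a digest with and without the `usedforsecurity` argument (Python 3.9+) to classify it. The names `classify_digest`, `audit` and `fips_like_new` are hypothetical, and `fips_like_new` is a constructed stand-in for a policy-restricted OpenSSL build.

```python
import hashlib


def classify_digest(name, new=hashlib.new):
    """Classify a digest as 'usable', 'policy-blocked' or 'unavailable'.

    'policy-blocked' means the constructor fails by default but succeeds
    when the caller declares a non-security use (usedforsecurity=False).
    """
    try:
        new(name)
        return "usable"
    except ValueError:
        pass
    try:
        new(name, usedforsecurity=False)
        return "policy-blocked"
    except (ValueError, TypeError):
        # ValueError: no implementation at all.
        # TypeError: a constructor that predates usedforsecurity.
        return "unavailable"


def audit(names, new=hashlib.new):
    """Map each digest name to its classification."""
    return {name: classify_digest(name, new=new) for name in names}


def fips_like_new(name, data=b"", *, usedforsecurity=True):
    """Constructed stand-in: blocks MD5 for security use, like the traceback above."""
    if name == "md5" and usedforsecurity:
        raise ValueError(
            "[digital envelope routines: EVP_DigestInit_ex] disabled for FIPS"
        )
    return hashlib.new(name, data, usedforsecurity=usedforsecurity)


if __name__ == "__main__":
    wanted = ["md5", "sha256", "no-such-digest"]
    print("this interpreter:", audit(wanted))
    print("simulated policy:", audit(wanted, new=fips_like_new))
```

A caller that only needs MD5 for a non-security purpose such as a cache key can use the `policy-blocked` result to decide to pass `usedforsecurity=False` rather than treating the algorithm as absent.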