hashlib.algorithms_available lists algorithms that cannot be used

Bug #1976299 reported by Andreas Hasenack
This bug affects 2 people
Affects                 Status         Importance   Assigned to   Milestone
Python3                 New            Unknown
python-ecdsa (Debian)   Fix Released   Unknown
python-ecdsa (Ubuntu)   Invalid        Undecided    Unassigned
  Jammy                 Invalid        Undecided    Unassigned
  Kinetic               Invalid        Undecided    Unassigned
python3.10 (Ubuntu)     Fix Released   Undecided    Unassigned
  Jammy                 Confirmed      Medium       Unassigned
  Kinetic               Fix Released   Undecided    Unassigned

Bug Description

Ubuntu 22.10
python-ecdsa 0.18.0~b1-1

==================================== ERRORS ====================================
_ ERROR collecting .pybuild/cpython3_3.10_ecdsa/build/ecdsa/test_malformed_sigs.py _
/usr/lib/python3.10/hashlib.py:160: in __hash_new
    return _hashlib.new(name, data, **kwargs)
E ValueError: [digital envelope routines] unsupported

During handling of the above exception, another exception occurred:
ecdsa/test_malformed_sigs.py:42: in <module>
    hash_and_size = [
ecdsa/test_malformed_sigs.py:43: in <listcomp>
    (name, hashlib.new(name).digest_size) for name in algorithms_available
/usr/lib/python3.10/hashlib.py:166: in __hash_new
    return __get_builtin_constructor(name)(data)
/usr/lib/python3.10/hashlib.py:123: in __get_builtin_constructor
    raise ValueError('unsupported hash type ' + name)
E ValueError: unsupported hash type whirlpool
=========================== short test summary info ============================
ERROR ecdsa/test_malformed_sigs.py - ValueError: unsupported hash type whirlpool
!!!!!!!!!!!!!!!!!!!! Interrupted: 1 error during collection !!!!!!!!!!!!!!!!!!!!
=============================== 1 error in 1.25s ===============================
E: pybuild pybuild:369: test: plugin distutils failed with: exit code=2: cd '/home/ubuntu/x/python-ecdsa-0.18.0~b1/.pybuild/cpython3_3.10_ecdsa/build'; python3.10 -m pytest
dh_auto_test: error: pybuild --test --test-pytest -i python{version} -p 3.10 returned exit code 13
make: *** [debian/rules:6: binary] Error 25
dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2

Andreas Hasenack (ahasenack) wrote :

This seems to be an issue with how python (3.10) is interacting with openssl.

The list of supported hash algorithms that we get is not actually supported:

$ python3 -c "import hashlib; a = {(name, hashlib.new(name).digest_size) for name in hashlib.algorithms_available}"
Traceback (most recent call last):
  File "/usr/lib/python3.10/hashlib.py", line 160, in __hash_new
    return _hashlib.new(name, data, **kwargs)
ValueError: [digital envelope routines] unsupported

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "<string>", line 1, in <setcomp>
  File "/usr/lib/python3.10/hashlib.py", line 166, in __hash_new
    return __get_builtin_constructor(name)(data)
  File "/usr/lib/python3.10/hashlib.py", line 123, in __get_builtin_constructor
    raise ValueError('unsupported hash type ' + name)
ValueError: unsupported hash type ripemd160

ripemd160 is in the list:
>>> hashlib.algorithms_available
{'shake_256', 'sha224', 'shake_128', 'sha512_224', 'blake2b', 'ripemd160', 'sha384', 'sha1', 'sha256', 'sha3_384', 'sha3_512', 'md5-sha1', 'sha512', 'whirlpool', 'sm3', 'md4', 'blake2s', 'sha512_256', 'sha3_224', 'sha3_256', 'md5'}

But like many others, unusable:
>>> hashlib.new("md4")
Traceback (most recent call last):
  File "/usr/lib/python3.10/hashlib.py", line 160, in __hash_new
    return _hashlib.new(name, data, **kwargs)
ValueError: [digital envelope routines] unsupported

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.10/hashlib.py", line 166, in __hash_new
    return __get_builtin_constructor(name)(data)
  File "/usr/lib/python3.10/hashlib.py", line 123, in __get_builtin_constructor
    raise ValueError('unsupported hash type ' + name)
ValueError: unsupported hash type md4

The list of hash names begins with this, in hashlib.py:
__always_supported = ('md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512',
                      'blake2b', 'blake2s',
                      'sha3_224', 'sha3_256', 'sha3_384', 'sha3_512',
                      'shake_128', 'shake_256')

It then gets potentially augmented with openssl's list:
    import _hashlib
    new = __hash_new
    __get_hash = __get_openssl_constructor
    algorithms_available = algorithms_available.union(
            _hashlib.openssl_md_meth_names)

And indeed, md4 and ripemd160 (and others) come from openssl's list:
>>> _hashlib.openssl_md_meth_names
frozenset({'shake_256', 'sha224', 'shake_128', 'sha512_224', 'blake2b', 'ripemd160', 'sha384', 'sha1', 'sha256', 'sha3_384', 'sha3_512', 'md5-sha1', 'sha512', 'whirlpool', 'sm3', 'md4', 'blake2s', 'sha512_256', 'sha3_256', 'sha3_224', 'md5'})

and it's unusable:
>>> _hashlib.new("md4")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ValueError: [digital envelope routines] unsupported

This was nicely summarized in https://github.com/tlsfuzzer/python-ecdsa/issues/285#issuecomment-1040319586

Looks like the openssl legacy provider is not fully loaded: it's there "enough" to spit out the legacy hash na...

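Added example (not part of the original report, and not code from python-ecdsa or CPython): a probe that separates the names in hashlib.algorithms_available that hashlib.new() can actually construct from those that raise ValueError, so code that enumerates hashes does not abort on an advertised but unusable name. The function names and the name "no-such-hash-constructed" are made up for illustration.

```python
import hashlib


def probe_hash_algorithms(names=None):
    """Split advertised hash names into constructible and non-constructible.

    Returns (usable, unusable):
      usable   maps name -> digest_size
      unusable maps name -> text of the ValueError raised by hashlib.new()
    """
    if names is None:
        names = hashlib.algorithms_available
    usable, unusable = {}, {}
    for name in sorted(names):
        try:
            h = hashlib.new(name)
        except ValueError as exc:
            # Same failure as in the tracebacks above: the name is
            # advertised, but neither the OpenSSL-backed constructor nor
            # the builtin fallback can instantiate it.
            unusable[name] = str(exc)
            continue
        usable[name] = h.digest_size
    return usable, unusable


def hash_and_size(names=None):
    """Tolerant form of the (name, digest_size) list built in
    ecdsa/test_malformed_sigs.py: unusable names are skipped."""
    usable, _ = probe_hash_algorithms(names)
    return sorted(usable.items())


if __name__ == "__main__":
    # "no-such-hash-constructed" is a constructed name that always fails,
    # so the unusable path is visible even on an unaffected system.
    names = set(hashlib.algorithms_available) | {"no-such-hash-constructed"}
    ok, bad = probe_hash_algorithms(names)
    print("usable:  ", ", ".join(ok))
    for name, err in bad.items():
        print("unusable:", name, "->", err)
```

On an affected python3.10 the unusable set would include names such as md4, ripemd160 and whirlpool from the report; on a fixed build only the constructed name is reported.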

Andreas Hasenack (ahasenack) wrote :

And this is the fix for 3.10: https://github.com/python/cpython/pull/32085

Andreas Hasenack (ahasenack) wrote :

Marking the python-ecdsa task as invalid, as there is nothing to fix there.

Changed in python-ecdsa (Ubuntu):
status: New → Invalid
summary: - FTBFS: unsupported hash type whirlpool
+ hashlib.algorithms_available lists algorithms that cannot be used
Changed in python-ecdsa (Ubuntu Jammy):
status: New → Invalid
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in python3.10 (Ubuntu Jammy):
status: New → Confirmed
Changed in python3.10 (Ubuntu):
status: New → Confirmed
tags: added: rls-kk-incoming
Simon Chopin (schopin)
tags: added: transition-openssl3-jj
tags: added: fr-2442
tags: removed: rls-kk-incoming
Changed in python-ecdsa (Debian):
status: Unknown → Confirmed
Changed in python-ecdsa (Debian):
status: Confirmed → Fix Released
Simon Chopin (schopin) wrote :

I just tested, and the issue is indeed fixed in Kinetic but is still present in Jammy. We'd need to SRU a cherry-pick of the hashlib patch mentioned in #3.

Changed in python3.10 (Ubuntu Kinetic):
status: Confirmed → Fix Released
tags: added: foundations-todo
Changed in python3.10 (Ubuntu Jammy):
importance: Undecided → Medium
Changed in python3:
status: Unknown → New