OpenSSL 3: Inconsistent CPython/PyPy behavior wrt. unsupported hash types: incorrect results

Hello, we have recently switched PyPy to OpenSSL 3 in Fedora and we see inconsistent behavior wrt. unsupported hash types, such as md4.
This is CPython (OpenSSL 3):
======================================================================
Python 3.9.13 (main, Jul 22 2022, 00:00:00)
[GCC 12.1.1 20220628 (Red Hat 12.1.1-3)] on linux
Type "help", "copyright", "credits" or "license" for more information.
import hashlib
m = hashlib.new('md4')
Traceback (most recent call last):
  File "/usr/lib64/python3.9/hashlib.py", line 160, in __hash_new
    return _hashlib.new(name, data, **kwargs)
ValueError: [digital envelope routines] unsupported

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python3.9/hashlib.py", line 166, in __hash_new
    return __get_builtin_constructor(name)(data)
  File "/usr/lib64/python3.9/hashlib.py", line 123, in __get_builtin_constructor
    raise ValueError('unsupported hash type ' + name)
ValueError: unsupported hash type md4
======================================================================
An exception is raised -- md4 is not supported.
And this is PyPy (OpenSSL 3):
======================================================================
Python 2.7.18 (f1d28f87e6d8, Jul 22 2022, 16:05:41)
[PyPy 7.3.9 with GCC 12.1.1 20220628 (Red Hat 12.1.1-3)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
import hashlib
m = hashlib.new('md4')
m.digest()
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
======================================================================
Python 3.9.12 (dd85a1aa7d80, Jul 22 2022, 16:05:26)
[PyPy 7.3.9 with GCC 12.1.1 20220628 (Red Hat 12.1.1-3)] on linux
Type "help", "copyright", "credits" or "license" for more information.
import hashlib
m = hashlib.new('md4')
m.digest()
b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
======================================================================
No exception here, returns all zeros, which is an incorrect result, see below:
This is CPython and PyPy both with OpenSSL 1.1:
======================================================================
import hashlib
m=hashlib.new('md4')
m.digest()
b'1\xd6\xcf\xe0\xd1j\xe91\xb7<Y\xd7\xe0\xc0\x89\xc0'
======================================================================
As you can see, PyPy with OpenSSL 3.0 not only does not raise an exception, it returns incorrect results.
Is this a bug? Or is it a known limitation?
Thanks,
Miro Hrončok
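
A known-answer self-test is one way for calling code to catch the silent all-zero digest reported above. This is an added example, not part of the original post or of CPython/PyPy; check_hash, safe_new and ZeroDigest are hypothetical names, and ZeroDigest is a constructed stand-in that simulates the misbehaving backend.

```python
import hashlib

# Known-answer digests of the empty message (hex). The md4 value is the
# OpenSSL 1.1 result quoted in the post; md5 and sha256 are the standard values.
EMPTY_DIGESTS = {
    "md4": "31d6cfe0d16ae931b73c59d7e0c089c0",
    "md5": "d41d8cd98f00b204e9800998ecf8427e",
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}


def check_hash(name, new=hashlib.new):
    """Classify a hash constructor as 'ok', 'unsupported' or 'broken'.

    `new` is injectable so a misbehaving backend can be simulated.
    """
    try:
        h = new(name)
    except ValueError:
        return "unsupported"  # the CPython + OpenSSL 3 behaviour in the post
    if h.hexdigest() == EMPTY_DIGESTS[name]:
        return "ok"
    # Wrong answer without an exception, e.g. the all-zero digest in the post.
    return "broken"


def safe_new(name, data=b"", new=hashlib.new):
    """hashlib.new() wrapper that refuses a backend failing its self-test."""
    status = check_hash(name, new)
    if status != "ok":
        raise ValueError("hash %r is %s on this interpreter" % (name, status))
    return new(name, data)


class ZeroDigest:
    """Constructed stand-in for the object that returns all zeros."""
    def __init__(self, name, data=b""):
        self.size = len(EMPTY_DIGESTS[name]) // 2
    def update(self, data):
        pass
    def hexdigest(self):
        return "00" * self.size


if __name__ == "__main__":
    for algo in sorted(EMPTY_DIGESTS):
        print(algo, check_hash(algo))
    print("simulated md4:", check_hash("md4", new=ZeroDigest))
```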