Tags: python-3.x, openssl, macports, hashlib

Python 3.9.8, hashlib and RIPEMD160


Running MacOS 10.14.6. Just ran MacPorts update. Took Python 3.9.7 -> 3.9.8 and OpenSSL 1.1.3 -> 3.

Running existing Python code reveals that something broke with hashlib and RIPEMD160 is no longer available (nor Whirlpool and probably other digests).

Traceback (most recent call last):
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/hashlib.py", line 160, in __hash_new
    return _hashlib.new(name, data, **kwargs)
ValueError: [digital envelope routines] initialization error

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "testhash.py", line 3, in <module>
    r160 = hashlib.new('ripemd160')
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/hashlib.py", line 166, in __hash_new
    return __get_builtin_constructor(name)(data)
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/hashlib.py", line 123, in __get_builtin_constructor
    raise ValueError('unsupported hash type ' + name)
ValueError: unsupported hash type ripemd160

Can replicate simply with

import hashlib
r160 = hashlib.new('ripemd160')

The method hashlib.algorithms_available shows that hashlib thinks ripemd160 is available:

Available:  {'sha512', 'shake_128', 'ripemd160', 'sha224', 'md5', 'whirlpool', 'blake2b', 'sha3_512', 'md4', 'sha3_256', 'sha256', 'shake_256', 'md5-sha1', 'sha1', 'sha512_224', 'sm3', 'mdc2', 'blake2s', 'sha3_384', 'sha3_224', 'sha512_256', 'sha384'} 
Guaranteed: {'sha3_512', 'sha512', 'sha1', 'shake_128', 'sha3_384', 'sha224', 'md5', 'sha256', 'sha3_224', 'sha3_256', 'shake_256', 'blake2b', 'blake2s', 'sha384'} 

and asking openssl confirms it does have that capability.

Rolling back, same problem. I'd prefer to keep the up-to-date installation. Use of RIPEMD160 is not negotiable.

I have a suspicion that giving ports the correct switches, commands, env vars will convince a recompilation to work but I know not what.

Any ideas on what has happened, how to fix?


Solution

  • All the old crypto functions are still there in OpenSSL 3 but now require manual enabling. See issue 16994 of the OpenSSL GitHub project for details.

    To quickly enable it, find the directory that holds your OpenSSL config file or a symlink to it, by running the below command:

    openssl version -d
    

    You can now go to the directory and edit the config file (it may be necessary to use sudo):

    nano openssl.cnf
    

    Make sure that the config file contains the following lines:

    openssl_conf = openssl_init
    
    [openssl_init]
    providers = provider_sect
    
    [provider_sect]
    default = default_sect
    legacy = legacy_sect
    
    [default_sect]
    activate = 1
    
    [legacy_sect]
    activate = 1
    

    Tested on: OpenSSL 3.0.2, Python 3.10.4, Linux Ubuntu 22.04 LTS aarch64. I have no access to other platforms at the moment.
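
An added example, not part of the original answer: a Python check that follows the provider chain in an openssl.cnf text as the answer's config lays it out, and probes which digests `hashlib.algorithms_available` advertises but cannot actually instantiate (the mismatch the question shows). The function names and the `NO_LEGACY_CNF` sample are constructed for illustration, and the parser is a simplified reader, not OpenSSL's own config parser.

```python
import hashlib

# Config lines from the answer above, embedded so the example runs offline.
ANSWER_CNF = ("openssl_conf = openssl_init\n[openssl_init]\nproviders = provider_sect\n"
              "[provider_sect]\ndefault = default_sect\nlegacy = legacy_sect\n"
              "[default_sect]\nactivate = 1\n[legacy_sect]\nactivate = 1\n")
# Constructed sample: the same file with the legacy provider line commented out.
NO_LEGACY_CNF = ANSWER_CNF.replace("legacy = legacy_sect", "# legacy = legacy_sect")

def parse_cnf(text):
    """Minimal openssl.cnf reader -> {section: {key: value}}; '' holds global keys."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and not line.startswith(".include"):
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def active_providers(text):
    """Follow openssl_conf -> providers -> provider sections; keep those with activate = 1."""
    cfg = parse_cnf(text)
    init = cfg.get(cfg[""].get("openssl_conf"), {})
    providers = cfg.get(init.get("providers"), {})
    return {n for n, sect in providers.items() if cfg.get(sect, {}).get("activate") == "1"}

def probe_hashes(names=None):
    """Instantiate each advertised digest; return (usable, unusable) sets of names."""
    usable, unusable = set(), set()
    for name in names or hashlib.algorithms_available:
        try:
            hashlib.new(name)
            usable.add(name)
        except ValueError:  # hashlib raises this when the digest cannot be created
            unusable.add(name)
    return usable, unusable

if __name__ == "__main__":
    print("answer config activates:", sorted(active_providers(ANSWER_CNF)))
    print("without legacy line:    ", sorted(active_providers(NO_LEGACY_CNF)))
    print("advertised but unusable here:", sorted(probe_hashes()[1]))
```

To check a real installation, pass the contents of the openssl.cnf found under the directory reported by `openssl version -d` to `active_providers`.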