#118 closed task (fixed)
Use the new hashlib module instead of the deprecated md5 and sha modules
Reported by: | sp | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | 0.4.0 |
Component: | unknown | Version: | |
Keywords: | Cc: |
Description
Both the md5 and sha modules have been deprecated in favor of hashlib in Python 2.5.
I have written a patch that makes use of hashlib instead of md5/sha in foolscap, but it doesn't provide any backwards-compatibility to Python 2.4 and earlier.
The patch is available from my foolscap Mercurial repository at http://bitbucket.org/sp/foolscap.
Change History (5)
comment:1 Changed 16 years ago by
comment:2 Changed 16 years ago by
If I didn't had some persistent clients connected, I would not have caught it :-)
comment:3 Changed 16 years ago by
hm, so yeah, we really need some backwards-compatibility tests, which take a pre-generated cert file, create a Tub from it, and assert that the tubid matches the expected value.
Also, I'd really like to retain py2.4 compatibility. How hard would it be to conditionally import hashlib and fall back to sha if it's unavailable?
Also, while sslverify.py is importing md5, I'm pretty sure that every time we call it, we override the choice of hash algorithm to make it use sha1 instead. If not, we've got a problem, because md5 is even more broken than sha1.
So it might be best to patch our copy of sslverify.py to define an "md5" module that throws an exception any time you try to use it, and then just make sure the digestAlgorithm="sha1" path works for both py2.6 and py2.4 . That would help verify my claim/hope that we aren't using md5 for anything.
comment:4 Changed 16 years ago by
Milestone: | undecided → 0.3.3 |
---|---|
Resolution: | → fixed |
Status: | new → closed |
Ok, I've applied a variant of your patch:
- I added known-value-tests beforehand, to catch problems like the SHA0-vs-SHA1 you saw
- I created a tiny foolscap/hashutil.py module and put the fallback-for-py2.4 logic in it. The new code should work fine on 2.4, 2.5, and 2.6
- I didn't apply the unused-code-cleanup patches to sslverify.py, so we can keep it closer to Twisted's upstream version. I applied the other cleanups, though.
[3550b4119cf7b3de58c72ee62b1299c46195f541] is the main patch. [ff57b9a161b41d86b835c1e9b0b1b1a544c9f5f6] and [2a0aa741a81f8e9a8838de38dfaf137ae3d791dc] have supporting changes.
thanks!
comment:5 Changed 16 years ago by
Milestone: | 0.3.3 → 0.4.0 |
---|
The patched version at http://bitbucket.org/sp/foolscap uses hashlib.new('sha', data), which is not SHA-1, but some weaker hash function (maybe SHA-0?). The unit tests insidiously pass anyway.