Opened 15 years ago

Closed 15 years ago

Last modified 15 years ago

#118 closed task (fixed)

Use the new hashlib module instead of the deprecated md5 and sha modules

Reported by: sp
Owned by:
Priority: minor
Milestone: 0.4.0
Component: unknown
Version:
Keywords:
Cc:

Description

Both the md5 and sha modules have been deprecated in favor of hashlib in Python 2.5.

I have written a patch that makes use of hashlib instead of md5/sha in foolscap, but it doesn't provide any backwards-compatibility to Python 2.4 and earlier.

The patch is available from my foolscap Mercurial repository at http://bitbucket.org/sp/foolscap.

Change History (5)

comment:1 Changed 15 years ago by ivank

The patched version at http://bitbucket.org/sp/foolscap uses hashlib.new('sha', data), which is not SHA-1, but some weaker hash function (maybe SHA-0?). The unit tests insidiously pass anyway.

comment:2 Changed 15 years ago by ivank

If I hadn't had some persistent clients connected, I would not have caught it :-)

comment:3 Changed 15 years ago by Brian Warner

hm, so yeah, we really need some backwards-compatibility tests, which take a pre-generated cert file, create a Tub from it, and assert that the tubid matches the expected value.

Also, I'd really like to retain py2.4 compatibility. How hard would it be to conditionally import hashlib and fall back to sha if it's unavailable?

Also, while sslverify.py is importing md5, I'm pretty sure that every time we call it, we override the choice of hash algorithm to make it use sha1 instead. If not, we've got a problem, because md5 is even more broken than sha1.

So it might be best to patch our copy of sslverify.py to define an "md5" module that throws an exception any time you try to use it, and then just make sure the digestAlgorithm="sha1" path works for both py2.6 and py2.4. That would help verify my claim/hope that we aren't using md5 for anything.

comment:4 Changed 15 years ago by Brian Warner

Milestone: undecided → 0.3.3
Resolution: fixed
Status: new → closed

Ok, I've applied a variant of your patch:

  • I added known-value-tests beforehand, to catch problems like the SHA0-vs-SHA1 you saw
  • I created a tiny foolscap/hashutil.py module and put the fallback-for-py2.4 logic in it. The new code should work fine on 2.4, 2.5, and 2.6
  • I didn't apply the unused-code-cleanup patches to sslverify.py, so we can keep it closer to Twisted's upstream version. I applied the other cleanups, though.

[3550b4119cf7b3de58c72ee62b1299c46195f541] is the main patch. [ff57b9a161b41d86b835c1e9b0b1b1a544c9f5f6] and [2a0aa741a81f8e9a8838de38dfaf137ae3d791dc] have supporting changes.

thanks!
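The two things this ticket converged on, a conditional hashlib import with a fallback to the old sha module and a known-answer test that would have caught the SHA-0-for-SHA-1 mix-up from comment:1, as an added example. This is not foolscap's hashutil.py or any code from this ticket; the module layout, the `md5` stand-in from comment:3 and the function names are assumptions.

```python
"""Added example, not foolscap's own hashutil.py: hashlib with a fallback to
the deprecated sha module, plus a known-answer self-check for SHA-1."""

try:
    # Python 2.5+ and all Python 3 releases ship hashlib.
    from hashlib import sha1 as _sha1
except ImportError:  # Python 2.4 fallback: the module this ticket replaces.
    from sha import new as _sha1


def sha1(data=b""):
    """Return a SHA-1 hash object, whichever module supplied it."""
    return _sha1(data)


class md5(object):
    """Stand-in for the md5 module, in the spirit of comment:3 (hypothetical):
    any attempt to hash with it raises, so an accidental md5 code path in
    sslverify.py cannot pass unnoticed."""

    def __init__(self, *args, **kwargs):
        raise RuntimeError("md5 is disabled; use sha1 (digestAlgorithm='sha1')")


# FIPS 180-1 known-answer vectors for SHA-1, embedded so the check runs offline.
# A SHA-0 implementation (or any other wrong algorithm handed back by
# hashlib.new('sha')) produces different digests and fails this check even
# when the rest of a test suite, which only compares the code to itself, passes.
SHA1_VECTORS = [
    (b"", "da39a3ee5e6b4b0d3255bfef95601890afd80709"),
    (b"abc", "a9993e364706816aba3e25717850c26c9cd0d89d"),
    (b"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
     "84983e441c3bd26ebaae4aa1f95129e5e54670f1"),
]


def sha1_is_genuine(factory=sha1):
    """True only if `factory` reproduces every SHA-1 known-answer vector,
    including the 20-byte digest size."""
    for message, expected in SHA1_VECTORS:
        h = factory(message)
        if h.digest_size != 20 or h.hexdigest() != expected:
            return False
    return True
```

Running `sha1_is_genuine()` at import time, or as the first test in the suite, turns a silently wrong hash function into a loud failure.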

comment:5 Changed 15 years ago by Brian Warner

Milestone: 0.3.3 → 0.4.0