hashlib suddenly broken

Ned Deily nad at acm.org
Thu Sep 18 16:44:59 EDT 2014 

In article 
<CACwCsY7YfqRL-08qeywmYox8oQh5iwTcx_LCx5maaDzwsMDUeQ at mail.gmail.com>,
 Larry Martell <larry.martell at gmail.com> wrote:
> On Thu, Sep 18, 2014 at 1:22 PM, Larry Martell <larry.martell at gmail.com> 
> wrote:
> > On Thu, Sep 18, 2014 at 11:07 AM, Steven D'Aprano
> > <steve+comp.lang.python at pearwood.info> wrote:
> >> Larry Martell wrote:
> >>> I am on a mac running 10.8.5, python 2.7
> >>> Suddenly, many of my scripts started failing with:
> >>>
> >>> ValueError: unsupported hash type sha1
> >> [...]
> >>> This just started happening yesterday, and I cannot think of anything
> >>> that I've done that could cause this.
[...]
> > So you know how I could check and see if I have SHA-1 and when my SSL
> > was updated?

IIRC, the _sha1 extension module is only built for Python 2.7 if the 
necessary OpenSSL libraries (libssl and libcrypto) are not available 
when Python is built.  They are available on OS X so, normally, you 
won't see an _sha1.so with Pythons there.  hashlib.py first tries to 
import _hashlib.so and check that if it was built with the corresponding 
OpenSSL API and then calls it.  On OS X many Python builds, including 
the Apple system Pythons and the python.org Pythons, are dynamically 
linked to the system OpenSSL libs in /usr/lib.  From your original post, 
I'm assuming you are using the Apple-supplied system Python 2.7 on OS X 
10.8.5.  If so, you should see something like this:

$ sw_vers
ProductName:   Mac OS X
ProductVersion:   10.8.5
BuildVersion:  12F45 
$ /usr/bin/python2.7
Python 2.7.2 (default, Oct 11 2012, 20:14:37)
[GCC 4.2.1 Compatible Apple Clang 4.0 (tags/Apple/clang-418.0.60)] on 
darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import _hashlib
>>> dir(_hashlib)
['__doc__', '__file__', '__name__', '__package__', 'new', 'openssl_md5', 
'openssl_sha1', 'openssl_sha224', 'openssl_sha256', 'openssl_sha384', 
'openssl_sha512']
>>> _hashlib.__file__
'/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/l
ib-dynload/_hashlib.so'
>>> ^D
$ otool -L 
'/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/l
ib-dynload/_hashlib.so'
/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/li
b-dynload/_hashlib.so:
   /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current 
version 47.0.0)
   /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current 
version 47.0.0)
   /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current 
version 169.3.0)
$ ls -l /usr/lib/libssl.0.9.8.dylib
-rwxr-xr-x  1 root  wheel  620848 Sep 18 13:13 
/usr/lib/libssl.0.9.8.dylib
$ ls -l /usr/lib/libcrypto.0.9.8.dylib
-rwxr-xr-x  1 root  wheel  2712368 Sep 18 13:13 
/usr/lib/libcrypto.0.9.8.dylib

Note that this was taken *after* installing the latest 10.8.5 Security 
Update for 10.8 (Security Update 2014-004, 
http://support.apple.com/kb/ht6443) which was just released today; that 
includes an updated OpenSSL.  But, I tried this today just before 
installing the update and it worked the same way, with older 
modification dates.  The python.org Python 2.7.x should look very 
similar but with /Library/Frameworks paths instead of 
/System/Library/Frameworks.  Other Pythons (e.g. MacPorts or Homebrew) 
may be using their own copies of OpenSSL libraries.

-- 
 Ned Deily,
 nad at acm.org

More information about the Python-list mailing list