MD4 Support for NTLM

[da1910]

Comment:

I'm new to conda and unsure if this is the correct place to report this, but I tried to get NTLM authentication working for a package I maintain, for various reasons we need to use conda-forge as a package source.

Unfortunately it looks like conda is picking up OpenSSL 3.0.5 at this point, which does not appear to have been built with support for MD4. Was this a deliberate decision to omit support for MD4, or is it a flag that must be set to enable support? At the moment our only available approach is to remove conda-forge as a package source, since the main 1.1.1q build of OpenSSL does support the algorithm we need.

[h-vetinari]

Unfortunately it looks like conda is picking up OpenSSL 3.0.5 at this point, which does not appear to have been built with support for MD4. Was this a deliberate decision to omit support for MD4, or is it a flag that must be set to enable support?

We do a build pretty close to the upstream defaults (with the exception of enabling legacy algorithms, that many packages still need). Based on the OpenSSL 3 migration guide,

See "Deprecated low-level encryption functions". MD4 has been moved to the Legacy Provider.

... MD4 should still be available from that legacy provider (though not from the same place as it used to be for 1.1.1, so you'll have to adapt your setup to load the legacy provider first - assuming you're operating in C-land; otherwise, cryptography has these things pretty available, or you could change algorithm).

[h-vetinari]

Also note that OpenSSL 1.1.1 is still widely available (and being built-for) in conda-forge. All OpenSSL-dependent packages are currently being built both for 1.1.1 & 3.0.x

[da1910]

We're exclusively in python land, from what I can work out we get OpenSSL 3 and a version of python compiled against it, which does not have the required algorithm as part of hashlib. Unfortunately for NTLM we're stuck with MD4 (It's definitely not a secure hash algorithm, or encryption standard, but lots of enterprises still use it, particularly for linux users connecting to windows domains).

Workaround for us seems to be to specify OpenSSL < 3 in our recipe, when combined with

conda install package.tar.bz2
conda update --all

We seem to get a working setup

[h-vetinari]

We're exclusively in python land

OpenSSL does not come with python bindings, so how were you using this before OpenSSL 3?

It looks like MD4 is not even in cryptography (the standard library for these things in python).

Normally I would have suggested to open an issue for potential inclusion there, but it turns out that already exists and has been decisively rejected (mostly because it should be available from the python standard library).

Assuming you're using things from the stdlib, then I agree things should work. Please provide the a code sample for how you're using MD4, as well as the outputs of conda list and conda info

[jakirkham]

Sounds like OP is referring to hashlib, the Python builtin module.

As to MD4 and loading legacy API with OpenSSL, this looks similar to upstream issue ( python/cpython#92876 ).

[h-vetinari]

Thanks for the reference @jakirkham. While this should be solved in upstream cpython, it sounds like there's a workaround posted in that issue how to make sure the openssl legacy provider is loaded.

[da1910]

Ah yes, thankyou @jakirkham I was referring to hashlib, if this issue goes as far upstream as CPython then we can work with OpenSSL 1.x.x for the moment.

[jakirkham]

Sounds good. There is a workaround in the upstream issue for OpenSSL 3.

Given there doesn't seem to be anything for us to do in terms of this package atm, would it make sense to close?

[da1910]

Happy to close, would be nice if it worked, but not an issue for the conda feedstock.