Bug 55996 - univention-radius-ntlm-auth: OpenSSL has no MD4 support anymore
Summary: univention-radius-ntlm-auth: OpenSSL has no MD4 support anymore
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: Radius
Version: UCS 5.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.1
Assignee: Juan Carlos
QA Contact: Florian Best
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-04-20 16:22 CEST by Florian Best
Modified: 2025-02-05 15:08 CET (History)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID:
Max CVSS v3 score:


Description Florian Best univentionstaff 2023-04-20 16:22:40 CEST
univention-radius-ntlm-auth uses MD4:

services/univention-radius/modules/univention/radius/pyMsChapV2.py
> def md4(data):
>     # type: (bytes) -> bytes
>     md = hashlib.new('md4')
>     md.update(data)
>     return md.digest()
>
> def HashNtPasswordHash(passwordhash):
>     # type: (bytes) -> bytes
>     return md4(passwordhash)

In UCS 5.1 OpenSSL is built without MD4 support, that's why Python's hashlib doesn't support it anymore.

→ We have to find a replacement for that functionality in radius.
Comment 3 Florian Best univentionstaff 2023-09-21 18:08:02 CEST
See also https://github.com/openssl/openssl/issues/21247
Comment 4 Arvid Requate univentionstaff 2023-09-22 12:54:29 CEST
Maybe we can simply use from samba.crypto import md4_hash_blob instead.
Comment 5 Florian Best univentionstaff 2023-09-22 12:57:48 CEST
(In reply to Arvid Requate from comment #4)
> Maybe we can simply use from samba.crypto import md4_hash_blob instead.

Ok, would be an option. Requires a dependency on python3-samba (do we have this already on non-samba systems?).

Juan Carlos already found a solution via SSL config options:

diff --git services/univention-radius/modules/univention/radius/pyMsChapV2.py services/univention-radius/modules/univention/radius/pyMsChapV2.py
index e9bc4cfff5..dbdbccda97 100644
--- services/univention-radius/modules/univention/radius/pyMsChapV2.py
+++ services/univention-radius/modules/univention/radius/pyMsChapV2.py
@@ -35,9 +35,16 @@
 # /usr/share/common-licenses/AGPL-3; if not, see
 # <https://www.gnu.org/licenses/>.
 
-import hashlib
+# #55996 md4 is now part of the legacy provider. To
+# use it we need to load it before importing hashlib.
+import ctypes
 
-import passlib.crypto.des
+
+ctypes.CDLL("libssl.so").OSSL_PROVIDER_load(None, b"legacy")
+ctypes.CDLL("libssl.so").OSSL_PROVIDER_load(None, b"default")
+import hashlib  # noqa: E402
+
+import passlib.crypto.des  # noqa: E402
 
 
 def md4(data):
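Review bot: the two `ctypes.CDLL("libssl.so")` calls will raise OSError on any host without the development package, because the unversioned `libssl.so` is the libssl-dev symlink while the runtime only ships the versioned soname (e.g. `libssl.so.3`); resolve the library with `ctypes.util.find_library("crypto")` instead, since OSSL_PROVIDER_load is a libcrypto symbol that is only reachable here through libssl's dependency on libcrypto, and open one handle rather than two. The return value of OSSL_PROVIDER_load is also discarded: it returns NULL when the legacy provider is not installed, so the failure only surfaces later as an opaque `ValueError: unsupported hash type md4` from hashlib; set `restype = ctypes.c_void_p`, check for None and raise a clear ImportError. The comment's claim that the provider must be loaded "before importing hashlib" is fragile as written, because hashlib may already have been imported by another module earlier in the same process; either explain why the order matters on this Python/OpenSSL combination or add a test that asserts `hashlib.new("md4")` succeeds after this module is imported. Loading "default" explicitly is correct (explicitly loading any provider disables the automatic default), but note in the comment that the legacy provider is process-wide and re-enables every legacy algorithm (MD4, DES, RC4, ...) for all OpenSSL users in the process, not only for this module.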
Comment 6 Florian Best univentionstaff 2023-10-17 13:15:50 CEST
OK: MD4 implementation of samba is used
OK: python3-samba dependency is added
OK: changelog entry
OK: already in UCS 5.1
Comment 7 Florian Best univentionstaff 2023-10-17 13:17:15 CEST
Comment from Arvid at the issue:
See also:

    https://stackoverflow.com/questions/69938570/md4-hashlib-support-in-python-3-8
    Workaround: https://bugs.launchpad.net/ubuntu/+source/python3.10/+bug/1971580, confirmed by https://github.com/ecederstrand/exchangelib/issues/608
    Maybe we can simply use from samba.crypto import md4_hash_blob instead.
Comment 8 Florian Best univentionstaff 2024-03-08 10:56:47 CET
univention-radius (8.0.6)
5842ebcb2644 | Bug #55996: replace the non-default enabled md4 from hashlib with md4_hash_blob from samba4.crypto
ca84ac947dda | Bug #55996: load legacy provider before to enable md4 in univention-radius
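The thread settles on samba's md4_hash_blob, which comment 5 notes is only available where python3-samba is installed. As an added example, not code from univention-radius, samba or OpenSSL, the following Python module resolves MD4 in the order the thread discusses: hashlib first, then the OpenSSL 3 legacy-provider route from the patch in comment 5 (with the library lookup and NULL checks that patch omits), and finally a pure-Python RFC 1320 MD4, so that the NtPasswordHash and HashNtPasswordHash steps of MS-CHAPv2 keep working however OpenSSL was built. All function names, the `_md4_pure` fallback and the sample password are my own assumptions; the MD4 test vectors are the public RFC 1320 ones.

```python
"""MD4 for MS-CHAPv2 without depending on an MD4-enabled OpenSSL build.

Added example (not univention-radius code). Resolution order:
hashlib -> OpenSSL 3 legacy provider via ctypes -> pure-Python RFC 1320.
"""
import ctypes
import ctypes.util
import hashlib
import struct

_MASK = 0xFFFFFFFF


def _md4_pure(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python; used only when OpenSSL refuses the algorithm."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, s): return ((x << s) | (x >> (32 - s))) & _MASK

    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as little-endian u64.
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (  # (boolean function, additive constant, X[k] order, shift amounts)
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rotl((a + func(b, c, d) + x[k] + const) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles so the next step updates the old D
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def _md4_openssl(data: bytes):
    """Return the OpenSSL digest, or None if this build has no MD4."""
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:  # "unsupported hash type md4"
        return None


def load_legacy_provider() -> bool:
    """The OpenSSL 3 legacy-provider route from the bug's patch, with the checks it lacks.

    Loading any provider explicitly disables OpenSSL's automatic default provider,
    so "default" is loaded as well. This is process-wide: it re-enables every legacy
    algorithm for all OpenSSL users in the process, not only MD4 for this module.
    """
    path = ctypes.util.find_library("crypto")  # versioned runtime library, not the -dev symlink
    if path is None:
        return False
    try:
        loader = ctypes.CDLL(path).OSSL_PROVIDER_load  # the symbol lives in libcrypto
    except (OSError, AttributeError):  # unloadable library, or OpenSSL < 3 without providers
        return False
    loader.restype = ctypes.c_void_p  # NULL (None) means "provider not installed"
    loader.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    results = [loader(None, name) for name in (b"default", b"legacy")]
    return all(r is not None for r in results)


_LEGACY_ATTEMPTED = False


def md4(data: bytes) -> bytes:
    """hashlib if it can, the legacy provider once, then the pure-Python fallback."""
    global _LEGACY_ATTEMPTED
    digest = _md4_openssl(data)
    if digest is None and not _LEGACY_ATTEMPTED:
        _LEGACY_ATTEMPTED = True
        if load_legacy_provider():
            digest = _md4_openssl(data)
    return digest if digest is not None else _md4_pure(data)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash (RFC 2759): MD4 over the UTF-16LE encoded password."""
    return md4(password.encode("utf-16-le"))


def hash_nt_password_hash(password_hash: bytes) -> bytes:
    """HashNtPasswordHash (RFC 2759): MD4 of the 16-byte NT hash, the step the patch had to keep."""
    return md4(password_hash)


if __name__ == "__main__":
    nt = nt_password_hash("password")  # constructed sample password, not a real credential
    print("NtPasswordHash     :", nt.hex())
    print("HashNtPasswordHash :", hash_nt_password_hash(nt).hex())
```

The pure-Python path is deliberately last: it is slow and only there so authentication does not break on a hardened OpenSSL; the legacy-provider path is attempted at most once per process because it is a global change to what OpenSSL will accept, which is the caveat a reviewer would want stated next to the ctypes call.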