-
-
Notifications
You must be signed in to change notification settings - Fork 9.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RIPEMD160 does not work #16994
Comments
Load the legacy provider by adding Yes, engines are still supported. |
Could you please clarify: I want RIPEMD160 be available by default, without any special command line flag. How can I do it through, e.g., build process, or, at the very least, via
Excellent. Could you please help understanding what are the meaning and the implications of this message:
and what do I need to do to make that support "available"? UpdateAdding
|
You need to use a config file along these lines:
The migration guide is a good starting place for things like this. Try loading an engine. I'm seeing the same message here and can load them okay. |
@paulidale thank you! Taking care of Remaining question regarding RIPEMD160: do I need to add Re. engine:
I suspect I don't need either of them. I am able to use PKCS#11 engine. But I'm still concerned about that "unavailable" message - it does not look right. |
RIPEMD is there by default but it doesn't hurt including it in the config line. The legacy is built by default. |
Question to the OpenSSL devs -- reading the above.. this looks like a regression to me. Are you guys really happy with this incredibly cumbersome way to use ripemd160? Like I didn't look at the details all I am seeing is that you need like to edit a config file or something for it to work, or something insane. Do you feel this is a quality product for people to use? Really? I mean.. ask yourselves -- if someone handed you OpenSSL 1.1 and it "just worked" mostly.. and then they hand you OpenSSL 3.0 and you have increased complexity for no real benefit to the average user -- is this a good thing? |
The choice as to which algorithms should be placed into the legacy provider is extremely conservative. The algorithms there have all been considered broken for a very long time. Rather than removing them completely, the decision was made to not make them available by default. Honestly, nobody should be using these old algorithms. How many decades do folks need to update their cryptography use? |
These sound like excuses. At the end of the day OpenSSL 3.0 has gotten worse for some percentage of your install base. You are ok with that it seems. I, as a software developer, do not believe in communism. I don't see myself as some central planning komissar that "knows better" than my users. I give my users the tools they need. Like it or not, ripemd160 is used globally by millions of people each day! It is used in some mission-critical systems moving billions of dollars around. Ripemd160 is used in bitcoin, for example, and many other cryptocurrencies to hash public keys (and thus to generate a bitcoin address). Bitcoin, maybe you heard of it: It's a trilliion-dollar blockchain. They can't just hard-fork tomorrow because you don't like ripemd160. Now, bitcoin has its own implementation of ripemd160 internally. But external toolchains in Python, for example, that interface with Bitcoin and other blockchains need easy access to ripemd160, which they get via openssl. Now -- you guys decided to make life harder for all of those people. And for all the package manager devs out there, and for everybody else. In this decision you have generated negative value for the world. All because of ego. You guys are not central planners, despite your liking to believe you are. You should strive to make tools that make life easier for people, not harder. |
Summary: OpenSSL 3 removed `ripemd160`, see [[openssl/openssl#16994 | openssl/openssl#16994]] Thus, the functional tests fail on systems with OpenSSL 3. This is a backport of [[bitcoin/bitcoin#23716 | core#23716]] Test Plan: `ninja check-functional-extended` Reviewers: #bitcoin_abc, Fabien Reviewed By: #bitcoin_abc, Fabien Differential Revision: https://reviews.bitcoinabc.org/D11413
Summary: OpenSSL 3 removed `ripemd160`, see [[openssl/openssl#16994 | openssl/openssl#16994]] Thus, the functional tests fail on systems with OpenSSL 3. This is a backport of [[bitcoin/bitcoin#23716 | core#23716]] Test Plan: `ninja check-functional-extended` Reviewers: #bitcoin_abc, Fabien Reviewed By: #bitcoin_abc, Fabien Differential Revision: https://reviews.bitcoinabc.org/D11413
Summary: OpenSSL 3 removed `ripemd160`, see [[openssl/openssl#16994 | openssl/openssl#16994]] Thus, the functional tests fail on systems with OpenSSL 3. This is a backport of [[bitcoin/bitcoin#23716 | core#23716]] Test Plan: `ninja check-functional-extended` Reviewers: #bitcoin_abc, Fabien Reviewed By: #bitcoin_abc, Fabien Differential Revision: https://reviews.bitcoinabc.org/D11413 Co-authored-by: Pieter Wuille <pieter@wuille.net>
OpenSSL removed ripemd160, which impacts the default impl of hashlib for most python installs (true as of 22.04 LTS) See also: - openssl/openssl#16994 - bitcoin/bitcoin#23710 - petertodd/python-bitcoinlib#277
OpenSSL removed ripemd160, which impacts the default impl of hashlib for most python installs (true as of 22.04 LTS) See also: - openssl/openssl#16994 - bitcoin/bitcoin#23710 - petertodd/python-bitcoinlib#277
OpenSSL removed ripemd160, which impacts the default impl of hashlib for most python installs (true as of 22.04 LTS) See also: - openssl/openssl#16994 - bitcoin/bitcoin#23710 - petertodd/python-bitcoinlib#277
As a cryptographer, it's news to me that RIPEMD-160 is broken. As far as I know there is no feasible attack against either preimage resistance or collision resistance less costly than the generic attacks. The best published cryptanalytic attack against CR only reaches 34 (out of 80) steps, i.e. it is nowhere near being applicable to full RIPEMD-160. Sure, the 160-bit output size is less than preferred for new protocols, and that limits collision-resistance security to 80 bits. But RIPEMD-160 is used in a lot of places where that isn't a particular problem (for example in Bitcoin address hashing). More to the point, disabling it in OpenSSL isn't actually helping. It's just breaking other software (including software that isn't directly using OpenSSL, for example when it's used via Python's hashlib), in ways that inconvenience people who have no ability to change or decide what algorithms are being used. As you can see from all the pingbacks from other projects, this isn't convincing anyone to stop using RIPEMD-160 in existing protocols. They're just using workarounds or switching away from OpenSSL (to be fair, the latter isn't necessarily a bad thing). |
I'm coming here from Debian #10200695.
Aha. So RIPEMD160 is considered broken? Citation Needed!
If it was true, then MD5 and SHA1 should have been moved to the legacy provider many years ago. There are plenty of collisions for these. There is no publicly known collision for RIPEMD160. As it stands, by moving RIPEMD160 to the legacy provider, OpenSSL breaks established crypto software with no known security weaknesses. This should be reverted. |
https://github.com/bitcoin/bitcoin/blob/ad3e9e1f214d739e098c6ebbd300da5df1026a44/test/functional/test_framework/ripemd160.py and use it instead of hashlib (which might not have RIPEMD-160 due to openssl/openssl#16994). Signed-off-by: Daira Hopwood <daira@jacaranda.org>
It's necessary to generate metalinks (one of the alternative hashes used there). See openssl/openssl#16994
I'm commenting because I see some commenters invoking Bitcoin as an excuse for their comments here, I don't have any insight into OpenSSL's process. At best RIPEMD160 provides 80 bits of collision resistance based on size alone. 2^80 work (or a small multiple) is an attack of a scale that it happening over the next decade is not entirely inconceivable, even for well funded private parties and is absolutely credible for state level attackers. Bitcoin itself has performed more than 2^94 sha256 operations -- way more than enough to find a collision in a 160 bit hash with low memory moderate communication algorithms (and sha2-256 has considerably higher area-time costs). The Bitcoin technical community considers RIPEMD160 inadequately secure and has been moving off of it since 2017. The most recent address type doesn't use it at all, and the prior generation only used it for a restricted backwards compatible use case. Bitcoin, of course, already doesn't use libraries like openssl because consensus consistency creates specific reliability demands that OpenSSL doesn't accommodate. As a result I think the use of "bitcoin" as a justification is fairly unconvincing. In particular, I see the parties here citing "bitcoin" are actually affiliated with under-maintained bitcoin competitors and aren't people I would speak positively about. I apologize to the openssl folks that Bitcoins past usage has inspired such rude conduct. I doubt these messages reflect the sentiments of people actually involved in Bitcoin development (they certainly don't reflect the sentiment of this former Bitcoin developer). Sure, RIPEMD160 probably still acceptable in contexts where collisions certainly don't matter and only second-preimage security matters but determining this can be a difficult and failure prone analysis-- e.g. many people might be quick to assume Bitcoin's use of it in addresses is safe but this is obviously untrue when addresses are generated for multiparty applications (multisignature/threshold cryptography), which are widely deployed in the space. Even experts can get this wrong-- as a post up thread claims that collisions are a non-issue in Bitcoin address hashing, which is flatly untrue (but an understandable error). Downstream users are notoriously ill-equipped to make this analysis and cryptographic experts can just copy and paste a standard implementation without showing up on a github issue thread and losing their cool. In general, OpenSSL isn't -- and really has never been-- maintained in a way that is suitable for specialized applications like consensus protocols. It's an SSL library that happened to have an under-developed interface that exposed many internals to the outside world. The historic lack of safe interfaces has resulted in many bugs. RIPEMD160 code is extremely simple and easily imported into projects (particularly because everyone lacks fancy SIMD accelerated versions anyways). SHA3 XKCP's recent debacle aside, mature hash functions are unlikely to have implementation bugs that create problems exacerbated by code duplication. OpenSSL v3 is a new major version. Interface breaks are to be expected. Dealing with changes like this is part of the cost of developing and maintaining software. Discouraging the use of RIPEMD160 (and other older short hash functions) in most application seems like a completely prudent decision to me, particularly if it's not important for OpenSSL's primary applications. Since RIPEMD160's usage is far less widespread than other functions like MD5 and SHA1 outside of specialist applications that can provide their own functions it also seems completely reasonable to deprecate its use more rapidly than these other functions (which should also be discouraged too!). |
This is misleading. A (good) 160-bit has function requires about 2^160 attempts to find a collision except if we store enough values to mount a birthday attack. Basically, a birthday attack is a time-space trade-off: If we store 2^80 sorted values and search them for a collision in each go, then we still need roughly 2^80 such attempts to find a collision. And even Bitcoin is very very far from that. Also, the maintenance argument seems to be a pretext to justify a past mistake. The algorithm's interface is the same as any other hash function based on the Merkle-Damgård construction and as far as I can see it never failed to compile. The decision to remove RIPEMD160 was a mistake. Before removing it, the argument has been made that it's broken – while MD5 and SHA1 were left in. Then the argument has been made that collisions have been found – without evidence. Then, the argument has been made that it is not standardized – but there's ISO/IEC 10118-3. And the argument has been made that it is not used – but there's Bitcoin. Please stop fishing for arguments that the removal was the right thing to do. This discussion only creates fear, uncertainty, and doubt. It is perfectly okay to move away from RIPEMD160 and use more bits. But, for now, after all we know, applications are safe. (And especially so if second preimage is the sole concern.) Alternatively: come up with an attack! |
## High Level Overview of Change This PR switches the Github Actions from running on `ubuntu-latest` (which recently switched to 22.04) to `ubuntu-20.04`, which fixes tests. ### Context of Change Ubuntu 22.04 upgraded OpenSSL to version 3.0, which deprecated ripemd160. Github will not add support to the runner, because they want to run only the default version. openssl/openssl#16994 actions/runner-images#6676 ### Type of Change - [x] Tests (You added tests for code that already exists, or your new feature included in this PR) ## Test Plan CI now passes.
OpenSSL 3.x has disabled RIPEMD160 in its default configuration. digestByName will find the algorithm, but attempts to actually use it fail. See openssl/openssl#16994 for details.
https://github.com/bitcoin/bitcoin/blob/ad3e9e1f214d739e098c6ebbd300da5df1026a44/test/functional/test_framework/ripemd160.py and use it instead of hashlib (which might not have RIPEMD-160 due to openssl/openssl#16994). Signed-off-by: Daira Hopwood <daira@jacaranda.org>
ripemd160 has been removed by ssl. openssl/openssl#16994 Add a pure py ripemd160 to make sure the code can run in any env.
In short: OpenSSL-3 (and master) build normally (config attached), passes all the tests, pretends that RIPEMD is there - but fail to actually use it when asked.
With 3.0.0:
With
master
:Also, are dynamically-loaded engines no longer supported?!
Update
My configurator did not include
enable-rmd160
. Re-testing with it added.The text was updated successfully, but these errors were encountered: