CRAM-MD5 fails if Python has been built without HMAC-MD5 support

[ouldriw]

Bug report

Bug description:

When using smtplib to send emails in an environment where MD5 is not supported (e.g. FIPS), using SMTP.login to authenticate with an SMTP server will fail with:

  File "/usr/lib64/python3.9/smtplib.py", line 739, in login
    (code, resp) = self.auth(
  File "/usr/lib64/python3.9/smtplib.py", line 652, in auth
    authobject(challenge).encode('ascii'), eol='')
  File "/usr/lib64/python3.9/smtplib.py", line 670, in auth_cram_md5
    return self.user + " " + hmac.HMAC(
  File "/usr/lib64/python3.9/hmac.py", line 60, in _init_
    self._init_hmac(key, msg, digestmod)
  File "/usr/lib64/python3.9/hmac.py", line 69, in _init_hmac
    self._hmac = _hashopenssl.hmac_new(key, msg, digestmod=digestmod)
ValueError: [digital envelope routines] unsupported

The docs for SMTP.login say:
"Each of the authentication methods supported by smtplib are tried in turn if they are advertised as supported by the server."

But the problem here is auth_cram_md5 is always attempted first and the ValueError is not caught so smtplib never moves on to other authentication methods

CPython versions tested on:

3.9

Operating systems tested on:

Linux

Linked PRs

• gh-136134: Fallback to next auth method when CRAM-MD5 fails due to unsupported hash (e.g. FIPS) #136188
• gh-136134: imaplib: fix CRAM-MD5 on FIPS-only environments #136615
• gh-136134: smtplib: fix CRAM-MD5 on FIPS-only environments #136623

[LamentXU123]

Could you produce a python script to reproduce? TiA

Edited: Maybe you could try in on newer version of python. I failed to reproduce it on 3.14 windows (or maybe my bad here, so to make it clearer I look forward to a more precise discription, e.g. what is your script to connect with the SMTP server? Or what is the config of your SMTP server or something) Thank you for your report!

Edited 2: After staring at the code for a while, I think this could be a bug. Maybe adding a Error handling here would be better(?). (I think I still need a more detailed description, a reproducing POC will be great, TiA)

[kannansasientrust]

You can reproduce this on any linux container with fips enabled and a mail server that uses MD5 auth method. Here is how I did it

Dockerfile

$ cat Dockerfile
FROM docker.io/salrashid123/openssl:3.4.0.fips
RUN apt-get update && apt-get install -y python3 python3-venv
WORKDIR /apps
COPY a.py /apps
$

Code

$ cat a.py
import sys
from smtplib import SMTP
 
args = sys.argv[1:]
 
smtp = SMTP()
smtp.connect(args[0], int(args[1]))
smtp.login(args[2], args[3])

Build and run

$ docker build -t python-fips .
$ docker run --entrypoint bash -it python-fips
root@5c050cbf4f8c:/apps# python3 --version
Python 3.11.2
root@5c050cbf4f8c:/apps# python3 a.py mail.smtp2go.com 2525 user@nonexistent.com badpassword
Traceback (most recent call last):
  File "/apps/a.py", line 9, in <module>
    smtp.login(args[2], args[3])
  File "/usr/lib/python3.11/smtplib.py", line 739, in login
    (code, resp) = self.auth(
                   ^^^^^^^^^^
  File "/usr/lib/python3.11/smtplib.py", line 652, in auth
    authobject(challenge).encode('ascii'), eol='')
    ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/smtplib.py", line 670, in auth_cram_md5
    return self.user + " " + hmac.HMAC(
                             ^^^^^^^^^^
  File "/usr/lib/python3.11/hmac.py", line 60, in __init__
    self._init_hmac(key, msg, digestmod)
  File "/usr/lib/python3.11/hmac.py", line 67, in _init_hmac
    self._hmac = _hashopenssl.hmac_new(key, msg, digestmod=digestmod)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ValueError: [digital envelope routines] unsupported
root@5c050cbf4f8c:/apps#

[ZeroIntensity]

cc @picnixz

[picnixz]

It looks like Python is 3.9 but it may still be present in main. In some sense, it can lead to an unavailable service but... I am travelling so I'll take a look in 10 days.

[nogueira-raphael]

I’ve submitted a PR that addresses this issue.

The fix ensures that if CRAM-MD5 fails due to an unsupported hash (as seen in FIPS environments), the login flow falls back to the next supported auth method instead of raising a ValueError.

#136188

I'm not sure if you have another better way to handle with this, but any questions I can change the strategy used to handle with the error.

[picnixz]

I've actually checked stuff more precisely offline and observed that the problem is much more intricate to solve. We can't just raise an arbitrary exception and a similar issue occurs in imaplib. The problem with just raising an exception is that the server is sending a challenge and waiting for a reponse as well. So the current smtplib tests need to be updated.

Sorry but I'll work on this task myself as I actually needed to test it as well.

[nogueira-raphael]

No worries @picnixz you can checkout my branch if you think something there can be used.

[picnixz]

I have already written something locally so it won't be necessary. Sorry for the unnecessary work I've made you do.