Description
Proposal:
Currently, we have somewhat different messages when a hash algorithm is not supported. It's annoying because the user does not necessarily know what is what. Also, unfortunately, since OpenSSL 3.0, when a digest is not supported by the FIPS provider, the reason message only contains "ValueError: [digital envelope routines] unsupported" and not the old "ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS", as functions are no longer indicated in OpenSSL errors.
This is a bit annoying, and especially very confusing in the following cases:
>>> _hashlib.openssl_md5()
Traceback (most recent call last):
  File "<python-input-5>", line 1, in <module>
    _hashlib.openssl_md5()
    ~~~~~~~~~~~~~~~~~~~~^^
_hashlib.UnsupportedDigestmodError: [digital envelope routines] unsupported

>>> import hmac
>>> hmac.new(b"", b"", "shake_128")
...
ValueError: error in OpenSSL function HMAC_Init_ex()
This does not give any information about why it failed. So we need to be better here, for the user at least. On the other hand, with blocked built-in functions, the ValueError is raised by __get_builtin_constructor, which has a better message.
Has this already been discussed elsewhere?
No response given
Links to previous discussion of this feature:
No response
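Until the messages are unified upstream, calling code can normalise them itself. The following is an added example, not part of the original issue or of CPython: it wraps `hashlib.new` and `hmac.new` so every failure names the algorithm, the operation and the FIPS state. `DigestUnavailable`, `fips_enabled`, `new_hash`, `new_hmac` and `probe` are hypothetical names, and `_hashlib.get_fips_mode()` is a private CPython helper whose absence is treated as "unknown".

```python
import hashlib
import hmac


class DigestUnavailable(ValueError):
    """Uniform error naming the algorithm and the operation that failed."""


def fips_enabled():
    # Private CPython helper; return None when it cannot be queried.
    try:
        import _hashlib
        return bool(_hashlib.get_fips_mode())
    except (ImportError, AttributeError):
        return None


def _fail(operation, name, exc):
    fips = {True: "on", False: "off", None: "unknown"}[fips_enabled()]
    return DigestUnavailable(
        f"{operation}: digest {name!r} unavailable (FIPS mode {fips}); backend: {exc}")


def new_hash(name, data=b""):
    try:
        return hashlib.new(name, data)
    except ValueError as exc:  # includes _hashlib.UnsupportedDigestmodError
        raise _fail("hash", name, exc) from exc


def new_hmac(key, msg, name):
    try:
        mac = hmac.new(key, msg, name)
        mac.digest()  # some digests (e.g. XOFs) may only fail at this point
        return mac
    except (ValueError, TypeError) as exc:
        raise _fail("hmac", name, exc) from exc


def probe(names):
    """Map each name to None if usable for hash and HMAC, else the message."""
    report = {}
    for name in names:
        try:
            new_hash(name)
            new_hmac(b"constructed-key-for-probing-only", b"", name)
            report[name] = None
        except DigestUnavailable as exc:
            report[name] = str(exc)
    return report
```

Running `probe(["md5", "sha256", "shake_128"])` at service start-up records which digests the local build and provider accept, with one message format for every failure.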