bpo-40695: Limit hashlib builtin hash fallback (GH-20259)

:mod:`hashlib` no longer falls back to builtin hash implementations when
OpenSSL provides a hash digest and the algorithm is blocked by security
policy.

Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 4cc2f9348c)

Co-authored-by: Christian Heimes <christian@python.org>
Miss Islington (bot) 2020-05-25 02:07:35 -07:00 committed by GitHub
parent 82c274e3ba
commit 7015823971
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 6 additions and 2 deletions

@ -127,8 +127,9 @@ def __get_openssl_constructor(name):
# SHA3/shake are available in OpenSSL 1.1.1+
f = getattr(_hashlib, 'openssl_' + name)
# Allow the C module to raise ValueError. The function will be
# defined but the hash not actually available thanks to OpenSSL.
f()
# defined but the hash not actually available. Don't fall back to
# builtin if the current security policy blocks a digest, bpo#40695.
f(usedforsecurity=False)
# Use the C function directly (very fast)
return f
except (AttributeError, ValueError):
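
Review bot: The comment above `f(usedforsecurity=False)` says not to fall back when security policy blocks a digest, but it does not say how the flag achieves that. Spell out that the probe is made with `usedforsecurity=False` so that a digest which is only blocked by policy does not raise `ValueError` here and end up in the `except (AttributeError, ValueError)` branch below. The commit changes 2 files and neither is a test, so a regression test covering a policy-blocked digest would be worth adding with this change.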

@ -0,0 +1,3 @@
:mod:`hashlib` no longer falls back to builtin hash implementations when
OpenSSL provides a hash digest and the algorithm is blocked by security
policy.
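
Review bot: The entry states what no longer happens but not what a caller sees instead. Consider adding a sentence on the resulting behaviour for a blocked algorithm, and mention `usedforsecurity=False`, the flag the code change in this commit relies on, so that users who hit the new behaviour can find the explanation from the changelog.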