bpo-40695: Limit hashlib builtin hash fallback (GH-20259)

:mod:`hashlib` no longer falls back to builtin hash implementations when
OpenSSL provides a hash digest and the algorithm is blocked by security
policy.

Signed-off-by: Christian Heimes <christian@python.org>

diff --git a/Lib/hashlib.py b/Lib/hashlib.py
index 8d119a4225db9694b8b7b0c4f6151c50183c00ff..1b6e50247c1815832b151a54e4add9f8db3c067a 100644 (file)
--- a/Lib/hashlib.py
+++ b/Lib/hashlib.py
@@ -127,8 +127,9 @@ def __get_openssl_constructor(name):
         # SHA3/shake are available in OpenSSL 1.1.1+
         f = getattr(_hashlib, 'openssl_' + name)
         # Allow the C module to raise ValueError.  The function will be
-        # defined but the hash not actually available thanks to OpenSSL.
-        f()
+        # defined but the hash not actually available.  Don't fall back to
+        # builtin if the current security policy blocks a digest, bpo#40695.
+        f(usedforsecurity=False)
         # Use the C function directly (very fast)
         return f
     except (AttributeError, ValueError):

diff --git a/Misc/NEWS.d/next/Library/2020-05-20-13-03-28.bpo-40695.lr4aIS.rst b/Misc/NEWS.d/next/Library/2020-05-20-13-03-28.bpo-40695.lr4aIS.rst
new file mode 100644 (file)
index 0000000..643779b
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2020-05-20-13-03-28.bpo-40695.lr4aIS.rst
@@ -0,0 +1,3 @@
+:mod:`hashlib` no longer falls back to builtin hash implementations when
+OpenSSL provides a hash digest and the algorithm is blocked by security
+policy.