From: Christian Heimes Date: Mon, 25 May 2020 08:43:10 +0000 (+0200) Subject: bpo-40695: Limit hashlib builtin hash fallback (GH-20259) X-Git-Tag: v3.10.0a1~835 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4cc2f9348c6e899b76af811fa3bb6c60de642a28;p=thirdparty%2FPython%2Fcpython.git bpo-40695: Limit hashlib builtin hash fallback (GH-20259) :mod:`hashlib` no longer falls back to builtin hash implementations when OpenSSL provides a hash digest and the algorithm is blocked by security policy. Signed-off-by: Christian Heimes --- diff --git a/Lib/hashlib.py b/Lib/hashlib.py index 8d119a4225db..1b6e50247c18 100644 --- a/Lib/hashlib.py +++ b/Lib/hashlib.py @@ -127,8 +127,9 @@ def __get_openssl_constructor(name): # SHA3/shake are available in OpenSSL 1.1.1+ f = getattr(_hashlib, 'openssl_' + name) # Allow the C module to raise ValueError. The function will be - # defined but the hash not actually available thanks to OpenSSL. - f() + # defined but the hash not actually available. Don't fall back to + # builtin if the current security policy blocks a digest, bpo#40695. + f(usedforsecurity=False) # Use the C function directly (very fast) return f except (AttributeError, ValueError): diff --git a/Misc/NEWS.d/next/Library/2020-05-20-13-03-28.bpo-40695.lr4aIS.rst b/Misc/NEWS.d/next/Library/2020-05-20-13-03-28.bpo-40695.lr4aIS.rst new file mode 100644 index 000000000000..643779bab494 --- /dev/null +++ b/Misc/NEWS.d/next/Library/2020-05-20-13-03-28.bpo-40695.lr4aIS.rst @@ -0,0 +1,3 @@ +:mod:`hashlib` no longer falls back to builtin hash implementations when +OpenSSL provides a hash digest and the algorithm is blocked by security +policy.