From: Bénédikt Tran <10796600+picnixz@users.noreply.github.com> Date: Sat, 12 Jul 2025 16:33:07 +0000 (+0200) Subject: gh-136591: avoid using deprecated features for OpenSSL 3.0+ (#136592) X-Git-Tag: v3.15.0a1~997 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9be3649f5eccfbda1b3c9c3195927951a9ae9b90;p=thirdparty%2FPython%2Fcpython.git gh-136591: avoid using deprecated features for OpenSSL 3.0+ (#136592) Since OpenSSL 3.0, `ERR_func_error_string()` always returns NULL and `EVP_MD_CTX_get0_md()` should be preferred over `EVP_MD_CTX_md()`. --- diff --git a/Misc/NEWS.d/next/Library/2025-07-12-18-05-37.gh-issue-136591.ujXmSN.rst b/Misc/NEWS.d/next/Library/2025-07-12-18-05-37.gh-issue-136591.ujXmSN.rst new file mode 100644 index 000000000000..ccd5bf11f046 --- /dev/null +++ b/Misc/NEWS.d/next/Library/2025-07-12-18-05-37.gh-issue-136591.ujXmSN.rst @@ -0,0 +1,3 @@ +:mod:`!_hashlib`: avoid using deprecated functions +:manpage:`ERR_func_error_string` and :manpage:`EVP_MD_CTX_md` when using +OpenSSL 3.0 and later. Patch by Bénédikt Tran. diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c index 90a7391ebb09..1a6c831e4837 100644 --- a/Modules/_hashopenssl.c +++ b/Modules/_hashopenssl.c @@ -64,11 +64,15 @@ #define PY_EVP_MD_fetch(algorithm, properties) EVP_MD_fetch(NULL, algorithm, properties) #define PY_EVP_MD_up_ref(md) EVP_MD_up_ref(md) #define PY_EVP_MD_free(md) EVP_MD_free(md) + +#define PY_EVP_MD_CTX_md(CTX) EVP_MD_CTX_get0_md(CTX) #else #define PY_EVP_MD const EVP_MD #define PY_EVP_MD_fetch(algorithm, properties) EVP_get_digestbyname(algorithm) #define PY_EVP_MD_up_ref(md) do {} while(0) #define PY_EVP_MD_free(md) do {} while(0) + +#define PY_EVP_MD_CTX_md(CTX) EVP_MD_CTX_md(CTX) #endif /* hash alias map and fast lookup @@ -308,6 +312,14 @@ class _hashlib.HMAC "HMACobject *" "&PyType_Type" /* LCOV_EXCL_START */ +/* Thin wrapper around ERR_reason_error_string() returning non-NULL text. */ +static const char * +py_wrapper_ERR_reason_error_string(unsigned long errcode) +{ + const char *reason = ERR_reason_error_string(errcode); + return reason ? reason : "no reason"; +} + /* Set an exception of given type using the given OpenSSL error code. */ static void set_ssl_exception_from_errcode(PyObject *exc_type, unsigned long errcode) @@ -317,8 +329,13 @@ set_ssl_exception_from_errcode(PyObject *exc_type, unsigned long errcode) /* ERR_ERROR_STRING(3) ensures that the messages below are ASCII */ const char *lib = ERR_lib_error_string(errcode); +#ifdef Py_HAS_OPENSSL3_SUPPORT + // Since OpenSSL 3.0, ERR_func_error_string() always returns NULL. + const char *func = NULL; +#else const char *func = ERR_func_error_string(errcode); - const char *reason = ERR_reason_error_string(errcode); +#endif + const char *reason = py_wrapper_ERR_reason_error_string(errcode); if (lib && func) { PyErr_Format(exc_type, "[%s: %s] %s", lib, func, reason); @@ -838,7 +855,7 @@ static PyObject * _hashlib_HASH_get_name(PyObject *op, void *Py_UNUSED(closure)) { HASHobject *self = HASHobject_CAST(op); - const EVP_MD *md = EVP_MD_CTX_md(self->ctx); + const EVP_MD *md = PY_EVP_MD_CTX_md(self->ctx); if (md == NULL) { notify_ssl_error_occurred("missing EVP_MD for HASH context"); return NULL;