summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMiss Islington (bot) <31488909+miss-islington@users.noreply.github.com>2020-05-25 09:07:35 (GMT)
committerGitHub <noreply@github.com>2020-05-25 09:07:35 (GMT)
commit7015823971e7c0cf41cd7d9d9991ed0abdc2f1f4 (patch)
treeafd0a144609fce133426749837a26de5e5bcb1e3
parent82c274e3ba7d011e93805f1552e90baea1752cf1 (diff)
downloadcpython-7015823971e7c0cf41cd7d9d9991ed0abdc2f1f4.zip
cpython-7015823971e7c0cf41cd7d9d9991ed0abdc2f1f4.tar.gz
cpython-7015823971e7c0cf41cd7d9d9991ed0abdc2f1f4.tar.bz2
bpo-40695: Limit hashlib builtin hash fallback (GH-20259)
:mod:`hashlib` no longer falls back to builtin hash implementations when OpenSSL provides a hash digest and the algorithm is blocked by security policy. Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit 4cc2f9348c6e899b76af811fa3bb6c60de642a28) Co-authored-by: Christian Heimes <christian@python.org>
-rw-r--r--Lib/hashlib.py5
-rw-r--r--Misc/NEWS.d/next/Library/2020-05-20-13-03-28.bpo-40695.lr4aIS.rst3
2 files changed, 6 insertions, 2 deletions
diff --git a/Lib/hashlib.py b/Lib/hashlib.py
index 8d119a4..1b6e502 100644
--- a/Lib/hashlib.py
+++ b/Lib/hashlib.py
@@ -127,8 +127,9 @@ def __get_openssl_constructor(name):
# SHA3/shake are available in OpenSSL 1.1.1+
f = getattr(_hashlib, 'openssl_' + name)
# Allow the C module to raise ValueError. The function will be
- # defined but the hash not actually available thanks to OpenSSL.
- f()
+ # defined but the hash not actually available. Don't fall back to
+ # builtin if the current security policy blocks a digest, bpo#40695.
+ f(usedforsecurity=False)
# Use the C function directly (very fast)
return f
except (AttributeError, ValueError):
diff --git a/Misc/NEWS.d/next/Library/2020-05-20-13-03-28.bpo-40695.lr4aIS.rst b/Misc/NEWS.d/next/Library/2020-05-20-13-03-28.bpo-40695.lr4aIS.rst
new file mode 100644
index 0000000..643779b
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2020-05-20-13-03-28.bpo-40695.lr4aIS.rst
@@ -0,0 +1,3 @@
+:mod:`hashlib` no longer falls back to builtin hash implementations when
+OpenSSL provides a hash digest and the algorithm is blocked by security
+policy.