From 4cc2f9348c6e899b76af811fa3bb6c60de642a28 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 25 May 2020 10:43:10 +0200 Subject: [PATCH] bpo-40695: Limit hashlib builtin hash fallback (GH-20259) :mod:`hashlib` no longer falls back to builtin hash implementations when OpenSSL provides a hash digest and the algorithm is blocked by security policy. Signed-off-by: Christian Heimes --- Lib/hashlib.py | 5 +++-- .../next/Library/2020-05-20-13-03-28.bpo-40695.lr4aIS.rst | 3 +++ 2 files changed, 6 insertions(+), 2 deletions(-) create mode 100644 Misc/NEWS.d/next/Library/2020-05-20-13-03-28.bpo-40695.lr4aIS.rst diff --git a/Lib/hashlib.py b/Lib/hashlib.py index 8d119a4225d..1b6e50247c1 100644 --- a/Lib/hashlib.py +++ b/Lib/hashlib.py @@ -127,8 +127,9 @@ def __get_openssl_constructor(name): # SHA3/shake are available in OpenSSL 1.1.1+ f = getattr(_hashlib, 'openssl_' + name) # Allow the C module to raise ValueError. The function will be - # defined but the hash not actually available thanks to OpenSSL. - f() + # defined but the hash not actually available. Don't fall back to + # builtin if the current security policy blocks a digest, bpo#40695. + f(usedforsecurity=False) # Use the C function directly (very fast) return f except (AttributeError, ValueError): diff --git a/Misc/NEWS.d/next/Library/2020-05-20-13-03-28.bpo-40695.lr4aIS.rst b/Misc/NEWS.d/next/Library/2020-05-20-13-03-28.bpo-40695.lr4aIS.rst new file mode 100644 index 00000000000..643779bab49 --- /dev/null +++ b/Misc/NEWS.d/next/Library/2020-05-20-13-03-28.bpo-40695.lr4aIS.rst @@ -0,0 +1,3 @@ +:mod:`hashlib` no longer falls back to builtin hash implementations when +OpenSSL provides a hash digest and the algorithm is blocked by security +policy.