bpo-40695: Limit hashlib builtin hash fallback (GH-20259)

:mod:`hashlib` no longer falls back to builtin hash implementations when OpenSSL provides a hash digest and the algorithm is blocked by security policy. Signed-off-by: Christian Heimes <christian@python.org>
2020-05-25 10:43:10 +02:00 · 2020-05-25 10:43:10 +02:00 · 4cc2f9348c
parent 3f59b55316
commit 4cc2f9348c
2 changed files with 6 additions and 2 deletions
--- a/Lib/hashlib.py
+++ b/Lib/hashlib.py
@ -127,8 +127,9 @@ def __get_openssl_constructor(name):
        # SHA3/shake are available in OpenSSL 1.1.1+
        f = getattr(_hashlib, 'openssl_' + name)
        # Allow the C module to raise ValueError.  The function will be
-        # defined but the hash not actually available thanks to OpenSSL.
-        f()
+        # defined but the hash not actually available.  Don't fall back to
+        # builtin if the current security policy blocks a digest, bpo#40695.
+        f(usedforsecurity=False)
        # Use the C function directly (very fast)
        return f
    except (AttributeError, ValueError):
--- a/Misc/NEWS.d/next/Library/2020-05-20-13-03-28.bpo-40695.lr4aIS.rst
+++ b/Misc/NEWS.d/next/Library/2020-05-20-13-03-28.bpo-40695.lr4aIS.rst
@ -0,0 +1,3 @@
+:mod:`hashlib` no longer falls back to builtin hash implementations when
+OpenSSL provides a hash digest and the algorithm is blocked by security
+policy.