bpo-40695: Limit hashlib builtin hash fallback (GH-20259)

miss-islington · tiran · web-flow · commit 7015823971e7 · 2020-05-25T02:07:35.000-07:00
:mod:`hashlib` no longer falls back to builtin hash implementations when OpenSSL provides a hash digest and the algorithm is blocked by security policy. Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit 4cc2f93) Co-authored-by: Christian Heimes <christian@python.org>
diff --git a/Lib/hashlib.py b/Lib/hashlib.py
@@ -127,8 +127,9 @@ def __get_openssl_constructor(name):
         # SHA3/shake are available in OpenSSL 1.1.1+
         f = getattr(_hashlib, 'openssl_' + name)
         # Allow the C module to raise ValueError.  The function will be
-        # defined but the hash not actually available thanks to OpenSSL.
-        f()
+        # defined but the hash not actually available.  Don't fall back to
+        # builtin if the current security policy blocks a digest, bpo#40695.
+        f(usedforsecurity=False)
         # Use the C function directly (very fast)
         return f
     except (AttributeError, ValueError):
diff --git a/Misc/NEWS.d/next/Library/2020-05-20-13-03-28.bpo-40695.lr4aIS.rst b/Misc/NEWS.d/next/Library/2020-05-20-13-03-28.bpo-40695.lr4aIS.rst
@@ -0,0 +1,3 @@
+:mod:`hashlib` no longer falls back to builtin hash implementations when
+OpenSSL provides a hash digest and the algorithm is blocked by security
+policy.

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+:mod:`hashlib` no longer falls back to builtin hash implementations when
	`2`	`+OpenSSL provides a hash digest and the algorithm is blocked by security`
	`3`	`+policy.`