Skip to content

Commit c504f62

Browse files
authored
gh-136547: fix hashlib_helper for blocking and requesting digests (#136762)
- Fix `hashlib_helper.block_algorithm` where the dummy functions were incorrectly defined. - Rename `hashlib_helper.HashAPI` to `hashlib_helper.HashInfo` and add more helper methods. - Simplify `hashlib_helper.requires_*()` functions. - Rewrite some private helpers in `hashlib_helper`. - Remove `find_{builtin,openssl}_hashdigest_constructor()` as they are no more needed and were not meant to be public in the first place. - Fix some tests in `test_hashlib` when FIPS mode is on.
1 parent cc81b4e commit c504f62

File tree

4 files changed

+579
-310
lines changed

4 files changed

+579
-310
lines changed

Lib/hashlib.py

Lines changed: 15 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -136,12 +136,22 @@ def __get_openssl_constructor(name):
136136
# Prefer our builtin blake2 implementation.
137137
return __get_builtin_constructor(name)
138138
try:
139-
# MD5, SHA1, and SHA2 are in all supported OpenSSL versions
140-
# SHA3/shake are available in OpenSSL 1.1.1+
139+
# Fetch the OpenSSL hash function if it exists,
140+
# independently of the context security policy.
141141
f = getattr(_hashlib, 'openssl_' + name)
142-
# Allow the C module to raise ValueError. The function will be
143-
# defined but the hash not actually available. Don't fall back to
144-
# builtin if the current security policy blocks a digest, bpo#40695.
142+
# Check if the context security policy blocks the digest or not
143+
# by allowing the C module to raise a ValueError. The function
144+
# will be defined but the hash will not be available at runtime.
145+
#
146+
# We use "usedforsecurity=False" to prevent falling back to the
147+
# built-in function in case the security policy does not allow it.
148+
#
149+
# Note that this only affects the explicit named constructors,
150+
# and not the algorithms exposed through hashlib.new() which
151+
# can still be resolved to a built-in function even if the
152+
# current security policy does not allow it.
153+
#
154+
# See https://github.com/python/cpython/issues/84872.
145155
f(usedforsecurity=False)
146156
# Use the C function directly (very fast)
147157
return f

0 commit comments

Comments
 (0)