author | Christian Heimes <christian@python.org> | 2020-05-25 10:43:10 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-05-25 01:43:10 -0700 |
commit | 4cc2f9348c6e899b76af811fa3bb6c60de642a28 (patch) | |
tree | cbe9b824f9cd633f2b72f5ffd2809e664c8869ce /Lib/hashlib.py | |
parent | 3f59b55316f4c6ab451997902579aa69020b537c (diff) | |
download | cpython-git-4cc2f9348c6e899b76af811fa3bb6c60de642a28.tar.gz |
bpo-40695: Limit hashlib builtin hash fallback (GH-20259)
:mod:`hashlib` no longer falls back to builtin hash implementations when
OpenSSL provides a hash digest and the algorithm is blocked by security
policy.
Signed-off-by: Christian Heimes <christian@python.org>
Diffstat (limited to 'Lib/hashlib.py')
-rw-r--r-- | Lib/hashlib.py | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/Lib/hashlib.py b/Lib/hashlib.py
index 8d119a4225..1b6e50247c 100644
--- a/Lib/hashlib.py
+++ b/Lib/hashlib.py
@@ -127,8 +127,9 @@ def __get_openssl_constructor(name):
 # SHA3/shake are available in OpenSSL 1.1.1+
 f = getattr(_hashlib, 'openssl_' + name)
 # Allow the C module to raise ValueError. The function will be
- # defined but the hash not actually available thanks to OpenSSL.
- f()
+ # defined but the hash not actually available. Don't fall back to
+ # builtin if the current security policy blocks a digest, bpo#40695.
+ f(usedforsecurity=False)
 # Use the C function directly (very fast)
 return f
 except (AttributeError, ValueError): |
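Review bot: The new comment above `f(usedforsecurity=False)` says what must not happen but not why this argument achieves it, and a reader could mistake the flag for a relaxation of the policy check. I would spell out the mechanism, e.g. `# Probe with usedforsecurity=False so a policy-blocked digest still resolves to the OpenSSL constructor; a later security-context call then raises ValueError instead of silently using the builtin.` That wording assumes the returned `f` defaults to security use when called without arguments, which this hunk does not show and should be confirmed. Callers that previously got a working builtin object under a restrictive policy would, if so, see the error at construction time, outside the `except (AttributeError, ValueError)` shown here. The function starts above the hunk and the `except` body continues below it, so the fallback path itself is not visible.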