bpo-40695: Limit hashlib builtin hash fallback (GH-20259) :mod:`hashlib` no longer falls back to builtin hash implementations when OpenSSL provides a hash digest and the algorithm is blocked by security policy. Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit 4cc2f9348c6e899b76af811fa3bb6c60de642a28) Co-authored-by: Christian Heimes <christian@python.org>

commit: 7015823971e7c0cf41cd7d9d9991ed0abdc2f1f4 [log] [tgz]
author: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Mon May 25 02:07:35 2020 -0700
committer: GitHub <noreply@github.com> Mon May 25 02:07:35 2020 -0700
tree: afd0a144609fce133426749837a26de5e5bcb1e3
parent: 82c274e3ba7d011e93805f1552e90baea1752cf1 [diff] [blame]
diff --git a/Lib/hashlib.py b/Lib/hashlib.py
index 8d119a4..1b6e502 100644
--- a/Lib/hashlib.py
+++ b/Lib/hashlib.py

@@ -127,8 +127,9 @@
         # SHA3/shake are available in OpenSSL 1.1.1+
         f = getattr(_hashlib, 'openssl_' + name)
         # Allow the C module to raise ValueError.  The function will be
-        # defined but the hash not actually available thanks to OpenSSL.
-        f()
+        # defined but the hash not actually available.  Don't fall back to
+        # builtin if the current security policy blocks a digest, bpo#40695.
+        f(usedforsecurity=False)
         # Use the C function directly (very fast)
         return f
     except (AttributeError, ValueError):
commit	7015823971e7c0cf41cd7d9d9991ed0abdc2f1f4	[log] [tgz]
author	Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>	Mon May 25 02:07:35 2020 -0700
committer	GitHub <noreply@github.com>	Mon May 25 02:07:35 2020 -0700
tree	afd0a144609fce133426749837a26de5e5bcb1e3
parent	82c274e3ba7d011e93805f1552e90baea1752cf1 [diff] [blame]