[3.10] gh-118224: Load default OpenSSL provider for nonsecurity algor…
…ithms

When OpenSSL is configured to load only the "base+fips" providers into the
Null library context, md5 might not be available at all. In such cases
CPython currently falls back to its internal hashlib implementation if
there is one - as there might not be if one compiles Python with
--with-builtin-hashlib-hashes=blake2. With this change, loading the "default"
provider is attempted in order to access nonsecurity hashes.
xnox committed Apr 24, 2024
commit 1c1e963118bf28c86c72c6bb36fe500a372b4d0b
14 changes: 14 additions & 0 deletions Modules/_hashopenssl.c
Expand Up @@ -51,6 +51,7 @@
#define PY_OPENSSL_HAS_BLAKE2 1

#if OPENSSL_VERSION_NUMBER >= 0x30000000L
#include <openssl/provider.h>
#define PY_EVP_MD EVP_MD
#define PY_EVP_MD_fetch(algorithm, properties) EVP_MD_fetch(NULL, algorithm, properties)
#define PY_EVP_MD_up_ref(md) EVP_MD_up_ref(md)
Expand Down Expand Up @@ -217,6 +218,17 @@ typedef struct {
_Py_hashtable_t *hashtable;
} _hashlibstate;

static void try_load_default_provider(void) {
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
/* Load the default config file, and expected providers */
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
if (!OSSL_PROVIDER_available(NULL, "default")) {
/* System is configured without the default provider */
OSSL_PROVIDER_load(NULL, "default");
}
#endif
}

static inline _hashlibstate*
get_hashlib_state(PyObject *module)
{
Expand Down Expand Up @@ -338,6 +350,7 @@ py_digest_by_name(PyObject *module, const char *name, enum Py_hash_type py_ht)
break;
case Py_ht_evp_nosecurity:
if (entry->evp_nosecurity == NULL) {
try_load_default_provider();
entry->evp_nosecurity = PY_EVP_MD_fetch(entry->ossl_name, "-fips");
}
digest = entry->evp_nosecurity;
Expand All @@ -355,6 +368,7 @@ py_digest_by_name(PyObject *module, const char *name, enum Py_hash_type py_ht)
digest = PY_EVP_MD_fetch(name, NULL);
break;
case Py_ht_evp_nosecurity:
try_load_default_provider();
digest = PY_EVP_MD_fetch(name, "-fips");
break;
}
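Review bot: `try_load_default_provider()` loads the "default" provider into the global library context (`OSSL_PROVIDER_load(NULL, "default")`), so the first `Py_ht_evp_nosecurity` lookup changes provider availability for every user of that context in the process, not only for this fetch. On a host deliberately configured with only base+fips, whether later fetches made without an explicit property query can then resolve to non-FIPS implementations depends on the configured default properties, which this code does not check. Loading the provider into a private `OSSL_LIB_CTX` that is used only for the `"-fips"` fetches would keep the effect local, as sketched below; the sketch assumes callers are serialised (for example by the GIL), which the hunks do not show. The return values of `OPENSSL_init_crypto()` and `OSSL_PROVIDER_load()` are also ignored, so a failed load can leave entries on the OpenSSL error queue for an unrelated later call to report. Both call sites are in `py_digest_by_name`, whose body extends outside the visible hunks.

```c
/* Private context: the "default" provider is loaded here only, so the
   global (NULL) context keeps exactly the providers the system configured. */
static OSSL_LIB_CTX *nosecurity_libctx = NULL;

/* Returns NULL on failure; EVP_MD_fetch() then uses the global context. */
static OSSL_LIB_CTX *
get_nosecurity_libctx(void)
{
    if (nosecurity_libctx == NULL) {
        OSSL_LIB_CTX *ctx = OSSL_LIB_CTX_new();
        if (ctx != NULL && OSSL_PROVIDER_load(ctx, "default") == NULL) {
            OSSL_LIB_CTX_free(ctx);
            ctx = NULL;
        }
        if (ctx == NULL) {
            /* Do not leave a stale error for a later, unrelated call. */
            ERR_clear_error();
        }
        nosecurity_libctx = ctx;
    }
    return nosecurity_libctx;
}

/* … unchanged: py_digest_by_name up to the Py_ht_evp_nosecurity cases … */
/* OpenSSL >= 3.0 only; older builds keep the existing PY_EVP_MD_fetch call. */
            digest = EVP_MD_fetch(get_nosecurity_libctx(), name, "-fips");
```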