From c8adf9e6d66d43184db1a3ccd5b37fa534f7323c Mon Sep 17 00:00:00 2001 From: Dimitri John Ledkov Date: Wed, 24 Apr 2024 14:47:10 +0100 Subject: [PATCH 1/2] gh-118224: Load default OpenSSL provider for nonsecurity algorithms When OpenSSL is configured to only load "base+fips" providers into the Null library context, md5 might not be available at all. In such cases currently CPython fallsback to internal hashlib implementation is there is one - as there might not be if one compiles python with --with-builtin-hashlib-hashes=blake2. With this change "default" provider is attempted to be loaded to access nonsecurity hashes. --- Modules/_hashopenssl.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c index d0b46810dc1489..2cc463b279a46f 100644 --- a/Modules/_hashopenssl.c +++ b/Modules/_hashopenssl.c @@ -56,6 +56,7 @@ #endif #if OPENSSL_VERSION_NUMBER >= 0x30000000L +#include #define PY_EVP_MD EVP_MD #define PY_EVP_MD_fetch(algorithm, properties) EVP_MD_fetch(NULL, algorithm, properties) #define PY_EVP_MD_up_ref(md) EVP_MD_up_ref(md) @@ -265,6 +266,17 @@ typedef struct { _Py_hashtable_t *hashtable; } _hashlibstate; +static void try_load_default_provider(void) { +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + /* Load the default config file, and expected providers */ + OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); + if (!OSSL_PROVIDER_available(NULL, "default")) { + /* System is configured without the default provider */ + OSSL_PROVIDER_load(NULL, "default"); + } +#endif +} + static inline _hashlibstate* get_hashlib_state(PyObject *module) { @@ -386,6 +398,7 @@ py_digest_by_name(PyObject *module, const char *name, enum Py_hash_type py_ht) break; case Py_ht_evp_nosecurity: if (entry->evp_nosecurity == NULL) { + try_load_default_provider(); entry->evp_nosecurity = PY_EVP_MD_fetch(entry->ossl_name, "-fips"); } digest = entry->evp_nosecurity; @@ -403,6 +416,7 @@ py_digest_by_name(PyObject *module, const char *name, enum Py_hash_type py_ht) digest = PY_EVP_MD_fetch(name, NULL); break; case Py_ht_evp_nosecurity: + try_load_default_provider(); digest = PY_EVP_MD_fetch(name, "-fips"); break; } From a47a53f1240d0bb9e86e65a6c0d09a81c76520b1 Mon Sep 17 00:00:00 2001 From: Dimitri John Ledkov Date: Wed, 24 Apr 2024 23:28:53 +0100 Subject: [PATCH 2/2] Add blurb --- .../next/Build/2024-04-24-16-58-45.gh-issue-118224.wnjFHn.rst | 1 + 1 file changed, 1 insertion(+) create mode 100644 Misc/NEWS.d/next/Build/2024-04-24-16-58-45.gh-issue-118224.wnjFHn.rst diff --git a/Misc/NEWS.d/next/Build/2024-04-24-16-58-45.gh-issue-118224.wnjFHn.rst b/Misc/NEWS.d/next/Build/2024-04-24-16-58-45.gh-issue-118224.wnjFHn.rst new file mode 100644 index 00000000000000..c63b71ecbafc58 --- /dev/null +++ b/Misc/NEWS.d/next/Build/2024-04-24-16-58-45.gh-issue-118224.wnjFHn.rst @@ -0,0 +1 @@ +Hashlib now supports using default OpenSSL provider instead of builtin fallback for nonsecurity hashes on hosts otherwise only using base and fips providers. This makes build configuration ``--with-builtin-hashlib-hashes=blake2`` fully supported on OpenSSL FIPS hosts.