This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: hashlib: OpenSSL hash detection should obey security policy
Type: behavior Stage: resolved
Components: Library (Lib) Versions: Python 3.10, Python 3.9
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: christian.heimes, gregory.p.smith, miss-islington, ned.deily
Priority: normal Keywords: patch

Created on 2020-05-20 08:07 by christian.heimes, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Pull Requests
URL Status Linked Edit
PR 20259 merged christian.heimes, 2020-05-20 11:11
PR 20377 merged miss-islington, 2020-05-25 08:43
Messages (5)
msg369428 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2020-05-20 08:07
The hashlib module prefers hash implementations from OpenSSL. In case OpenSSL is not available or OpenSSL does not provide a hash algorithm, hashlib falls back to builtin implementations for MD5, SHA1, SHA2 family, SHA3/SHAKE family, and Blake2. The __get_openssl_constructor [1] function checks OpenSSL by retrieving the constructor and calling it. The calls fails if OpenSSL doesn't implement the EVP digest.

It also fails when the EVP digest is available but blocked by a security policy. In this case it falls back to the builtin implementation. If the builtin implementation has been removed by the package builder or --with-builtin-hashlib-hashes, then Python considers the hash algorithm as broken.

I propose to change the detection code so that Python uses OpenSSL implementation although it's blocked by the current system policy. 

Current behavior:

$ rpm -qa openssl
$ /configure -C --with-builtin-hashlib-hashes=blake2
$ make -j4
$ ./python
>>> import hashlib
ERROR:root:code for hash md5 was not found.
Traceback (most recent call last):
  File "/root/cpython/Lib/", line 131, in __get_openssl_constructor
ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/root/cpython/Lib/", line 251, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/root/cpython/Lib/", line 135, in __get_openssl_constructor
    return __get_builtin_constructor(name)
  File "/root/cpython/Lib/", line 118, in __get_builtin_constructor
    raise ValueError('unsupported hash type ' + name)
ValueError: unsupported hash type md5
>>> hashlib.md5()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
AttributeError: module 'hashlib' has no attribute 'md5'

Proposed behavior:

$ ./python
>>> import hashlib
>>> hashlib.md5()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS
>>> hashlib.md5(usedforsecurity=False)
<md5 _hashlib.HASH object @ 0x7fb9d44b9b30>

Related issue:

bpo-9216 added the new hash constructor argument "usedforsecurity".
bpo-40637 added a new configure option --with-builtin-hashlib-hashes

msg369861 - (view) Author: miss-islington (miss-islington) Date: 2020-05-25 08:43
New changeset 4cc2f9348c6e899b76af811fa3bb6c60de642a28 by Christian Heimes in branch 'master':
bpo-40695: Limit hashlib builtin hash fallback (GH-20259)
msg369863 - (view) Author: miss-islington (miss-islington) Date: 2020-05-25 09:07
New changeset 7015823971e7c0cf41cd7d9d9991ed0abdc2f1f4 by Miss Islington (bot) in branch '3.9':
bpo-40695: Limit hashlib builtin hash fallback (GH-20259)
msg394167 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2021-05-21 23:01
Is there anything more that needs to be done for this issue?
msg394180 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-05-22 09:17
No, nothing left to do. Thanks for the ping!
Date User Action Args
2022-04-11 14:59:31adminsetgithub: 84872
2021-05-22 09:17:30christian.heimessetstatus: open -> closed
resolution: fixed
messages: + msg394180

stage: patch review -> resolved
2021-05-21 23:01:44ned.deilysetnosy: + ned.deily
messages: + msg394167
2020-05-25 09:07:39miss-islingtonsetmessages: + msg369863
2020-05-25 08:43:24miss-islingtonsetpull_requests: + pull_request19640
2020-05-25 08:43:14miss-islingtonsetnosy: + miss-islington
messages: + msg369861
2020-05-20 11:11:16christian.heimessetkeywords: + patch
stage: patch review
pull_requests: + pull_request19545
2020-05-20 08:07:57christian.heimescreate