Commit c1475eb

bpo-40479: Fix hashlib issue with OpenSSL 3.0.0

OpenSSL 3.0.0-alpha2 was released today. The FIPS_mode() function has been deprecated and removed. It no longer makes sense with the new provider and context system in OpenSSL 3.0.0.

EVP_default_properties_is_fips_enabled() is good enough for our needs in unit tests. It's an internal API, too.

Signed-off-by: Christian Heimes <christian@python.org>

1 parent 6e57237 commit c1475eb

3 files changed

+18
-8
lines changed

Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
The :mod:`hashlib` now compiles with OpenSSL 3.0.0-alpha2.
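
Review bot: The NEWS line added here reads "The :mod:`hashlib` now compiles", which is missing its noun; "The :mod:`hashlib` module now compiles with OpenSSL 3.0.0-alpha2." reads correctly. The entry also only mentions compilation, while the same commit changes what `_hashlib.get_fips_mode` reports on OpenSSL 3.0.0 (the docstring in Modules/_hashopenssl.c calls it "not quite the same as FIPS_mode()"), so consider stating that behaviour change here as well.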

Modules/_hashopenssl.c

Lines changed: 11 additions & 4 deletions
@@ -1109,19 +1109,25 @@ _hashlib.get_fips_mode -> int
11091109
11101110
Determine the OpenSSL FIPS mode of operation.
11111111
1112+
For OpenSSL 3.0.0 and newer it returns the state of the default provider
1113+
in the default OSSL context. It's not quite the same as FIPS_mode() but good
1114+
enough for unittests.
1115+
11121116
Effectively any non-zero return value indicates FIPS mode;
11131117
values other than 1 may have additional significance.
1114-
1115-
See OpenSSL documentation for the FIPS_mode() function for details.
11161118
[clinic start generated code]*/
11171119

11181120
static int
11191121
_hashlib_get_fips_mode_impl(PyObject *module)
1120-
/*[clinic end generated code: output=87eece1bab4d3fa9 input=c2799c3132a36d6c]*/
1122+
/*[clinic end generated code: output=87eece1bab4d3fa9 input=2db61538c41c6fef]*/
11211123

11221124
{
1125+
int result;
1126+
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
1127+
result = EVP_default_properties_is_fips_enabled(NULL);
1128+
#else
11231129
ERR_clear_error();
1124-
int result = FIPS_mode();
1130+
result = FIPS_mode();
11251131
if (result == 0) {
11261132
// "If the library was built without support of the FIPS Object Module,
11271133
// then the function will return 0 with an error code of
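
Review bot: The added docstring lines say the 3.0.0 result is "the state of the default provider in the default OSSL context", but the call in the body is `EVP_default_properties_is_fips_enabled(NULL)`, which reports whether the default property query of the default library context has FIPS enabled, not whether any provider is loaded or active. Please word the docstring to match, because a caller reading a non-zero value as "the FIPS module is in use" would be drawing more from it than the call provides. Two related points in the same docstring: the retained sentence "values other than 1 may have additional significance" should be scoped to the pre-3.0.0 branch, and the removed pointer to the FIPS_mode() documentation still applies to that branch, which continues to call `FIPS_mode()`.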
@@ -1134,6 +1140,7 @@ _hashlib_get_fips_mode_impl(PyObject *module)
11341140
}
11351141
}
11361142
return result;
1143+
#endif
11371144
}
11381145
#endif // !LIBRESSL_VERSION_NUMBER
11391146
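
Review bot: The `#endif` added after `return result;` closes the `#else` opened in the previous hunk, so `return result;` is compiled only for OpenSSL older than 3.0.0. On the `OPENSSL_VERSION_NUMBER >= 0x30000000L` path the function assigns `result` and then reaches the closing brace of a function declared `static int` without returning a value, which is undefined behaviour once the caller uses the result. Move the `#endif` above `return result;` so both branches share the return, leaving the `if (result == 0)` error check inside the `#else` branch where `ERR_clear_error()` has been called first.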

Modules/clinic/_hashopenssl.c.h

Lines changed: 6 additions & 4 deletions
Some generated files are not rendered by default.
