Skip to content

gh-135234: improve _hashlib exceptions when reporting an OpenSSL function failure #135250

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 19 commits into from
Jun 9, 2025
Merged

gh-135234: improve _hashlib exceptions when reporting an OpenSSL function failure #135250

Changes from 1 commit
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
eb3cb2e
add helpers for setting exceptions
picnixz Jun 8, 2025
e242865
refactor `get_openssl_evp_md_by_utf8name` error branches
picnixz Jun 8, 2025
ac6dea4
refactor `HASH.{digest,hexdigest}` computations
picnixz Jun 8, 2025
4bc2808
refactor `_hashlib_HASH_copy_locked` and `locked_HMAC_CTX_copy`
picnixz Jun 8, 2025
14b87df
set remaining exceptions after an OpenSSL failure
picnixz Jun 8, 2025
e5b2ef3
blurb
picnixz Jun 8, 2025
5b41242
wrap OpenSSL context allocators
picnixz Jun 8, 2025
2a8cf55
fix compilation, remove unused functions and update messages
picnixz Jun 8, 2025
ea2ce0e
update wrappers
picnixz Jun 8, 2025
43739c5
align exception messages
picnixz Jun 8, 2025
e226431
context allocators can only set an ERR_R_MALLOC_FAILURE error
picnixz Jun 8, 2025
7201e0a
update exception message for `get_openssl_evp_md_by_utf8name`
picnixz Jun 8, 2025
f8c2aed
refactor logic for mapping NIDs to EVP_MD objects
picnixz Jun 8, 2025
380f5a0
Update Modules/_hashopenssl.c
picnixz Jun 8, 2025
7036df8
remove TODO
picnixz Jun 8, 2025
b7f0947
Merge branch 'refactor/hashlib/evp-nid-interface-134531' into feat/ha…
picnixz Jun 8, 2025
a1066fe
pull main
picnixz Jun 8, 2025
76c7dd2
Merge branch 'main' into feat/hashlib/smart-exceptions-135234
picnixz Jun 8, 2025
35e6d1e
Update Misc/NEWS.d/next/Library/2025-06-08-11-11-07.gh-issue-135234.w…
picnixz Jun 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
set remaining exceptions after an OpenSSL failure
  • Loading branch information
@picnixz
picnixz committed Jun 8, 2025
commit 14b87df1b0f7c63f9555b3e265baf085f11a787c
49 changes: 23 additions & 26 deletions Modules/_hashopenssl.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -439,7 +439,7 @@ notify_ssl_error_occurred_in(const char *funcname)
"error in OpenSSL function: %s", funcname);
}

/* Same as notify_smart_ssl_error_occurred() for failed OpenSSL functions. */
/* Same as notify_ssl_error_occurred() with smart exception types. */
static inline void
notify_smart_ssl_error_occurred_in(const char *funcname)
{
Expand Down Expand Up @@ -609,7 +609,7 @@ new_hash_object(PyTypeObject *type)
retval->ctx = EVP_MD_CTX_new();
if (retval->ctx == NULL) {
Py_DECREF(retval);
PyErr_NoMemory();
notify_smart_ssl_error_occurred_in(Py_STRINGIFY(EVP_MD_CTX_new));
return NULL;
}

Expand All @@ -627,7 +627,7 @@ _hashlib_HASH_hash(HASHobject *self, const void *vp, Py_ssize_t len)
else
process = Py_SAFE_DOWNCAST(len, Py_ssize_t, unsigned int);
if (!EVP_DigestUpdate(self->ctx, (const void*)cp, process)) {
notify_ssl_error_occurred();
notify_ssl_error_occurred_in(Py_STRINGIFY(EVP_DigestUpdate));
return -1;
}
len -= process;
Expand Down Expand Up @@ -681,7 +681,6 @@ _hashlib_HASH_copy_impl(HASHobject *self)

if (_hashlib_HASH_copy_locked(self, newobj->ctx) < 0) {
Py_DECREF(newobj);
notify_ssl_error_occurred();
return NULL;
}
return (PyObject *)newobj;
Expand All @@ -692,7 +691,7 @@ _hashlib_HASH_digest_compute(HASHobject *self, unsigned char *digest)
{
EVP_MD_CTX *ctx = EVP_MD_CTX_new();
if (ctx == NULL) {
notify_ssl_error_occurred_in(Py_STRINGIFY(EVP_MD_CTX_new));
notify_smart_ssl_error_occurred_in(Py_STRINGIFY(EVP_MD_CTX_new));
return -1;
}
if (_hashlib_HASH_copy_locked(self, ctx) < 0) {
Expand Down Expand Up @@ -809,7 +808,7 @@ _hashlib_HASH_get_name(PyObject *op, void *Py_UNUSED(closure))
HASHobject *self = HASHobject_CAST(op);
const EVP_MD *md = EVP_MD_CTX_md(self->ctx);
if (md == NULL) {
notify_ssl_error_occurred();
notify_ssl_error_occurred("missing EVP_MD");
return NULL;
}
return get_openssl_evp_md_name(md);
Expand Down Expand Up @@ -899,7 +898,7 @@ _hashlib_HASHXOF_digest_impl(HASHobject *self, Py_ssize_t length)
temp_ctx = EVP_MD_CTX_new();
if (temp_ctx == NULL) {
Py_DECREF(retval);
PyErr_NoMemory();
notify_smart_ssl_error_occurred_in(Py_STRINGIFY(EVP_MD_CTX_new));
return NULL;
}

Expand All @@ -910,6 +909,7 @@ _hashlib_HASHXOF_digest_impl(HASHobject *self, Py_ssize_t length)
(unsigned char*)PyBytes_AS_STRING(retval),
length))
{
notify_ssl_error_occurred_in(Py_STRINGIFY(EVP_DigestFinalXOF));
goto error;
}

Expand All @@ -919,7 +919,6 @@ _hashlib_HASHXOF_digest_impl(HASHobject *self, Py_ssize_t length)
error:
Py_DECREF(retval);
EVP_MD_CTX_free(temp_ctx);
notify_ssl_error_occurred();
return NULL;
}

Expand Down Expand Up @@ -948,7 +947,7 @@ _hashlib_HASHXOF_hexdigest_impl(HASHobject *self, Py_ssize_t length)
temp_ctx = EVP_MD_CTX_new();
if (temp_ctx == NULL) {
PyMem_Free(digest);
PyErr_NoMemory();
notify_smart_ssl_error_occurred_in(Py_STRINGIFY(EVP_MD_CTX_new));
return NULL;
}

Expand All @@ -957,6 +956,7 @@ _hashlib_HASHXOF_hexdigest_impl(HASHobject *self, Py_ssize_t length)
goto error;
}
if (!EVP_DigestFinalXOF(temp_ctx, digest, length)) {
notify_ssl_error_occurred_in(Py_STRINGIFY(EVP_DigestFinalXOF));
goto error;
}

Expand All @@ -969,7 +969,6 @@ _hashlib_HASHXOF_hexdigest_impl(HASHobject *self, Py_ssize_t length)
error:
PyMem_Free(digest);
EVP_MD_CTX_free(temp_ctx);
notify_ssl_error_occurred();
return NULL;
}

Expand Down Expand Up @@ -1073,7 +1072,7 @@ _hashlib_HASH(PyObject *module, const char *digestname, PyObject *data_obj,

int result = EVP_DigestInit_ex(self->ctx, digest, NULL);
if (!result) {
notify_ssl_error_occurred();
notify_ssl_error_occurred_in(Py_STRINGIFY(EVP_DigestInit_ex));
Py_CLEAR(self);
goto exit;
}
Expand Down Expand Up @@ -1482,7 +1481,7 @@ pbkdf2_hmac_impl(PyObject *module, const char *hash_name,

if (!retval) {
Py_CLEAR(key_obj);
notify_ssl_error_occurred();
notify_ssl_error_occurred_in(Py_STRINGIFY(PKCS5_PBKDF2_HMAC));
goto end;
}

Expand Down Expand Up @@ -1580,7 +1579,7 @@ _hashlib_scrypt_impl(PyObject *module, Py_buffer *password, Py_buffer *salt,

if (!retval) {
Py_CLEAR(key_obj);
notify_ssl_error_occurred();
notify_ssl_error_occurred_in(Py_STRINGIFY(EVP_PBE_scrypt));
return NULL;
}
return key_obj;
Expand Down Expand Up @@ -1637,7 +1636,7 @@ _hashlib_hmac_singleshot_impl(PyObject *module, Py_buffer *key,
PY_EVP_MD_free(evp);

if (result == NULL) {
notify_ssl_error_occurred();
notify_ssl_error_occurred_in(Py_STRINGIFY(HMAC));
return NULL;
}
return PyBytes_FromStringAndSize((const char*)md, md_len);
Expand Down Expand Up @@ -1698,14 +1697,14 @@ _hashlib_hmac_new_impl(PyObject *module, Py_buffer *key, PyObject *msg_obj,
ctx = HMAC_CTX_new();
if (ctx == NULL) {
PY_EVP_MD_free(digest);
PyErr_NoMemory();
notify_smart_ssl_error_occurred_in(Py_STRINGIFY(HMAC_CTX_new));
goto error;
}

r = HMAC_Init_ex(ctx, key->buf, (int)key->len, digest, NULL /* impl */);
PY_EVP_MD_free(digest);
if (r == 0) {
notify_ssl_error_occurred();
notify_ssl_error_occurred_in(Py_STRINGIFY(HMAC_Init_ex));
goto error;
}

Expand Down Expand Up @@ -1791,7 +1790,7 @@ _hmac_update(HMACobject *self, PyObject *obj)
PyBuffer_Release(&view);

if (r == 0) {
notify_ssl_error_occurred();
notify_ssl_error_occurred_in(Py_STRINGIFY(HMAC_Update));
return 0;
}
return 1;
Expand All @@ -1811,7 +1810,8 @@ _hashlib_HMAC_copy_impl(HMACobject *self)

HMAC_CTX *ctx = HMAC_CTX_new();
if (ctx == NULL) {
return PyErr_NoMemory();
notify_smart_ssl_error_occurred_in(Py_STRINGIFY(HMAC_CTX_new));
return NULL;
}
if (locked_HMAC_CTX_copy(ctx, self) < 0) {
HMAC_CTX_free(ctx);
Expand Down Expand Up @@ -1883,7 +1883,7 @@ _hmac_digest(HMACobject *self, unsigned char *buf, unsigned int len)
{
HMAC_CTX *temp_ctx = HMAC_CTX_new();
if (temp_ctx == NULL) {
(void)PyErr_NoMemory();
notify_smart_ssl_error_occurred_in(Py_STRINGIFY(HMAC_CTX_new));
return 0;
}
if (locked_HMAC_CTX_copy(temp_ctx, self) < 0) {
Expand All @@ -1893,7 +1893,7 @@ _hmac_digest(HMACobject *self, unsigned char *buf, unsigned int len)
int r = HMAC_Final(temp_ctx, buf, &len);
HMAC_CTX_free(temp_ctx);
if (r == 0) {
notify_ssl_error_occurred();
notify_ssl_error_occurred_in(Py_STRINGIFY(HMAC_Final));
return 0;
}
return 1;
Expand Down Expand Up @@ -2113,16 +2113,13 @@ _hashlib_get_fips_mode_impl(PyObject *module)
#else
ERR_clear_error();
int result = FIPS_mode();
if (result == 0) {
if (result == 0 && ERR_peek_last_error()) {
// "If the library was built without support of the FIPS Object Module,
// then the function will return 0 with an error code of
// CRYPTO_R_FIPS_MODE_NOT_SUPPORTED (0x0f06d065)."
// But 0 is also a valid result value.
unsigned long errcode = ERR_peek_last_error();
if (errcode) {
notify_ssl_error_occurred();
return -1;
}
notify_ssl_error_occurred();
return -1;
}
return result;
#endif
Expand Down
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy