Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Commit 16d4e6f

Browse filesBrowse files
tirantiran
authored
bpo-40479: Fix hashlib issue with OpenSSL 3.0.0 (GH-20107)
OpenSSL 3.0.0-alpha2 was released today. The FIPS_mode() function has been deprecated and removed. It no longer makes sense with the new provider and context system in OpenSSL 3.0.0. EVP_default_properties_is_fips_enabled() is good enough for our needs in unit tests. It's an internal API, too. Signed-off-by: Christian Heimes <christian@python.org>
1 parent 6e57237 commit 16d4e6f
Copy full SHA for 16d4e6f

File tree

Expand file treeCollapse file tree

3 files changed

+18
-8
lines changed
Filter options
Expand file treeCollapse file tree

3 files changed

+18
-8
lines changed

‎Misc/NEWS.d/next/Library/2020-05-15-17-38-21.bpo-40479.yamSCh.rst

Copy file name to clipboard
+1Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
The :mod:`hashlib` now compiles with OpenSSL 3.0.0-alpha2.

‎Modules/_hashopenssl.c

Copy file name to clipboardExpand all lines: Modules/_hashopenssl.c
+11-4Lines changed: 11 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1109,19 +1109,25 @@ _hashlib.get_fips_mode -> int
11091109
11101110
Determine the OpenSSL FIPS mode of operation.
11111111
1112+
For OpenSSL 3.0.0 and newer it returns the state of the default provider
1113+
in the default OSSL context. It's not quite the same as FIPS_mode() but good
1114+
enough for unittests.
1115+
11121116
Effectively any non-zero return value indicates FIPS mode;
11131117
values other than 1 may have additional significance.
1114-
1115-
See OpenSSL documentation for the FIPS_mode() function for details.
11161118
[clinic start generated code]*/
11171119

11181120
static int
11191121
_hashlib_get_fips_mode_impl(PyObject *module)
1120-
/*[clinic end generated code: output=87eece1bab4d3fa9 input=c2799c3132a36d6c]*/
1122+
/*[clinic end generated code: output=87eece1bab4d3fa9 input=2db61538c41c6fef]*/
11211123

11221124
{
1125+
int result;
1126+
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
1127+
result = EVP_default_properties_is_fips_enabled(NULL);
1128+
#else
11231129
ERR_clear_error();
1124-
int result = FIPS_mode();
1130+
result = FIPS_mode();
11251131
if (result == 0) {
11261132
// "If the library was built without support of the FIPS Object Module,
11271133
// then the function will return 0 with an error code of
@@ -1134,6 +1140,7 @@ _hashlib_get_fips_mode_impl(PyObject *module)
11341140
}
11351141
}
11361142
return result;
1143+
#endif
11371144
}
11381145
#endif // !LIBRESSL_VERSION_NUMBER
11391146

‎Modules/clinic/_hashopenssl.c.h

Copy file name to clipboardExpand all lines: Modules/clinic/_hashopenssl.c.h
+6-4Lines changed: 6 additions & 4 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.