[3.10] bpo-40479: Fix hashlib's usedforsecurity for OpenSSL 3.0.0 (GH-30455) by miss-islington · Pull Request #30573 · python/cpython

python

@@ -48,12 +48,15 @@ builtin_hashlib = None
try: from _hashlib import HASH, HASHXOF, openssl_md_meth_names from _hashlib import HASH, HASHXOF, openssl_md_meth_names, get_fips_mode except ImportError: HASH = None HASHXOF = None openssl_md_meth_names = frozenset()
def get_fips_mode(): return 0
try: import _blake2 except ImportError: @@ -192,10 +195,7 @@ def hash_constructors(self):
@property def is_fips_mode(self): if hasattr(self._hashlib, "get_fips_mode"): return self._hashlib.get_fips_mode() else: return None return get_fips_mode()
def test_hash_array(self): a = array.array("b", range(10)) @@ -1017,7 +1017,7 @@ def _test_pbkdf2_hmac(self, pbkdf2, supported): self.assertEqual(out, expected, (digest_name, password, salt, rounds))
with self.assertRaisesRegex(ValueError, 'unsupported hash type'): with self.assertRaisesRegex(ValueError, '.*unsupported.*'): pbkdf2('unknown', b'pass', b'salt', 1)
if 'sha1' in supported: @@ -1057,6 +1057,7 @@ def test_pbkdf2_hmac_c(self):
@unittest.skipUnless(hasattr(hashlib, 'scrypt'), ' test requires OpenSSL > 1.1') @unittest.skipIf(get_fips_mode(), reason="scrypt is blocked in FIPS mode") def test_scrypt(self): for password, salt, n, r, p, expected in self.scrypt_test_vectors: result = hashlib.scrypt(password, salt=salt, n=n, r=r, p=p)