gh-118224: Load default OpenSSL provider for nonsecurity algorithms#118236
Uh oh!
There was an error while loading. Please reload this page.
Conversation
…thms When OpenSSL is configured to only load "base+fips" providers into the Null library context, md5 might not be available at all. In such cases currently CPython fallsback to internal hashlib implementation is there is one - as there might not be if one compiles python with --with-builtin-hashlib-hashes=blake2. With this change "default" provider is attempted to be loaded to access nonsecurity hashes.
All commit authors signed the Contributor License Agreement. |
Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool. If this change has little impact on Python users, wait for a maintainer to apply the |
GH-118238 is a backport of this pull request to the 3.12 branch. |
GH-118239 is a backport of this pull request to the 3.11 branch. |
GH-118240 is a backport of this pull request to the 3.10 branch. |
GH-118264 is a backport of this pull request to the 3.9 branch. |
nineteendo commented Apr 25, 2024
Could you also configure pre-commit? https://devguide.python.org/getting-started/setup-building/#install-pre-commit |
xnox commented May 7, 2024
@nineteendo is there something in particular that you have noticed that pre-commit should have caught? I have now setup pre-commit, redid the commits and the checks executed and resulted in exactly the same commit, without any diff / warnings / comments. Is my .c code style incorrect and pre-commit not catching it? |
nineteendo commented May 7, 2024
This workflow failed: https://github.com/python/cpython/actions/runs/8823736225/job/24224829127#step:4:142 |
yes, after the initial blurb-it there was comment about single ticks; which i replaced with double backticks and rewrote all commits in all branches/backports. Is double-backticks appropriate formatting for the NEWS entry as currently seen on https://github.com/python/cpython/pull/118236/files ? ps. maybe the blurb-it service needs pre-commit checking / checks for single backticks. |
xnox commented May 7, 2024
note, the up to date re-runs of actions are all passing on this pull request. |
nineteendo commented May 7, 2024
Did you do a rebase or delete the old branch? Because I can't find that commit.
Looks like it, '``--[^\`]+``' is used 294 times, and '``--[^\`]+=[^\`]+``' 25 times.
Yeah, I was thinking that too. |
xnox commented May 7, 2024
rebase, all commits are documented in this PR. If you use web-ui or extensive API, you can see these mentions:
You can click on those commits to still see them dangling and not part of any branch or pull request. 7a5adff was the blurb-it service generated entry. a47a53f is the current state of this pull request, which was fixed-up with double backticks. |
xnox commented Nov 26, 2024
a better design is available in: |
2 participants
When OpenSSL is configured to only load "base+fips" providers into the Null library context, md5 might not be available at all. In such cases currently CPython fallsback to internal hashlib implementation is there is one - as there might not be if one compiles python with --with-builtin-hashlib-hashes=blake2. With this change "default" provider is attempted to be loaded to access nonsecurity hashes.
It is FedRAMP/FIPS compliance by-pass. This issue may allow using md5 without specifying "usedforsecurity=False" on systems otherwise configured to be in FIPS-mode only. And is the primary reason why documentation mentions that certain distributions of python remove md5 module altogether.