https://github.com/python/cpython/commit/9be3649f5eccfbda1b3c9c3195927951a9ae9b90
commit: 9be3649f5eccfbda1b3c9c3195927951a9ae9b90
branch: main
author: Bénédikt Tran <[email protected]>
committer: picnixz <[email protected]>
date: 2025-07-12T16:33:07Z
summary:
gh-136591: avoid using deprecated features for OpenSSL 3.0+ (#136592)
Since OpenSSL 3.0, `ERR_func_error_string()` always returns NULL and
`EVP_MD_CTX_get0_md()` should be preferred over `EVP_MD_CTX_md()`.
files:
A Misc/NEWS.d/next/Library/2025-07-12-18-05-37.gh-issue-136591.ujXmSN.rst
M Modules/_hashopenssl.c
diff --git
a/Misc/NEWS.d/next/Library/2025-07-12-18-05-37.gh-issue-136591.ujXmSN.rst
b/Misc/NEWS.d/next/Library/2025-07-12-18-05-37.gh-issue-136591.ujXmSN.rst
new file mode 100644
index 00000000000000..ccd5bf11f0467a
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2025-07-12-18-05-37.gh-issue-136591.ujXmSN.rst
@@ -0,0 +1,3 @@
+:mod:`!_hashlib`: avoid using deprecated functions
+:manpage:`ERR_func_error_string` and :manpage:`EVP_MD_CTX_md` when using
+OpenSSL 3.0 and later. Patch by Bénédikt Tran.
diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
index 90a7391ebb09af..1a6c831e48377b 100644
--- a/Modules/_hashopenssl.c
+++ b/Modules/_hashopenssl.c
@@ -64,11 +64,15 @@
#define PY_EVP_MD_fetch(algorithm, properties) EVP_MD_fetch(NULL, algorithm,
properties)
#define PY_EVP_MD_up_ref(md) EVP_MD_up_ref(md)
#define PY_EVP_MD_free(md) EVP_MD_free(md)
+
+#define PY_EVP_MD_CTX_md(CTX) EVP_MD_CTX_get0_md(CTX)
#else
#define PY_EVP_MD const EVP_MD
#define PY_EVP_MD_fetch(algorithm, properties) EVP_get_digestbyname(algorithm)
#define PY_EVP_MD_up_ref(md) do {} while(0)
#define PY_EVP_MD_free(md) do {} while(0)
+
+#define PY_EVP_MD_CTX_md(CTX) EVP_MD_CTX_md(CTX)
#endif
/* hash alias map and fast lookup
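Review bot: The new `PY_EVP_MD_CTX_md` macro is defined right under `PY_EVP_MD_up_ref`/`PY_EVP_MD_free` with no comment saying that its result is borrowed. That differs from the owned object `PY_EVP_MD_fetch` returns on the OpenSSL 3 side. `EVP_MD_CTX_get0_md()` takes no reference, so the pointer must not be passed to `PY_EVP_MD_free` and must not be used after the context is freed. I would add above both definitions: `/* Borrowed EVP_MD of CTX: do not free, do not use once CTX is freed. */`. The hunk in `_hashlib_HASH_get_name` shows only the NULL check on the result, so whether that caller keeps the pointer within the context's lifetime cannot be confirmed from this diff.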
@@ -308,6 +312,14 @@ class _hashlib.HMAC "HMACobject *" "&PyType_Type"
/* LCOV_EXCL_START */
+/* Thin wrapper around ERR_reason_error_string() returning non-NULL text. */
+static const char *
+py_wrapper_ERR_reason_error_string(unsigned long errcode)
+{
+ const char *reason = ERR_reason_error_string(errcode);
+ return reason ? reason : "no reason";
+}
+
/* Set an exception of given type using the given OpenSSL error code. */
static void
set_ssl_exception_from_errcode(PyObject *exc_type, unsigned long errcode)
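Review bot: The comment on `py_wrapper_ERR_reason_error_string` says what is returned but not why a fallback is needed or what callers may rely on. `ERR_reason_error_string()` returns NULL when no text is registered for the error code, and the next hunk passes the result to a `%s` format in `set_ssl_exception_from_errcode`. I would expand the comment to: `/* ERR_reason_error_string() returns NULL if no text is registered for errcode; substitute a static placeholder so the result is always safe for "%s". The caller must not free it. */`. The comment could also note that in this case the exception text is just "no reason" and the numeric code is lost, which helps anyone triaging such a message.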
@@ -317,8 +329,13 @@ set_ssl_exception_from_errcode(PyObject *exc_type,
unsigned long errcode)
/* ERR_ERROR_STRING(3) ensures that the messages below are ASCII */
const char *lib = ERR_lib_error_string(errcode);
+#ifdef Py_HAS_OPENSSL3_SUPPORT
+ // Since OpenSSL 3.0, ERR_func_error_string() always returns NULL.
+ const char *func = NULL;
+#else
const char *func = ERR_func_error_string(errcode);
- const char *reason = ERR_reason_error_string(errcode);
+#endif
+ const char *reason = py_wrapper_ERR_reason_error_string(errcode);
if (lib && func) {
PyErr_Format(exc_type, "[%s: %s] %s", lib, func, reason);
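Review bot: With `func` fixed to NULL under `Py_HAS_OPENSSL3_SUPPORT`, the `if (lib && func)` test just below can never be true on those builds, and nothing at the branch says so. A reader auditing the exception text will expect the `[%s: %s] %s` form to still appear on OpenSSL 3. Either wrap that branch in `#ifndef Py_HAS_OPENSSL3_SUPPORT` or add a comment at the test, for example `/* unreachable on OpenSSL 3.0+: func is always NULL there */`. The remaining branches of the function are outside the hunk, so I am assuming they handle the lib-only and reason-only cases.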
@@ -838,7 +855,7 @@ static PyObject *
_hashlib_HASH_get_name(PyObject *op, void *Py_UNUSED(closure))
{
HASHobject *self = HASHobject_CAST(op);
- const EVP_MD *md = EVP_MD_CTX_md(self->ctx);
+ const EVP_MD *md = PY_EVP_MD_CTX_md(self->ctx);
if (md == NULL) {
notify_ssl_error_occurred("missing EVP_MD for HASH context");
return NULL;