Skip to content

bpo-44048: Fix two hashlib test cases under FIPS mode #26470

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 4, 2021
Merged

bpo-44048: Fix two hashlib test cases under FIPS mode #26470

merged 1 commit into from
Jun 4, 2021

Conversation

stratakis
Copy link
Contributor

@stratakis stratakis commented May 31, 2021
edited by bedevere-bot
Loading

test_disallow_instantiation and test_readonly_types try to test all the available
digests, however under FIPS mode, while the algorithms are available, trying to use
them will fail with a ValueError.

https://bugs.python.org/issue44048

@stratakis
bpo-44048: Fix two hashlib test cases under FIPS mode
b116ed3 
test_disallow_instantiation and test_readonly_types try to test all the available
digests, however under FIPS mode, while the algorithms are available, trying to use
them will fail with a ValueError.
@stratakis stratakis requested a review from tiran as a code owner May 31, 2021 16:11
@bedevere-bot bedevere-bot added awaiting review tests Tests in the Lib/test dir labels May 31, 2021
@stratakis
Copy link
Contributor Author

news entry is not required as this is a tests only fix.

erlend-aasland
erlend-aasland reviewed May 31, 2021
View reviewed changes
Lib/test/test_hashlib.py
# In FIPS mode some algorithms are not available raising ValueError
try:
h = constructor()
except ValueError:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe check that the error message contains "unsupported hash type" as well? Ditto for the other test.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The ValueError would be in this case: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS

However this is specific to OpenSSL in RHEL7 and RHEL8 under FIPS mode. I am not entirely sure what other linux distros would be showing with their downstream FIPS patches (although from the 3.0.0 version of OpenSSL, FIPS compatibility is native so it could be more standardized).

@stratakis stratakis mentioned this pull request Jun 3, 2021
Merged
@pablogsal pablogsal merged commit a46c220 into python:main Jun 4, 2021
@pablogsal
Copy link
Member

@stratakis does this need backport?

@pablogsal pablogsal added the needs backport to 3.10 only security fixes label Jun 4, 2021
@miss-islington
Copy link
Contributor

Thanks @stratakis for the PR, and @pablogsal for merging it 🌮🎉.. I'm working now to backport this PR to: 3.10.
🐍🍒⛏🤖

@bedevere-bot
Copy link

GH-26531 is a backport of this pull request to the 3.10 branch.

@bedevere-bot bedevere-bot removed the needs backport to 3.10 only security fixes label Jun 4, 2021
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Jun 4, 2021
@stratakis @miss-islington
bpo-44048: Fix two hashlib test cases under FIPS mode (pythonGH-26470)
fb8f677 
test_disallow_instantiation and test_readonly_types try to test all the available
digests, however under FIPS mode, while the algorithms are available, trying to use
them will fail with a ValueError.
(cherry picked from commit a46c220)

Co-authored-by: stratakis <[email protected]>
pablogsal pushed a commit that referenced this pull request Jun 4, 2021
@miss-islington @stratakis
bpo-44048: Fix two hashlib test cases under FIPS mode (GH-26470) (GH-…
3f4d801 
…26531)

test_disallow_instantiation and test_readonly_types try to test all the available
digests, however under FIPS mode, while the algorithms are available, trying to use
them will fail with a ValueError.
(cherry picked from commit a46c220)

Co-authored-by: stratakis <[email protected]>

Co-authored-by: stratakis <[email protected]>
@stratakis stratakis deleted the fips_tests branch June 8, 2021 16:19
@stratakis
Copy link
Contributor Author

Thanks for merging it Pablo. The issue was from 3.10 and onwards and it's now resolved.

@pablogsal pablogsal mentioned this pull request Jul 18, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@erlend-aasland erlend-aasland erlend-aasland approved these changes

@pablogsal pablogsal pablogsal approved these changes

@tiran tiran Awaiting requested review from tiran tiran is a code owner

Assignees
No one assigned
Labels
skip news tests Tests in the Lib/test dir
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@stratakis @pablogsal @miss-islington @bedevere-bot @erlend-aasland @the-knights-who-say-ni