Skip to content

bpo-44048: Fix two hashlib test cases under FIPS mode#26470

Merged
pablogsal merged 1 commit intopython:mainfrom
stratakis:fips_tests
Jun 4, 2021
Merged

bpo-44048: Fix two hashlib test cases under FIPS mode#26470
pablogsal merged 1 commit intopython:mainfrom
stratakis:fips_tests

Conversation

@stratakis
Copy link
Copy Markdown
Contributor

@stratakis stratakis commented May 31, 2021
edited by bedevere-bot
Loading

test_disallow_instantiation and test_readonly_types try to test all the available
digests, however under FIPS mode, while the algorithms are available, trying to use
them will fail with a ValueError.

https://bugs.python.org/issue44048

@stratakis
bpo-44048: Fix two hashlib test cases under FIPS mode
b116ed3 
test_disallow_instantiation and test_readonly_types try to test all the available
digests, however under FIPS mode, while the algorithms are available, trying to use
them will fail with a ValueError.
@stratakis stratakis requested a review from tiran as a code owner May 31, 2021 16:11
@bedevere-bot bedevere-bot added awaiting review tests Tests in the Lib/test dir labels May 31, 2021
@stratakis
Copy link
Copy Markdown
Contributor Author

stratakis commented May 31, 2021

news entry is not required as this is a tests only fix.

erlend-aasland
erlend-aasland reviewed May 31, 2021
View reviewed changes
Lib/test/test_hashlib.py
# In FIPS mode some algorithms are not available raising ValueError
try:
h = constructor()
except ValueError:
Copy link
Copy Markdown
Contributor

@erlend-aasland erlend-aasland May 31, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe check that the error message contains "unsupported hash type" as well? Ditto for the other test.

Copy link
Copy Markdown
Contributor Author

@stratakis stratakis May 31, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The ValueError would be in this case: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS

However this is specific to OpenSSL in RHEL7 and RHEL8 under FIPS mode. I am not entirely sure what other linux distros would be showing with their downstream FIPS patches (although from the 3.0.0 version of OpenSSL, FIPS compatibility is native so it could be more standardized).

@stratakis stratakis mentioned this pull request Jun 3, 2021
Merged
@pablogsal pablogsal merged commit a46c220 into python:main Jun 4, 2021
@pablogsal
Copy link
Copy Markdown
Member

pablogsal commented Jun 4, 2021

@stratakis does this need backport?

@pablogsal pablogsal added the needs backport to 3.10 only security fixes label Jun 4, 2021
@miss-islington
Copy link
Copy Markdown
Contributor

miss-islington commented Jun 4, 2021

Thanks @stratakis for the PR, and @pablogsal for merging it 🌮🎉.. I'm working now to backport this PR to: 3.10.
🐍🍒⛏🤖

@bedevere-bot
Copy link
Copy Markdown

bedevere-bot commented Jun 4, 2021

GH-26531 is a backport of this pull request to the 3.10 branch.

@bedevere-bot bedevere-bot removed the needs backport to 3.10 only security fixes label Jun 4, 2021
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Jun 4, 2021
@stratakis @miss-islington
bpo-44048: Fix two hashlib test cases under FIPS mode (pythonGH-26470)
fb8f677 
test_disallow_instantiation and test_readonly_types try to test all the available
digests, however under FIPS mode, while the algorithms are available, trying to use
them will fail with a ValueError.
(cherry picked from commit a46c220)

Co-authored-by: stratakis <cstratak@redhat.com>
pablogsal pushed a commit that referenced this pull request Jun 4, 2021
@miss-islington @stratakis
bpo-44048: Fix two hashlib test cases under FIPS mode (GH-26470) (GH-…
3f4d801 
…26531)

test_disallow_instantiation and test_readonly_types try to test all the available
digests, however under FIPS mode, while the algorithms are available, trying to use
them will fail with a ValueError.
(cherry picked from commit a46c220)

Co-authored-by: stratakis <cstratak@redhat.com>

Co-authored-by: stratakis <cstratak@redhat.com>
@stratakis stratakis deleted the fips_tests branch June 8, 2021 16:19
@stratakis
Copy link
Copy Markdown
Contributor Author

stratakis commented Jun 8, 2021

Thanks for merging it Pablo. The issue was from 3.10 and onwards and it's now resolved.

@pablogsal pablogsal mentioned this pull request Jul 18, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@erlend-aasland erlend-aasland erlend-aasland approved these changes

@pablogsal pablogsal pablogsal approved these changes

@tiran tiran Awaiting requested review from tiran

Assignees

No one assigned

Labels

skip news tests Tests in the Lib/test dir

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@stratakis @pablogsal @miss-islington @bedevere-bot @erlend-aasland @the-knights-who-say-ni