[Python-checkins] (no subject)

Łukasz Langa webhook-mailer at python.org
Mon Sep 30 03:10:43 EDT 2019 



To: python-checkins at python.org
Subject:
 [3.8] bpo-38270: More fixes for strict crypto policy (GH-16418) (#16437)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

https://github.com/python/cpython/commit/bfca56b3ddb4bb0a98931ebcd1257af2afa9=
b2ae
commit: bfca56b3ddb4bb0a98931ebcd1257af2afa9b2ae
branch: 3.8
author: Christian Heimes <christian at python.org>
committer: =C5=81ukasz Langa <lukasz at langa.pl>
date: 2019-09-30T09:10:38+02:00
summary:

[3.8] bpo-38270: More fixes for strict crypto policy (GH-16418) (#16437)

test_hmac and test_hashlib test built-in hashing implementations and
OpenSSL-based hashing implementations. Add more checks to skip OpenSSL
implementations when a strict crypto policy is active.

Use EVP_DigestInit_ex() instead of EVP_DigestInit() to initialize the
EVP context. The EVP_DigestInit() function clears alls flags and breaks
usedforsecurity flag again.

Signed-off-by: Christian Heimes <christian at python.org>

https://bugs.python.org/issue38270.
(cherry picked from commit 90558158093c0ad893102158fd3c2dd9f864e82e)

Co-authored-by: Christian Heimes <christian at python.org>

files:
M Lib/test/support/__init__.py
M Lib/test/test_hashlib.py
M Lib/test/test_hmac.py
M Modules/_hashopenssl.c

diff --git a/Lib/test/support/__init__.py b/Lib/test/support/__init__.py
index ad69ec94fb82..2ff7640535e9 100644
--- a/Lib/test/support/__init__.py
+++ b/Lib/test/support/__init__.py
@@ -69,6 +69,11 @@
 except ImportError:
     resource =3D None
=20
+try:
+    import _hashlib
+except ImportError:
+    _hashlib =3D None
+
 __all__ =3D [
     # globals
     "PIPE_MAX_SIZE", "verbose", "max_memuse", "use_resources", "failfast",
@@ -86,8 +91,8 @@
     "create_empty_file", "can_symlink", "fs_is_case_insensitive",
     # unittest
     "is_resource_enabled", "requires", "requires_freebsd_version",
-    "requires_linux_version", "requires_mac_ver", "check_syntax_error",
-    "check_syntax_warning",
+    "requires_linux_version", "requires_mac_ver", "requires_hashdigest",
+    "check_syntax_error", "check_syntax_warning",
     "TransientResource", "time_out", "socket_peer_reset", "ioerror_peer_rese=
t",
     "transient_internet", "BasicTestRunner", "run_unittest", "run_doctest",
     "skip_unless_symlink", "requires_gzip", "requires_bz2", "requires_lzma",
@@ -647,12 +652,16 @@ def wrapper(*args, **kw):
     return decorator
=20
=20
-def requires_hashdigest(digestname):
+def requires_hashdigest(digestname, openssl=3DNone):
     """Decorator raising SkipTest if a hashing algorithm is not available
=20
     The hashing algorithm could be missing or blocked by a strict crypto
     policy.
=20
+    If 'openssl' is True, then the decorator checks that OpenSSL provides
+    the algorithm. Otherwise the check falls back to built-in
+    implementations.
+
     ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for =
FIPS
     ValueError: unsupported hash type md4
     """
@@ -660,7 +669,10 @@ def decorator(func):
         @functools.wraps(func)
         def wrapper(*args, **kwargs):
             try:
-                hashlib.new(digestname)
+                if openssl and _hashlib is not None:
+                    _hashlib.new(digestname)
+                else:
+                    hashlib.new(digestname)
             except ValueError:
                 raise unittest.SkipTest(
                     f"hash digest '{digestname}' is not available."
diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
index e7cc6ccdc602..8b53d23ef525 100644
--- a/Lib/test/test_hashlib.py
+++ b/Lib/test/test_hashlib.py
@@ -8,6 +8,7 @@
=20
 import array
 from binascii import unhexlify
+import functools
 import hashlib
 import importlib
 import itertools
@@ -18,6 +19,7 @@
 import warnings
 from test import support
 from test.support import _4G, bigmemtest, import_fresh_module
+from test.support import requires_hashdigest
 from http.client import HTTPException
=20
 # Were we compiled --with-pydebug or with #define Py_DEBUG?
@@ -119,6 +121,7 @@ def _test_algorithm_via_hashlib_new(data=3DNone, _alg=3Da=
lgorithm, **kwargs):
             constructors.add(_test_algorithm_via_hashlib_new)
=20
         _hashlib =3D self._conditional_import_module('_hashlib')
+        self._hashlib =3D _hashlib
         if _hashlib:
             # These two algorithms should always be present when this module
             # is compiled.  If not, something was compiled wrong.
@@ -127,7 +130,13 @@ def _test_algorithm_via_hashlib_new(data=3DNone, _alg=3D=
algorithm, **kwargs):
             for algorithm, constructors in self.constructors_to_test.items():
                 constructor =3D getattr(_hashlib, 'openssl_'+algorithm, None)
                 if constructor:
-                    constructors.add(constructor)
+                    try:
+                        constructor()
+                    except ValueError:
+                        # default constructor blocked by crypto policy
+                        pass
+                    else:
+                        constructors.add(constructor)
=20
         def add_builtin_constructor(name):
             constructor =3D getattr(hashlib, "__get_builtin_constructor")(na=
me)
diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py
index 2c09de8b26fa..1bbf201727d7 100644
--- a/Lib/test/test_hmac.py
+++ b/Lib/test/test_hmac.py
@@ -21,7 +21,7 @@ def wrapper(*args, **kwargs):
=20
 class TestVectorsTestCase(unittest.TestCase):
=20
-    @requires_hashdigest('md5')
+    @requires_hashdigest('md5', openssl=3DTrue)
     def test_md5_vectors(self):
         # Test the HMAC module against test vectors from the RFC.
=20
@@ -79,7 +79,7 @@ def md5test(key, data, digest):
                  b"and Larger Than One Block-Size Data"),
                 "6f630fad67cda0ee1fb1f562db3aa53e")
=20
-    @requires_hashdigest('sha1')
+    @requires_hashdigest('sha1', openssl=3DTrue)
     def test_sha_vectors(self):
         def shatest(key, data, digest):
             h =3D hmac.HMAC(key, data, digestmod=3Dhashlib.sha1)
@@ -272,19 +272,19 @@ def hmactest(key, data, hexdigests):
                                    '134676fb6de0446065c97440fa8c6a58',
                  })
=20
-    @requires_hashdigest('sha224')
+    @requires_hashdigest('sha224', openssl=3DTrue)
     def test_sha224_rfc4231(self):
         self._rfc4231_test_cases(hashlib.sha224, 'sha224', 28, 64)
=20
-    @requires_hashdigest('sha256')
+    @requires_hashdigest('sha256', openssl=3DTrue)
     def test_sha256_rfc4231(self):
         self._rfc4231_test_cases(hashlib.sha256, 'sha256', 32, 64)
=20
-    @requires_hashdigest('sha384')
+    @requires_hashdigest('sha384', openssl=3DTrue)
     def test_sha384_rfc4231(self):
         self._rfc4231_test_cases(hashlib.sha384, 'sha384', 48, 128)
=20
-    @requires_hashdigest('sha512')
+    @requires_hashdigest('sha512', openssl=3DTrue)
     def test_sha512_rfc4231(self):
         self._rfc4231_test_cases(hashlib.sha512, 'sha512', 64, 128)
=20
diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
index 84906a4da4f5..1513e4e35edc 100644
--- a/Modules/_hashopenssl.c
+++ b/Modules/_hashopenssl.c
@@ -556,7 +556,7 @@ EVPnew(const EVP_MD *digest,
     if ((self =3D newEVPobject()) =3D=3D NULL)
         return NULL;
=20
-    if (!EVP_DigestInit(self->ctx, digest)) {
+    if (!EVP_DigestInit_ex(self->ctx, digest, NULL)) {
         _setException(PyExc_ValueError);
         Py_DECREF(self);
         return NULL;

More information about the Python-checkins mailing list