author | Christian Heimes <christian@python.org> | 2019-09-27 13:03:53 (GMT) |
---|---|---|
committer | Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> | 2019-09-27 13:03:53 (GMT) |
commit | 90558158093c0ad893102158fd3c2dd9f864e82e (patch) | |
tree | 75085b7aaef52d558894a0ec1bc4a31b6f4ef2a2 /Lib/test/support | |
parent | 5faff977adbe089e1f91a5916ccb2160a22dd292 (diff) | |
bpo-38270: More fixes for strict crypto policy (GH-16418)
test_hmac and test_hashlib test built-in hashing implementations and
OpenSSL-based hashing implementations. Add more checks to skip OpenSSL
implementations when a strict crypto policy is active.
Use EVP_DigestInit_ex() instead of EVP_DigestInit() to initialize the
EVP context. The EVP_DigestInit() function clears all flags and breaks
the usedforsecurity flag again.
Signed-off-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue38270
Diffstat (limited to 'Lib/test/support')
-rw-r--r-- | Lib/test/support/__init__.py | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/Lib/test/support/__init__.py b/Lib/test/support/__init__.py index e401090..d593fc1 100644 --- a/Lib/test/support/__init__.py +++ b/Lib/test/support/__init__.py @@ -69,6 +69,11 @@ try: except ImportError: resource = None +try: + import _hashlib +except ImportError: + _hashlib = None + __all__ = [ # globals "PIPE_MAX_SIZE", "verbose", "max_memuse", "use_resources", "failfast", @@ -86,8 +91,8 @@ __all__ = [ "create_empty_file", "can_symlink", "fs_is_case_insensitive", # unittest "is_resource_enabled", "requires", "requires_freebsd_version", - "requires_linux_version", "requires_mac_ver", "check_syntax_error", - "check_syntax_warning", + "requires_linux_version", "requires_mac_ver", "requires_hashdigest", + "check_syntax_error", "check_syntax_warning", "TransientResource", "time_out", "socket_peer_reset", "ioerror_peer_reset", "transient_internet", "BasicTestRunner", "run_unittest", "run_doctest", "skip_unless_symlink", "requires_gzip", "requires_bz2", "requires_lzma", @@ -649,12 +654,16 @@ def requires_mac_ver(*min_version): return decorator -def requires_hashdigest(digestname): +def requires_hashdigest(digestname, openssl=None, usedforsecurity=True): """Decorator raising SkipTest if a hashing algorithm is not available The hashing algorithm could be missing or blocked by a strict crypto policy. + If 'openssl' is True, then the decorator checks that OpenSSL provides + the algorithm. Otherwise the check falls back to built-in + implementations. The usedforsecurity flag is passed to the constructor. + ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS ValueError: unsupported hash type md4 """ 
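Review bot: The paragraph added to the `requires_hashdigest` docstring says the `usedforsecurity` flag is passed to the constructor, but not what that means for the decorated test. With `usedforsecurity=False` the probe can presumably succeed for a digest that a strict crypto policy blocks (the `disabled for FIPS` case quoted at the end of the docstring), so the test body has to create its own digests with the same flag or it will fail instead of being skipped. I would add one sentence such as `Tests that pass usedforsecurity=False must construct their digests with the same flag.` The function body continues outside this hunk; the probe itself is in the following one.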
@@ -662,7 +671,10 @@ def requires_hashdigest(digestname):
 @functools.wraps(func)
 def wrapper(*args, **kwargs):
 try:
- hashlib.new(digestname)
+ if openssl and _hashlib is not None:
+ _hashlib.new(digestname, usedforsecurity=usedforsecurity)
+ else:
+ hashlib.new(digestname, usedforsecurity=usedforsecurity)
 except ValueError:
 raise unittest.SkipTest(
 f"hash digest '{digestname}' is not available." |
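Review bot: In `wrapper`, the condition `if openssl and _hashlib is not None:` falls through to `hashlib.new()` when the caller asked for `openssl=True` but `_hashlib` could not be imported. A test that needs the OpenSSL implementation is then run against whatever `hashlib` provides rather than being skipped. If that fallback is intended, a comment on the `else:` branch should say so, for example `# no _hashlib: hashlib.new() is the only implementation left to probe`. If it is not, skip explicitly before the `try:` with `if openssl and _hashlib is None: raise unittest.SkipTest("OpenSSL hashing (_hashlib) is not available.")`. The enclosing decorator starts and ends outside the hunk.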