mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-12-11 03:20:01 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

gh-136306: fix test_ssl.ContextTests.test_set_groups on FIPS builds (#137405)

Browse source 
X25519 is not a valid curve if OpenSSL is built with FIPS mode,
and ignoring unknown groups in `SSL_CTX_set1_groups_list()`
is only supported since OpenSSL 3.3, so we use two curves that
are known to be FIPS-compliant, namely P-256 and P-384.
This commit is contained in:
Bénédikt Tran 2025-08-05 09:50:34 +02:00 committed by GitHub
parent 001461a292
commit 0af7556b94
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 9 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

11
Lib/test/test_ssl.py
View file

@ -49,6 +49,7 @@ PROTOCOLS = sorted(ssl._PROTOCOL_NAMES)
HOST = socket_helper.HOST HOST = socket_helper.HOST
IS_OPENSSL_3_0_0 = ssl.OPENSSL_VERSION_INFO >= (3, 0, 0) IS_OPENSSL_3_0_0 = ssl.OPENSSL_VERSION_INFO >= (3, 0, 0)
CAN_GET_SELECTED_OPENSSL_GROUP = ssl.OPENSSL_VERSION_INFO >= (3, 2) CAN_GET_SELECTED_OPENSSL_GROUP = ssl.OPENSSL_VERSION_INFO >= (3, 2)
CAN_IGNORE_UNKNOWN_OPENSSL_GROUPS = ssl.OPENSSL_VERSION_INFO >= (3, 3)
CAN_GET_AVAILABLE_OPENSSL_GROUPS = ssl.OPENSSL_VERSION_INFO >= (3, 5) CAN_GET_AVAILABLE_OPENSSL_GROUPS = ssl.OPENSSL_VERSION_INFO >= (3, 5)
PY_SSL_DEFAULT_CIPHERS = sysconfig.get_config_var('PY_SSL_DEFAULT_CIPHERS') PY_SSL_DEFAULT_CIPHERS = sysconfig.get_config_var('PY_SSL_DEFAULT_CIPHERS')
@ -964,8 +965,14 @@ class ContextTests(unittest.TestCase):
def test_set_groups(self): def test_set_groups(self):
ctx = ssl.create_default_context() ctx = ssl.create_default_context()
self.assertIsNone(ctx.set_groups('P-256:X25519')) # We use P-256 and P-384 (FIPS 186-4) that are alloed by OpenSSL
self.assertRaises(ssl.SSLError, ctx.set_groups, 'P-256:xxx') # even if FIPS module is enabled. Ignoring unknown groups is only
# supported since OpenSSL 3.3.
self.assertIsNone(ctx.set_groups('P-256:P-384'))
self.assertRaises(ssl.SSLError, ctx.set_groups, 'P-256:foo')
if CAN_IGNORE_UNKNOWN_OPENSSL_GROUPS:
self.assertIsNone(ctx.set_groups('P-256:?foo'))
@unittest.skipUnless(CAN_GET_AVAILABLE_OPENSSL_GROUPS, @unittest.skipUnless(CAN_GET_AVAILABLE_OPENSSL_GROUPS,
"OpenSSL version doesn't support getting groups") "OpenSSL version doesn't support getting groups")