bpo-40479: Fix hashlib's usedforsecurity for OpenSSL 3.0.0 (GH-30455)

2025-08-22 09:45:06 +00:00 · 2022-01-13 10:46:38 +02:00 · 2022-01-13 10:46:38 +02:00 · 443b308fee
commit 443b308fee
parent a6ca8eee22
9 changed files with 359 additions and 250 deletions
--- a/Lib/test/test_hashlib.py
+++ b/Lib/test/test_hashlib.py
@ -48,12 +48,15 @@ else:
    builtin_hashlib = None

 try:
-    from _hashlib import HASH, HASHXOF, openssl_md_meth_names
+    from _hashlib import HASH, HASHXOF, openssl_md_meth_names, get_fips_mode
 except ImportError:
    HASH = None
    HASHXOF = None
    openssl_md_meth_names = frozenset()

+    def get_fips_mode():
+        return 0
+
 try:
    import _blake2
 except ImportError:
@ -192,10 +195,7 @@ class HashLibTestCase(unittest.TestCase):

    @property
    def is_fips_mode(self):
-        if hasattr(self._hashlib, "get_fips_mode"):
-            return self._hashlib.get_fips_mode()
-        else:
-            return None
+        return get_fips_mode()

    def test_hash_array(self):
        a = array.array("b", range(10))
@ -1017,7 +1017,7 @@ class KDFTests(unittest.TestCase):
                    self.assertEqual(out, expected,
                                     (digest_name, password, salt, rounds))

-        with self.assertRaisesRegex(ValueError, 'unsupported hash type'):
+        with self.assertRaisesRegex(ValueError, '.*unsupported.*'):
            pbkdf2('unknown', b'pass', b'salt', 1)

        if 'sha1' in supported:
@ -1057,6 +1057,7 @@ class KDFTests(unittest.TestCase):

    @unittest.skipUnless(hasattr(hashlib, 'scrypt'),
                     '   test requires OpenSSL > 1.1')
+    @unittest.skipIf(get_fips_mode(), reason="scrypt is blocked in FIPS mode")
    def test_scrypt(self):
        for password, salt, n, r, p, expected in self.scrypt_test_vectors:
            result = hashlib.scrypt(password, salt=salt, n=n, r=r, p=p)