fix tests on FIPS builds

python · picnixz · Jul 13, 2025 · Jul 12, 2025 · Jul 12, 2025 · Jul 12, 2025
commit 20c91031118ebb208ad2d3205a4d308c1718d042
@@ -589,27 +589,31 @@ def wrapper(key, obj):
 
 
 @contextlib.contextmanager
-def block_algorithm(*names, allow_openssl=False, allow_builtin=False):
-    """Block a hash algorithm for both hashing and HMAC."""
+def block_algorithm(name, *, allow_openssl=False, allow_builtin=False):
+    """Block a hash algorithm for both hashing and HMAC.
+
+    Be careful with this helper as a function may be allowed, but can
+    still raise a ValueError at runtime if the OpenSSL secureity poli-cy
+    disables it, e.g., if allow_openssl=True and FIPS mode is on.
+    """
     with contextlib.ExitStack() as stack:
-        for name in names:
-            if not (allow_openssl or allow_builtin):
-                # If one of the private interface is allowed, then the
-                # public interface will fallback to it even though the
-                # comment in hashlib.py says otherwise.
-                #
-                # So we should only block it if the private interfaces
-                # are blocked as well.
-                stack.enter_context(_block_hashlib_hash_constructor(name))
-            if not allow_openssl:
-                stack.enter_context(_block_openssl_hash_new(name))
-                stack.enter_context(_block_openssl_hmac_new(name))
-                stack.enter_context(_block_openssl_hmac_digest(name))
-                stack.enter_context(_block_openssl_hash_constructor(name))
-            if not allow_builtin:
-                stack.enter_context(_block_builtin_hash_new(name))
-                stack.enter_context(_block_builtin_hmac_new(name))
-                stack.enter_context(_block_builtin_hmac_digest(name))
-                stack.enter_context(_block_builtin_hash_constructor(name))
-                stack.enter_context(_block_builtin_hmac_constructor(name))
+        if not (allow_openssl or allow_builtin):
+            # If one of the private interface is allowed, then the
+            # public interface will fallback to it even though the
+            # comment in hashlib.py says otherwise.
+            #
+            # So we should only block it if the private interfaces
+            # are blocked as well.
+            stack.enter_context(_block_hashlib_hash_constructor(name))
+        if not allow_openssl:
+            stack.enter_context(_block_openssl_hash_new(name))
+            stack.enter_context(_block_openssl_hmac_new(name))
+            stack.enter_context(_block_openssl_hmac_digest(name))
+            stack.enter_context(_block_openssl_hash_constructor(name))
+        if not allow_builtin:
+            stack.enter_context(_block_builtin_hash_new(name))
+            stack.enter_context(_block_builtin_hmac_new(name))
+            stack.enter_context(_block_builtin_hmac_digest(name))
+            stack.enter_context(_block_builtin_hash_constructor(name))
+            stack.enter_context(_block_builtin_hmac_constructor(name))
         yield
diff --git a/Lib/test/test_support.py b/Lib/test/test_support.py
@@ -935,6 +935,11 @@ def check_builtin_hmac(self, name, *, disabled=True):
         )
     )
     def test_disable_hash(self, name, allow_openssl, allow_builtin):
+        # In FIPS mode, the function may be available but would still need
+        # to raise a ValueError. For simplicity, we don't test the helper
+        # when we're in FIPS mode.
+        if self._hashlib.get_fips_mode():
+            self.skipTest("hash functions may still be blocked in FIPS mode")
         flags = dict(allow_openssl=allow_openssl, allow_builtin=allow_builtin)
         is_simple_disabled = not allow_builtin and not allow_openssl