Skip to content

gh-136547: refactor hashlib_helper for blocking and requesting digests #136762

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 10 commits into
base: main
Choose a base branch
from
Draft

gh-136547: refactor hashlib_helper for blocking and requesting digests #136762

wants to merge 10 commits into from
+545 −295

Conversation

picnixz
Copy link
Member

@picnixz picnixz commented Jul 18, 2025
edited by bedevere-app bot
Loading

I made some mistakes in my previous PR and the design I introduced for requesting hashes could actually be greatly simplified. As those two are tightly coupled, I've decided to do both the fix & refactoring at the same time.

Because of all build possibilities we can have, whether at runtime or not, and because some functions can't be given usedforsecurity, tests easily fail because of the underlying configurations. Default builds where we don't have some FIPS module are easy to test, but when FIPS mode is enabled, it's hard to know what is blocked and what is not.

One really annoying thing is the treatment of BLAKE-2 which always falls back to the built-in implementations. Thus, blocking BLAKE-2 may be quite hard and quite different. Well, if we block BLAKE-2 and we don't have OpenSSL at all, then tests don't pass because hashlib.py can't even be imported. Anywsay, I'm opening a draft for now and I'll continue working on this tomorrow.

@bedevere-app bedevere-app bot mentioned this pull request Jul 18, 2025
Open
picnixz
picnixz commented Jul 18, 2025
View reviewed changes
@picnixz picnixz marked this pull request as ready for review July 19, 2025 17:46
@picnixz picnixz requested review from gpshead and tiran as code owners July 19, 2025 17:46
picnixz
picnixz commented Jul 19, 2025
View reviewed changes
@picnixz picnixz marked this pull request as draft July 19, 2025 17:49
picnixz
picnixz commented Jul 19, 2025
View reviewed changes
Lib/test/support/hashlib_helper.py
# re-import '_hashlib' in case it was mocked
_hashlib = try_import_module("_hashlib")
mod = _hashlib if openssl and _hashlib is not None else hashlib
constructor = partial(mod.new, digestname, **kwargs)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I shouldn't return a partial function with "**kwargs" as it makes it impossible to use otherwise. I should only check if the call will succeed if I were to pass such keywords.

Lib/test/support/hashlib_helper.py
_hashlib = importlib.import_module("_hashlib")
except ImportError as exc:
raise SkipNoHash(digestname, "openssl") from exc
constructor = partial(_hashlib.new, digestname, **kwargs)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ditto.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gpshead gpshead Awaiting requested review from gpshead gpshead is a code owner

@tiran tiran Awaiting requested review from tiran tiran is a code owner

Assignees
No one assigned
Labels
DO-NOT-MERGE skip news
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@picnixz
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy