From 143dab2e6611876967ee15fc5fbe16d905b26d89 Mon Sep 17 00:00:00 2001
From: Lumir Balhar
Date: Mon, 28 Feb 2022 13:04:31 +0100
Subject: [PATCH 1/3] Fix detection of FIPS mode for blake2b

Blake2 algorithms are disabled on FIPS mode on OpenSSL level and preferred on Python level which cause the check of API (attributes) to fail sooner than OpenSSL raises ValueError for unavailable function.
---
twine/package.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/twine/package.py b/twine/package.py
index 168f9665..3ca074fe 100644
--- a/twine/package.py
+++ b/twine/package.py
@@ -268,7 +268,7 @@ def __init__(self, filename: str) -> None:
self._blake_hasher = None
try:
self._blake_hasher = hashlib.blake2b(digest_size=256 // 8)
- except ValueError:
+ except (ValueError, TypeError):
# FIPS mode disables blake2
pass

From ed3bcf4e8ab99c001779716667b5f2cf2387de7c Mon Sep 17 00:00:00 2001
From: Brian Rutledge
Date: Mon, 28 Feb 2022 08:42:20 -0500
Subject: [PATCH 2/3] Update test
---
tests/test_package.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/tests/test_package.py b/tests/test_package.py
index 3d2e2799..609c95ea 100644
--- a/tests/test_package.py
+++ b/tests/test_package.py
@@ -307,9 +307,10 @@ def test_fips_hash_manager_md5(monkeypatch):
assert hasher.hexdigest() == hashes
-def test_fips_hash_manager_blake2(monkeypatch):
+@pytest.mark.parametrize("exception_class", [TypeError, ValueError])
+def test_fips_hash_manager_blake2(exception_class, monkeypatch):
"""Generate hexdigest without BLAKE2 when hashlib is using FIPS mode."""
- replaced_blake2b = pretend.raiser(ValueError("fipsmode"))
+ replaced_blake2b = pretend.raiser(exception_class("fipsmode"))
monkeypatch.setattr(package_file.hashlib, "blake2b", replaced_blake2b)
filename = "tests/fixtures/twine-1.5.0-py2.py3-none-any.whl"

From b9a59d5195755db1cc3ea29a61a7ae5129ec1182 Mon Sep 17 00:00:00 2001
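Review bot: The widened `except (ValueError, TypeError):` in `__init__` also swallows a TypeError caused by an ordinary call error (a wrong argument to `hashlib.blake2b`, for example), and because the handler is only `pass`, such a failure would drop the BLAKE2 digest without any trace. The comment under it still reads `# FIPS mode disables blake2` and gives no reason for catching TypeError; going by the commit message, something like `# FIPS mode disables blake2: OpenSSL raises ValueError, but Python's API check can fail first with TypeError` would record why both are expected. If this module has a logger, a debug-level message naming the caught exception would let a reader of the upload log see that a digest was skipped and why. `__init__` begins and continues outside the hunk, so how a `None` hasher is handled later is not visible here.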
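Review bot: Neither parametrized case of `test_fips_hash_manager_blake2` checks that an exception other than ValueError or TypeError raised by `hashlib.blake2b` still propagates, so a later widening of the handler to `except Exception` would pass this test unnoticed. A small sibling test that patches `blake2b` with `pretend.raiser(RuntimeError("boom"))` and wraps the hash-manager construction in `pytest.raises(RuntimeError)` would pin the boundary of the fallback. The docstring could also name both triggers, e.g. `"""Generate hexdigest without BLAKE2 when blake2b raises ValueError or TypeError (FIPS mode)."""`. The test body continues past the last visible line of the hunk, and the new decorator assumes `pytest` is already imported in this file.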
From: Brian Rutledge
Date: Mon, 28 Feb 2022 08:45:08 -0500
Subject: [PATCH 3/3] Add changelog entry
---
changelog/879.bugfix.rst | 1 +
1 file changed, 1 insertion(+)
create mode 100644 changelog/879.bugfix.rst

diff --git a/changelog/879.bugfix.rst b/changelog/879.bugfix.rst
new file mode 100644
index 00000000..d2ebf007
--- /dev/null
+++ b/changelog/879.bugfix.rst
@@ -0,0 +1 @@
+Improve detection of disabled BLAKE2 hashing due to FIPS mode.