bpo-38270: Check for hash digest algorithms and avoid MD5 (GH-16382)
Make it easier to run and test Python on systems with restrict crypto policies:
* add requires_hashdigest to test.support to check if a hash digest algorithm is available and working
* avoid MD5 in test_hmac
* replace MD5 with SHA256 in test_tarfile
* mark network tests that require MD5 for MD5-based digest auth or CRAM-MD5
https://bugs.python.org/issue38270
diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
index 7e32cbc..15324a4 100644
--- a/Lib/test/test_tarfile.py
+++ b/Lib/test/test_tarfile.py
@@ -1,7 +1,7 @@
import sys
import os
import io
-from hashlib import md5
+from hashlib import sha256
from contextlib import contextmanager
from random import Random
import pathlib
@@ -11,7 +11,7 @@
import tarfile
from test import support
-from test.support import script_helper
+from test.support import script_helper, requires_hashdigest
# Check for our compression modules.
try:
@@ -27,8 +27,8 @@
except ImportError:
lzma = None
-def md5sum(data):
- return md5(data).hexdigest()
+def sha256sum(data):
+ return sha256(data).hexdigest()
TEMPDIR = os.path.abspath(support.TESTFN) + "-tardir"
tarextdir = TEMPDIR + '-extract-test'
@@ -39,8 +39,12 @@
tmpname = os.path.join(TEMPDIR, "tmp.tar")
dotlessname = os.path.join(TEMPDIR, "testtar")
-md5_regtype = "65f477c818ad9e15f7feab0c6d37742f"
-md5_sparse = "a54fbc4ca4f4399a90e1b27164012fc6"
+sha256_regtype = (
+ "e09e4bc8b3c9d9177e77256353b36c159f5f040531bbd4b024a8f9b9196c71ce"
+)
+sha256_sparse = (
+ "4f05a776071146756345ceee937b33fc5644f5a96b9780d1c7d6a32cdf164d7b"
+)
class TarTest:
@@ -95,7 +99,7 @@
data = fobj.read()
self.assertEqual(len(data), tarinfo.size,
"regular file extraction failed")
- self.assertEqual(md5sum(data), md5_regtype,
+ self.assertEqual(sha256sum(data), sha256_regtype,
"regular file extraction failed")
def test_fileobj_readlines(self):
@@ -178,7 +182,7 @@
with self.tar.extractfile("ustar/regtype") as fobj:
fobj = io.TextIOWrapper(fobj)
data = fobj.read().encode("iso8859-1")
- self.assertEqual(md5sum(data), md5_regtype)
+ self.assertEqual(sha256sum(data), sha256_regtype)
try:
fobj.seek(100)
except AttributeError:
@@ -543,13 +547,13 @@
self.addCleanup(support.unlink, os.path.join(TEMPDIR, "ustar/lnktype"))
with open(os.path.join(TEMPDIR, "ustar/lnktype"), "rb") as f:
data = f.read()
- self.assertEqual(md5sum(data), md5_regtype)
+ self.assertEqual(sha256sum(data), sha256_regtype)
tar.extract("ustar/symtype", TEMPDIR)
self.addCleanup(support.unlink, os.path.join(TEMPDIR, "ustar/symtype"))
with open(os.path.join(TEMPDIR, "ustar/symtype"), "rb") as f:
data = f.read()
- self.assertEqual(md5sum(data), md5_regtype)
+ self.assertEqual(sha256sum(data), sha256_regtype)
def test_extractall(self):
# Test if extractall() correctly restores directory permissions
@@ -684,7 +688,7 @@
data = fobj.read()
self.assertEqual(len(data), tarinfo.size,
"regular file extraction failed")
- self.assertEqual(md5sum(data), md5_regtype,
+ self.assertEqual(sha256sum(data), sha256_regtype,
"regular file extraction failed")
def test_provoke_stream_error(self):
@@ -796,8 +800,8 @@
def _test_member(self, tarinfo, chksum=None, **kwargs):
if chksum is not None:
with self.tar.extractfile(tarinfo) as f:
- self.assertEqual(md5sum(f.read()), chksum,
- "wrong md5sum for %s" % tarinfo.name)
+ self.assertEqual(sha256sum(f.read()), chksum,
+ "wrong sha256sum for %s" % tarinfo.name)
kwargs["mtime"] = 0o7606136617
kwargs["uid"] = 1000
@@ -812,11 +816,11 @@
def test_find_regtype(self):
tarinfo = self.tar.getmember("ustar/regtype")
- self._test_member(tarinfo, size=7011, chksum=md5_regtype)
+ self._test_member(tarinfo, size=7011, chksum=sha256_regtype)
def test_find_conttype(self):
tarinfo = self.tar.getmember("ustar/conttype")
- self._test_member(tarinfo, size=7011, chksum=md5_regtype)
+ self._test_member(tarinfo, size=7011, chksum=sha256_regtype)
def test_find_dirtype(self):
tarinfo = self.tar.getmember("ustar/dirtype")
@@ -848,28 +852,28 @@
def test_find_sparse(self):
tarinfo = self.tar.getmember("ustar/sparse")
- self._test_member(tarinfo, size=86016, chksum=md5_sparse)
+ self._test_member(tarinfo, size=86016, chksum=sha256_sparse)
def test_find_gnusparse(self):
tarinfo = self.tar.getmember("gnu/sparse")
- self._test_member(tarinfo, size=86016, chksum=md5_sparse)
+ self._test_member(tarinfo, size=86016, chksum=sha256_sparse)
def test_find_gnusparse_00(self):
tarinfo = self.tar.getmember("gnu/sparse-0.0")
- self._test_member(tarinfo, size=86016, chksum=md5_sparse)
+ self._test_member(tarinfo, size=86016, chksum=sha256_sparse)
def test_find_gnusparse_01(self):
tarinfo = self.tar.getmember("gnu/sparse-0.1")
- self._test_member(tarinfo, size=86016, chksum=md5_sparse)
+ self._test_member(tarinfo, size=86016, chksum=sha256_sparse)
def test_find_gnusparse_10(self):
tarinfo = self.tar.getmember("gnu/sparse-1.0")
- self._test_member(tarinfo, size=86016, chksum=md5_sparse)
+ self._test_member(tarinfo, size=86016, chksum=sha256_sparse)
def test_find_umlauts(self):
tarinfo = self.tar.getmember("ustar/umlauts-"
"\xc4\xd6\xdc\xe4\xf6\xfc\xdf")
- self._test_member(tarinfo, size=7011, chksum=md5_regtype)
+ self._test_member(tarinfo, size=7011, chksum=sha256_regtype)
def test_find_ustar_longname(self):
name = "ustar/" + "12345/" * 39 + "1234567/longname"
@@ -877,7 +881,7 @@
def test_find_regtype_oldv7(self):
tarinfo = self.tar.getmember("misc/regtype-old-v7")
- self._test_member(tarinfo, size=7011, chksum=md5_regtype)
+ self._test_member(tarinfo, size=7011, chksum=sha256_regtype)
def test_find_pax_umlauts(self):
self.tar.close()
@@ -885,7 +889,7 @@
encoding="iso8859-1")
tarinfo = self.tar.getmember("pax/umlauts-"
"\xc4\xd6\xdc\xe4\xf6\xfc\xdf")
- self._test_member(tarinfo, size=7011, chksum=md5_regtype)
+ self._test_member(tarinfo, size=7011, chksum=sha256_regtype)
class LongnameTest:
@@ -947,8 +951,8 @@
filename = os.path.join(TEMPDIR, name)
with open(filename, "rb") as fobj:
data = fobj.read()
- self.assertEqual(md5sum(data), md5_sparse,
- "wrong md5sum for %s" % name)
+ self.assertEqual(sha256sum(data), sha256_sparse,
+ "wrong sha256sum for %s" % name)
if self._fs_supports_holes():
s = os.stat(filename)
@@ -2443,7 +2447,7 @@
self.tar.extract(name, TEMPDIR)
with open(os.path.join(TEMPDIR, name), "rb") as f:
data = f.read()
- self.assertEqual(md5sum(data), md5_regtype)
+ self.assertEqual(sha256sum(data), sha256_regtype)
# See issues #1578269, #8879, and #17689 for some history on these skips
@unittest.skipIf(hasattr(os.path, "islink"),