Tests: Avoid MD5 or check for MD5 availability #82451

Closed
tiran opened this issue Sep 25, 2019 · 11 comments
Assignees
Labels
3.7 (EOL) end of life 3.8 only security fixes 3.9 only security fixes pending The issue will be closed if no feedback is provided performance Performance or resource usage tests Tests in the Lib/test dir

Comments

@tiran
Member

tiran commented Sep 25, 2019

BPO 38270
Nosy @vstinner, @tiran, @ned-deily, @encukou, @ambv, @stratakis, @miss-islington
PRs
  • bpo-38270: Check for hash digest algorithms and avoid MD5 #16382
  • [3.8] bpo-38270: Check for hash digest algorithms and avoid MD5 (GH-16382) #16393
  • bpo-38270: More fixes for strict crypto policy #16418
  • [3.8] bpo-38270: More fixes for strict crypto policy (GH-16418) #16437
  • bpo-38270: Fix indentation of test_hmac assertions #17446
  • [3.8] bpo-38270: Fix indentation of test_hmac assertions (GH-17446) #17450
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = 'https://github.com/tiran'
    closed_at = None
    created_at = <Date 2019-09-25.10:09:58.731>
    labels = ['3.8', '3.7', 'tests', '3.9', 'performance']
    title = 'Tests: Avoid MD5 or check for MD5 availablity'
    updated_at = <Date 2019-12-05.16:51:37.334>
    user = 'https://github.com/tiran'

    bugs.python.org fields:

    activity = <Date 2019-12-05.16:51:37.334>
    actor = 'miss-islington'
    assignee = 'christian.heimes'
    closed = False
    closed_date = None
    closer = None
    components = ['Tests']
    creation = <Date 2019-09-25.10:09:58.731>
    creator = 'christian.heimes'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 38270
    keywords = ['patch']
    message_count = 10.0
    messages = ['353162', '353204', '353216', '353358', '353548', '353553', '354497', '357571', '357754', '357866']
    nosy_count = 7.0
    nosy_names = ['vstinner', 'christian.heimes', 'ned.deily', 'petr.viktorin', 'lukasz.langa', 'cstratak', 'miss-islington']
    pr_nums = ['16382', '16393', '16418', '16437', '17446', '17450']
    priority = 'high'
    resolution = None
    stage = 'patch review'
    status = 'open'
    superseder = None
    type = 'resource usage'
    url = 'https://bugs.python.org/issue38270'
    versions = ['Python 3.7', 'Python 3.8', 'Python 3.9']

    @tiran
    Member Author

    tiran commented Sep 25, 2019

    MD5 hash digest algorithm has known security issues and is getting blocked on systems with strict security policies.

    Python uses MD5 in several unittests. These tests should either avoid MD5 and use SHA256 instead, or, where MD5 is really required, check for the availability of MD5 and skip those tests. The latter are network-related tests that check digest auth or CRAM-MD5 auth.

    Avoidable use of MD5:

    • test_hmac tests for default constructor
    • test_tarfile checksum

    Tests that require MD5:

    • test_urllib2_localnet digest auth
    • CRAM-MD5 in test_imaplib, test_poplib, test_smtplib
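One way to apply the check-and-skip approach the comment describes, as an added example that is not CPython's own test helper (the names `hash_available`, `requires_hashdigest` and `outcome_for` are chosen here and are not taken from the project):

```python
import hashlib
import unittest


def hash_available(name):
    """True if hashlib can build ``name`` and produce a digest.

    Under a strict crypto policy (e.g. FIPS mode) constructing "md5" raises
    ValueError, as does an unknown name; both count as "not available".
    """
    try:
        hashlib.new(name, b"probe").hexdigest()
    except ValueError:
        return False
    return True


def requires_hashdigest(name):
    """Decorator: skip visibly (not silently) when ``name`` is blocked."""
    return unittest.skipUnless(
        hash_available(name), f"hash digest {name!r} is not available")


class DigestExamples(unittest.TestCase):
    # CRAM-MD5 / digest-auth style tests genuinely need MD5: guard them.
    @requires_hashdigest("md5")
    def test_md5_digest(self):
        self.assertEqual(hashlib.new("md5", b"abc").hexdigest(),
                         "900150983cd24fb0d6963f7d28e17f72")

    # Incidental use (hmac defaults, tarfile checksums): use SHA-256 instead.
    def test_sha256_digest(self):
        self.assertEqual(hashlib.sha256(b"abc").hexdigest()[:16],
                         "ba7816bf8f01cfea")


def outcome_for(name):
    """Run one guarded test for ``name``: 'skipped', 'passed' or 'failed'."""
    class _Probe(unittest.TestCase):
        @requires_hashdigest(name)
        def test_probe(self):
            self.assertTrue(hashlib.new(name, b"x").digest())

    # Inspecting result.skipped confirms the guard skips rather than letting
    # a test pass with nothing asserted.
    result = unittest.TestResult()
    unittest.defaultTestLoader.loadTestsFromTestCase(_Probe).run(result)
    if result.skipped:
        return "skipped"
    return "passed" if result.wasSuccessful() else "failed"
```

Running `outcome_for` for a blocked or unknown digest name shows the test reported as skipped, which is the visible outcome the issue asks for instead of a failure.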

    @tiran tiran added 3.7 (EOL) end of life 3.8 only security fixes 3.9 only security fixes labels Sep 25, 2019
    @tiran tiran self-assigned this Sep 25, 2019
    @tiran tiran added tests Tests in the Lib/test dir performance Performance or resource usage labels Sep 25, 2019
    @miss-islington
    Contributor

    New changeset c64a1a6 by Miss Islington (bot) (Christian Heimes) in branch 'master':
    bpo-38270: Check for hash digest algorithms and avoid MD5 (GH-16382)
    c64a1a6

    @miss-islington
    Contributor

    New changeset 66cd041 by Miss Islington (bot) in branch '3.8':
    [3.8] bpo-38270: Check for hash digest algorithms and avoid MD5 (GH-16382) (GH-16393)
    66cd041

    @miss-islington
    Contributor

    New changeset 9055815 by Miss Islington (bot) (Christian Heimes) in branch 'master':
    bpo-38270: More fixes for strict crypto policy (GH-16418)
    9055815

    @ambv
    Contributor

    ambv commented Sep 30, 2019

    New changeset bfca56b by Łukasz Langa (Christian Heimes) in branch '3.8':
    [3.8] bpo-38270: More fixes for strict crypto policy (GH-16418) (bpo-16437)
    bfca56b

    @vstinner
    Member

    Can we close the issue?

    @tiran tiran closed this as completed Oct 1, 2019
    @ned-deily
    Member

    It looks like Christian originally requested autobackports to both 3.8 and 3.7 but both failed due to git checkout errors. He then manually restarted the 3.8 backport but it looks like the 3.7 one did not get restarted. Christian, was that intentional or just an oversight? If the latter, you should try the 3.7 backport again.

    @encukou
    Member

    encukou commented Nov 27, 2019

    The change silently disables 2 tests, see comment here:
    66cd041#diff-ba7d7a4a1a0050e1f497b71b5cd50afcR365

    (I think it's better to reopen this bug than to open a new one, so all the fixes are in one place. Do you agree?)

    @encukou encukou reopened this Nov 27, 2019
    @miss-islington
    Contributor

    New changeset 8943318 by Miss Islington (bot) (stratakis) in branch 'master':
    bpo-38270: Fix indentation of test_hmac assertions (GH-17446)
    8943318

    @miss-islington
    Contributor

    New changeset cfdaf92 by Miss Islington (bot) in branch '3.8':
    [3.8] bpo-38270: Fix indentation of test_hmac assertions (GH-17446) (GH-17450)
    cfdaf92

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    @iritkatriel
    Member

    Is there anything left to do here?

    @iritkatriel iritkatriel added the pending The issue will be closed if no feedback is provided label Sep 9, 2022
    @iritkatriel iritkatriel closed this as not planned Won't fix, can't repro, duplicate, stale Sep 27, 2022