0.17.0: pytest is failing

[kloczek]

I'm trying to package your module as an rpm package. So I'm using the typical PEP517 based build, install and test cycle used on building packages from non-root account.

• python3 -sBm build -w --no-isolation
• because I'm calling build with --no-isolation I'm using during all processes only locally installed modules
• install .whl file in </install/prefix>
• run pytest with PYTHONPATH pointing to sitearch and sitelib inside </install/prefix>

Here is pytest output:

+ PYTHONPATH=/home/tkloczko/rpmbuild/BUILDROOT/python-ecdsa-0.17.0-5.fc35.x86_64/usr/lib64/python3.8/site-packages:/home/tkloczko/rpmbuild/BUILDROOT/python-ecdsa-0.17.0-5.fc35.x86_64/usr/lib/python3.8/site-packages
+ /usr/bin/pytest -ra
=========================================================================== test session starts ============================================================================
platform linux -- Python 3.8.12, pytest-6.2.5, py-1.11.0, pluggy-1.0.0
rootdir: /home/tkloczko/rpmbuild/BUILD/python-ecdsa-python-ecdsa-0.17.0
plugins: hypothesis-6.36.0
collected 1464 items / 1 error / 1463 selected

================================================================================== ERRORS ==================================================================================
____________________________________________________________ ERROR collecting src/ecdsa/test_malformed_sigs.py _____________________________________________________________
/usr/lib64/python3.8/hashlib.py:157: in __hash_new
    return _hashlib.new(name, data)
E   ValueError: [digital envelope routines] initialization error

During handling of the above exception, another exception occurred:
src/ecdsa/test_malformed_sigs.py:41: in <module>
    hash_and_size = [
src/ecdsa/test_malformed_sigs.py:42: in <listcomp>
    (name, hashlib.new(name).digest_size) for name in algorithms_available
/usr/lib64/python3.8/hashlib.py:163: in __hash_new
    return __get_builtin_constructor(name)(data)
/usr/lib64/python3.8/hashlib.py:120: in __get_builtin_constructor
    raise ValueError('unsupported hash type ' + name)
E   ValueError: unsupported hash type whirlpool
========================================================================= short test summary info ==========================================================================
ERROR src/ecdsa/test_malformed_sigs.py - ValueError: unsupported hash type whirlpool
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Interrupted: 1 error during collection !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
============================================================================= 1 error in 1.17s =============================================================================

[tomato42]

That seems like a misconfigured environment.

The list of tested algorithms is taken from algorithms_available list:

python-ecdsa/src/ecdsa/test_malformed_sigs.py

Line 43 in 3b49fbe

(name, hashlib.new(name).digest_size) for name in algorithms_available

And that list is imported from hashlib:

python-ecdsa/src/ecdsa/test_malformed_sigs.py

Lines 5 to 15 in 3b49fbe

	try:
	from hashlib import algorithms_available
	except ImportError: # pragma: no cover
	algorithms_available = [
	"md5",
	"sha1",
	"sha224",
	"sha256",
	"sha384",
	"sha512",
	]

the fallback doesn't include whirlpool...

So it's the hashlib module that provides incorrect information

[tomato42]

Also, can't reproduce it on a clean Fedora 35 machine:

[root@fedora ~]# python3.8
Python 3.8.12 (default, Aug 30 2021, 00:00:00) 
[GCC 11.2.1 20210728 (Red Hat 11.2.1-1)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from hashlib import algorithms_available 
>>> algorithms_available
{'sha512_224', 'sha3_224', 'sha3_512', 'sm3', 'sha3_384', 'ripemd160', 'md5-sha1', 'sha512', 'sha256', 'sha224', 'sha512_256', 'sha1', 'blake2s', 'sha384', 'md4', 'whirlpool', 'md5', 'sha3_256', 'shake_128', 'blake2b', 'shake_256'}
>>> import hashlib
>>> a = {(name, hashlib.new(name).digest_size) for name in algorithms_available}
>>> a
{('blake2b', 64), ('sm3', 32), ('sha3_384', 48), ('blake2s', 32), ('md5-sha1', 36), ('md5', 16), ('shake_128', 0), ('sha512_256', 32), ('sha3_224', 28), ('sha256', 32), ('sha512_224', 28), ('sha512', 64), ('md4', 16), ('sha224', 28), ('sha3_256', 32), ('ripemd160', 20), ('sha384', 48), ('whirlpool', 64), ('sha1', 20), ('sha3_512', 64), ('shake_256', 0)}

[tomato42]

The compilation date is different... are you sure that you are using the distribution provided python?
Not some local version, compiled against openssl 3.0 instead of the 1.1.1 version?

[tomato42]

The issue is that algorithms like ripemd160 and whirlpool have been relegated to legacy provider in OpenSSL. That means that unless the legacy provider is explicitly loaded, they're not available. But Python should detect that and not list them as available.

I know that there have been quite a few changes around OpenSSL 3.0.0 compatibility: python/cpython#30455 so it's likely that not everything was backported to 3.8 branch.

In general, the upstream Python bug is still open: https://bugs.python.org/issue40479

[panlinux]

This is the python3 bug: python/cpython#91257

It has a few PRs listed in the comments, for different branches.

[tomato42]

For now I've filtered the problematic hashes in 82da89c, but we'll want to re-enable them in the future, when python fixes its bug.

[tomato42]

python/cpython#91257