Fix detection of FIPS mode for blake2b (#879)

* Fix detection of FIPS mode for blake2b Blake2 algorithms are disabled on FIPS mode on OpenSSL level and preferred on Python level which cause the check of API (attributes) to fail sooner than OpenSSL raises ValueError for unavailable function. * Update test * Add changelog entry Co-authored-by: Brian Rutledge <brian@bhrutledge.com>
pypa · Mar 2, 2022 · dbb040a · dbb040a
1 parent 372528f
commit dbb040a
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 3 deletions.
diff --git a/changelog/879.bugfix.rst b/changelog/879.bugfix.rst
@@ -0,0 +1 @@
+Improve detection of disabled BLAKE2 hashing due to FIPS mode.
diff --git a/tests/test_package.py b/tests/test_package.py
@@ -307,9 +307,10 @@ def test_fips_hash_manager_md5(monkeypatch):
     assert hasher.hexdigest() == hashes
 
 
-def test_fips_hash_manager_blake2(monkeypatch):
+@pytest.mark.parametrize("exception_class", [TypeError, ValueError])
+def test_fips_hash_manager_blake2(exception_class, monkeypatch):
     """Generate hexdigest without BLAKE2 when hashlib is using FIPS mode."""
-    replaced_blake2b = pretend.raiser(ValueError("fipsmode"))
+    replaced_blake2b = pretend.raiser(exception_class("fipsmode"))
     monkeypatch.setattr(package_file.hashlib, "blake2b", replaced_blake2b)
 
     filename = "tests/fixtures/twine-1.5.0-py2.py3-none-any.whl"

diff --git a/twine/package.py b/twine/package.py
@@ -265,7 +265,7 @@ def __init__(self, filename: str) -> None:
         self._blake_hasher = None
         try:
             self._blake_hasher = hashlib.blake2b(digest_size=256 // 8)
-        except ValueError:
+        except (ValueError, TypeError):
             # FIPS mode disables blake2
             pass