gh-128192: support HTTP sha-256 digest authentication as per RFC-7617

[calvinbui]

as mentioned in the issue, other authentication exist, but i don't see them supported out of the box in hashlib.

this all depends if python wishes to support rfc7616

• Issue: Support HTTP digest authentication algorithm SHA-256 as per RFC-7617 #128192

[ghost]

All commit authors signed the Contributor License Agreement.

[bedevere-app]

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

[ZeroIntensity]

cc @picnixz (cryptography expert)

[picnixz]

A preliminary round of comments. You can also update "RFC 2617" to "RFC 2617/7616" in the AbstractDigestAuthHandler comment.

[picnixz]

In a follow-up PR (or this one), if you want/can, we can add tests for a full communication round where we request HTTP digest authentication.

[calvinbui]

yep, next time!

[picnixz]

We are still missing the What's New entry and the modified NEWS entry.

[calvinbui]

We are still missing the What's New entry and the modified NEWS entry.

my bad, fixed

[picnixz]

We may also need an additional .. versionchanged:: next in the docs to mention SHA-256 in https://docs.python.org/3/library/urllib.request.html#urllib.request.AbstractDigestAuthHandler.

I think we'll also need a follow-up PR to update the docs because they are lacking IMO.

[calvinbui]

We may also need an additional .. versionchanged:: next in the docs to mention SHA-256 in https://docs.python.org/3/library/urllib.request.html#urllib.request.AbstractDigestAuthHandler.

added

I think we'll also need a follow-up PR to update the docs because they are lacking IMO.

what docs were you thinking of? i can make a new gh issue for it, as well as the complete end-to-end http digest auth test

[picnixz]

what docs were you thinking of? i can make a new gh issue for it, as well as the complete end-to-end http digest auth test

None of the methods of AbstractDigestAuthHandler are actually documented so we may want to document them. If someone wants to subclass this interface, they need to know its usage.

For now, let's wait for Gregory's feedback.

[picnixz]

Thank you for your contribution Calvin and Gregory for the merge/2nd review.

[bedevere-bot]

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot AMD64 RHEL8 FIPS Only Blake2 Builtin Hash 3.x has failed when building commit f9a5a3a.

What do you need to do:

1. Don't panic.
2. Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
3. Go to the page of the buildbot that failed (https://buildbot.python.org/#/builders/469/builds/9772) and take a look at the build logs.
4. Check if the failure is related to this commit (f9a5a3a) or if it is a false positive.
5. If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/#/builders/469/builds/9772

Failed tests:

• test_urllib2

Failed subtests:

• test_md5_algorithm - test.test_urllib2.TestDigestAlgorithms.test_md5_algorithm

Summary of the results of the build (if available):

==

Click to see traceback logs

Traceback (most recent call last):
  File "/home/buildbot/buildarea/3.x.cstratak-RHEL8-fips-x86_64.no-builtin-hashes-except-blake2/build/Lib/test/test_urllib2.py", line 1972, in test_md5_algorithm
    self.assertEqual(H("foo"), "acbd18db4cc2f85cedef654fccc4a4d8")
                     ~^^^^^^^
  File "/home/buildbot/buildarea/3.x.cstratak-RHEL8-fips-x86_64.no-builtin-hashes-except-blake2/build/Lib/urllib/request.py", line 1182, in <lambda>
    H = lambda x: hashlib.md5(x.encode("ascii")).hexdigest()
                  ~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^
ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS

[gpshead]

i'm not surprised at that buildbot error. it is running in an unrealistic config without critical hash functions. we'll ultimately just need to decorate the test to indicate that it requires md5, sha1, and sha256 - skipping it otherwise. (see test_hashlib)

[picnixz]

I'll do it tomorrow (it's almost midnight here and I'm no more on my dev session) or someone else somewhere else can add the decorators. However, maybe we should revert the commit just to avoid other PRs to have the buildbot failure in the meantime?

[gpshead]

No worries. That buildbot is an unstable unsupported configuration, no need to revert anything.

It's there solely so that we can use it to identify and clean up test dependency declaration issues eventually. It doesn't block anything.