add various tests for the HACL* HMAC implementation

picnixz · picnixz · commit 2b544e5bdb8a · 2025-03-17T11:58:15.000+01:00
- create `ThroughBuiltinAPIMixin` similar to `ThroughOpenSSLAPIMixin`
- add tests for RFC test vectors
- add tests for `digestmod` parameter
- add sanity check tests
- add hmac.update() tests
- add hmac.copy() tests
diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py
@@ -47,7 +47,7 @@ def setUpClass(cls):
         cls.hmac = import_fresh_module('hmac', blocked=['_hashlib', '_hmac'])
 
 
-@unittest.skip("no builtin implementation for HMAC for now")
+@hashlib_helper.requires_builtin_hmac()
 class BuiltinModuleMixin(ModuleMixin):
     """Built-in HACL* implementation of HMAC."""
 
@@ -128,6 +128,16 @@ def hmac_digest(self, key, msg=None, digestmod=None):
         return _hashlib.hmac_digest(key, msg, digest=digestmod)
 
 
+class ThroughBuiltinAPIMixin(BuiltinModuleMixin, CreatorMixin, DigestMixin):
+    """Mixin delegating to _hmac.new() and _hmac.compute_digest()."""
+
+    def hmac_new(self, key, msg=None, digestmod=None):
+        return self.hmac.new(key, msg, digestmod=digestmod)
+
+    def hmac_digest(self, key, msg=None, digestmod=None):
+        return self.hmac.compute_digest(key, msg, digest=digestmod)
+
+
 class ObjectCheckerMixin:
     """Mixin for checking HMAC objects (pure Python, OpenSSL or built-in)."""
 
@@ -335,6 +345,10 @@ def hmac_digest_by_name(self, key, msg=None, *, hashname):
         return self.hmac_digest(key, msg, digestmod=openssl_func)
 
 
+class BuiltinAssertersMixin(ThroughBuiltinAPIMixin, AssertersMixin):
+    pass
+
+
 class HashFunctionsTrait:
     """Trait class for 'hashfunc' in hmac_new() and hmac_digest()."""
 
@@ -603,14 +617,23 @@ class OpenSSLRFCTestCase(OpenSSLAssertersMixin,
     """
 
 
+class BuiltinRFCTestCase(BuiltinAssertersMixin,
+                         WithNamedHashFunctions, RFCTestCaseMixin,
+                         unittest.TestCase):
+    """Built-in HACL* implementation of HMAC.
+
+    The underlying hash functions are also HACL*-based.
+    """
+
+
 # TODO(picnixz): once we have a HACL* HMAC, we should also test the Python
 # implementation of HMAC with a HACL*-based hash function. For now, we only
 # test it partially via the '_sha2' module, but for completeness we could
 # also test the RFC test vectors against all possible implementations.
 
 
 class DigestModTestCaseMixin(CreatorMixin, DigestMixin):
-    """Tests for the 'digestmod' parameter."""
+    """Tests for the 'digestmod' parameter for hmac_new() and hmac_digest()."""
 
     def assert_raises_missing_digestmod(self):
         """A context manager catching errors when a digestmod is missing."""
@@ -753,11 +776,15 @@ def raiser():
 class ExtensionConstructorTestCaseMixin(DigestModTestCaseMixin,
                                         ConstructorTestCaseMixin):
 
-    # The underlying C class.
-    obj_type = None
+    @property
+    def obj_type(self):
+        """The underlying (non-instantiable) C class."""
+        raise NotImplementedError
 
-    # The exact exception class raised when a 'digestmod' parameter is invalid.
-    exc_type = None
+    @property
+    def exc_type(self):
+        """The exact exception class raised upon invalid 'digestmod' values."""
+        raise NotImplementedError
 
     def test_internal_types(self):
         # internal C types are immutable and cannot be instantiated
@@ -804,6 +831,24 @@ def test_hmac_digest_digestmod_parameter(self):
                 self.hmac_digest(b'key', b'msg', value)
 
 
+class BuiltinConstructorTestCase(ThroughBuiltinAPIMixin,
+                                 ExtensionConstructorTestCaseMixin,
+                                 unittest.TestCase):
+
+    @property
+    def obj_type(self):
+        return self.hmac.HMAC
+
+    @property
+    def exc_type(self):
+        return self.hmac.UnknownHashError
+
+    def test_hmac_digest_digestmod_parameter(self):
+        for value in [object, 'unknown', 1234, None]:
+            with self.subTest(value=value), self.assert_digestmod_error():
+                self.hmac_digest(b'key', b'msg', value)
+
+
 class SanityTestCaseMixin(CreatorMixin):
     """Sanity checks for HMAC objects and their object interface.
 
@@ -859,6 +904,20 @@ def test_repr(self):
         self.assertStartsWith(repr(h), f"<{self.digestname} HMAC object @")
 
 
+class BuiltinSanityTestCase(ThroughBuiltinAPIMixin, SanityTestCaseMixin,
+                            unittest.TestCase):
+
+    @classmethod
+    def setUpClass(cls):
+        super().setUpClass()
+        cls.hmac_class = cls.hmac.HMAC
+        cls.digestname = 'sha256'
+
+    def test_repr(self):
+        h = self.hmac_new(b"my secret key", digestmod=self.digestname)
+        self.assertStartsWith(repr(h), f"<{self.digestname} HMAC object @")
+
+
 class UpdateTestCaseMixin:
     """Tests for the update() method (streaming HMAC)."""
 
@@ -890,7 +949,7 @@ class PyUpdateTestCase(UpdateTestCaseMixin, unittest.TestCase):
     @classmethod
     def setUpClass(cls):
         super().setUpClass()
-        cls.hmac = import_fresh_module('hmac', blocked=['_hashlib'])
+        cls.hmac = import_fresh_module('hmac', blocked=['_hashlib', '_hmac'])
 
     def HMAC(self, key, msg=None):
         return self.hmac.HMAC(key, msg, digestmod='sha256')
@@ -900,7 +959,16 @@ def HMAC(self, key, msg=None):
 class OpenSSLUpdateTestCase(UpdateTestCaseMixin, unittest.TestCase):
 
     def HMAC(self, key, msg=None):
-        return hmac.new(key, msg, digestmod='sha256')
+        return _hashlib.hmac_new(key, msg, digestmod='sha256')
+
+
+class BuiltinUpdateTestCase(BuiltinModuleMixin,
+                            UpdateTestCaseMixin, unittest.TestCase):
+
+    def HMAC(self, key, msg=None):
+        # Even if Python does not build '_sha2', the HACL* sources
+        # are still built, making it possible to use SHA-2 hashes.
+        return self.hmac.new(key, msg, digestmod='sha256')
 
 
 class CopyBaseTestCase:
@@ -991,7 +1059,16 @@ def test_realcopy(self):
 class OpenSSLCopyTestCase(ExtensionCopyTestCase, unittest.TestCase):
 
     def init(self, h):
-        h._init_hmac(b"key", b"msg", digestmod="sha256")
+        h._init_openssl_hmac(b"key", b"msg", digestmod="sha256")
+
+
+@hashlib_helper.requires_builtin_hmac()
+class BuiltinCopyTestCase(ExtensionCopyTestCase, unittest.TestCase):
+
+    def init(self, h):
+        # Even if Python does not build '_sha2', the HACL* sources
+        # are still built, making it possible to use SHA-2 hashes.
+        h._init_builtin_hmac(b"key", b"msg", digestmod="sha256")
 
 
 class CompareDigestMixin:
