Skip to content

gh-136134: Fallback to next auth method when CRAM-MD5 fails due to unsupported hash (e.g. FIPS) #136188

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 4 commits into from
+74 −4
Closed

gh-136134: Fallback to next auth method when CRAM-MD5 fails due to unsupported hash (e.g. FIPS) #136188

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
b379ce4
"gh-136134: Fallback to next auth method when CRAM-MD5 fails due to u…
nogueira-raphael Jul 1, 2025
73014d5
gh-136134: Add code comment explaining CRAM-MD5 fallback and NEWS entry
nogueira-raphael Jul 1, 2025
d2cc372
bpo-136134: Raise SMTPAuthHashUnsupportedError when HMAC fails in CRA…
nogueira-raphael Jul 2, 2025
ba5c991
bpo-136134: Clarify comment on handling unsupported hash in CRAM-MD5
nogueira-raphael Jul 2, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions Lib/smtplib.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -743,6 +743,13 @@ def login(self, user, password, *, initial_response_ok=True):
return (code, resp)
except SMTPAuthenticationError as e:
last_exception = e
except ValueError as e:
# Some environments (e.g., FIPS) disable certain hashing algorithms like MD5,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This comment is too verbose. Just write something like "skip unsupported HMAC-HASH algorithms"

# which are required by CRAM-MD5. This raises a ValueError when trying to use HMAC.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

name of the exception in the comment needs update

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch, tks
I’ve updated the comment to reflect the correct exception name

# If this happens, we catch the exception and continue trying the next auth method.
last_exception = e
if 'unsupported' in str(e).lower():
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why do we care about this specific error? shouldn't the next method be tried regardless of the nature of the error?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In general, it makes sense to fallback regardless of the error. However, in this case, we handle this specific ValueError to deal with environments where FIPS mode is enabled, which disables certain hashing algorithms like MD5.

In FIPS mode, CRAM-MD5 will raise a ValueError from the underlying OpenSSL implementation (e.g. [digital envelope routines] unsupported). Since this isn't a misconfiguration or a generic programming error, but rather an expected, reproducible environment-specific issue, we explicitly catch it and fallback silently to the next available method (e.g. LOGIN).

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see your point. I had seen the error only on Linux container with a specific version of openssl. My worry is that the fix will be rendered ineffective if openssl changes the error string or returns a different error on a different OS/platform.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think so, we are saving the error, and try another method, if none of them resolve, we will return the latest error.
However, I also don't like this kind of fix, I didn't found another better way to solve this.
And the error is not only related with that docker image.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should do it differently. Relying on the content of an exception message is a bad idea as it can evolve in the future. Instead, locate where we call HMAC and wrap that call, then raise an appropriate exception and catch that one instead.

If the call is too deep in the stack we should find another way.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the suggestion @picnixz, I’ve applied the proposed approach by wrapping the HMAC call directly and raising a dedicated SMTPAuthHashUnsupportedError instead of relying on the exception message. I agree with this approach.

If there’s anything you’d like to adjust in naming or behavior, I’ll be happy to apply it.

continue

# We could not login successfully. Return result of last attempt.
raise last_exception
Expand Down
57 changes: 56 additions & 1 deletion Lib/test/test_smtplib.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@
from test.support import threading_helper
from test.support import asyncore
from test.support import smtpd
from unittest.mock import Mock
from unittest.mock import Mock, patch


support.requires_working_socket(module=True)
Expand Down Expand Up @@ -1570,5 +1570,60 @@ def testAUTH_PLAIN_initial_response_auth(self):
self.assertEqual(code, 235)


class TestSMTPLoginValueError(unittest.TestCase):
def broken_hmac(*args, **kwargs):
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Make it an external function, and mock the entire class instead.

raise ValueError("[digital envelope routines] unsupported")

def test_login_raises_valueerror_when_cram_md5_fails(self):
with patch("hmac.HMAC", self.broken_hmac):
class FakeSMTP(smtplib.SMTP):
def __init__(self):
super().__init__(host='', port=0)
self.esmtp_features = {"auth": "CRAM-MD5"}
self._host = "localhost"

def ehlo_or_helo_if_needed(self):
pass

def has_extn(self, ext):
return ext.lower() == "auth"

def docmd(self, *args, **kwargs):
# Retorna uma challenge base64 válida
return 334, b"Y2hhbGxlbmdl"

smtp = FakeSMTP()
with self.assertRaises(ValueError) as ctx:
smtp.login("user", "pass")
self.assertIn("unsupported", str(ctx.exception).lower())

def test_login_fallbacks_when_cram_md5_raises_valueerror(self):
with patch("hmac.HMAC", self.broken_hmac):
class FakeSMTP(smtplib.SMTP):
def __init__(self):
super().__init__(host='', port=0)
self.esmtp_features = {"auth": "CRAM-MD5 LOGIN"}
self._host = "localhost"

def ehlo_or_helo_if_needed(self):
pass

def has_extn(self, ext):
return ext.lower() == "auth"

def docmd(self, *args, **kwargs):
if args[0] == "AUTH" and args[1].startswith("CRAM-MD5"):
return 334, b"Y2hhbGxlbmdl" # base64('challenge')
return 235, b"Authentication successful"

def auth_login(self, challenge=None):
return "login response"

smtp = FakeSMTP()
code, resp = smtp.login("user", "pass")
self.assertEqual(code, 235)
self.assertEqual(resp, b"Authentication successful")


if __name__ == '__main__':
unittest.main()
2 changes: 2 additions & 0 deletions Misc/NEWS.d/next/Library/2025-07-01-21-37-17.gh-issue-136134.NhFpu3.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
Make smtplib fallback to next auth method if CRAM-MD5 fails due to
unsupported hash (e.g. FIPS). Contributed by Raphael Rodrigues.
Loading