test_socket.LinuxKernelCryptoAPI.test_hmac_sha1() fails on "AMD64 RHEL8 FIPS Only Blake2 Builtin Hash 3.x" buildbot #109396

Closed
vstinner opened this issue Sep 14, 2023 · 3 comments
Labels
tests Tests in the Lib/test dir type-bug An unexpected behavior, bug, or error

Comments

@vstinner
Member

vstinner commented Sep 14, 2023

Bug report

When FIPS is enabled in Linux, LinuxKernelCryptoAPI.test_hmac_sha1() fails with OSError: [Errno 22] Invalid argument.

test.pythoninfo:

fips.linux_crypto_fips_enabled: 1
fips.openssl_fips_mode: 1

Error:

ERROR: test_hmac_sha1 (test.test_socket.LinuxKernelCryptoAPI.test_hmac_sha1)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/buildbot/buildarea/3.x.cstratak-RHEL8-fips-x86_64.no-builtin-hashes-except-blake2/build/Lib/test/test_socket.py", line 6479, in test_hmac_sha1
    algo.setsockopt(socket.SOL_ALG, socket.ALG_SET_KEY, b"Jefe")
OSError: [Errno 22] Invalid argument

build: https://buildbot.python.org/all/#/builders/469/builds/5995

vstinner added the type-bug and tests labels Sep 14, 2023
@vstinner
Member Author

cc @stratakis

@vstinner
Member Author

It seems like hmac in FIPS mode requires a key of at least 112 bits (14 bytes), whereas the test uses a key of 32 bits (4 bytes). See hmac_setkey() in the master branch of the Linux kernel:

	if (fips_enabled && (keylen < 112 / 8))
		return -EINVAL;

https://github.com/torvalds/linux/blob/9fdfb15a3dbf818e06be514f4abbfc071004cbe7/crypto/hmac.c#L55-L56
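
The check described above, as an added example that is not part of the issue or of CPython's test suite: it mirrors the kernel's 112-bit minimum before calling ALG_SET_KEY, so a short key fails with a readable error instead of a bare EINVAL. The helper names and the 20-byte sample key are assumptions made for illustration.

```python
import errno
import socket

# 112 bits, the minimum in the hmac_setkey() check quoted above.
FIPS_MIN_HMAC_KEY_BYTES = 112 // 8
FIPS_FLAG = "/proc/sys/crypto/fips_enabled"


def kernel_fips_enabled(path=FIPS_FLAG):
    """True when the running Linux kernel reports FIPS mode."""
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except OSError:
        return False  # flag file absent: not Linux, or FIPS support not built


def key_rejected_by_fips(key, fips=None):
    """Mirror the kernel check: in FIPS mode a key under 14 bytes is refused."""
    if fips is None:
        fips = kernel_fips_enabled()
    return bool(fips) and len(key) < FIPS_MIN_HMAC_KEY_BYTES


def af_alg_hmac_sha1(key, msg):
    """HMAC-SHA1 through AF_ALG; None if AF_ALG cannot be used on this host."""
    if key_rejected_by_fips(key):
        # Fail with a readable message instead of a bare EINVAL from setsockopt().
        raise ValueError(f"FIPS mode: {len(key) * 8}-bit HMAC key, need >= 112 bits")
    if not hasattr(socket, "AF_ALG"):
        return None
    try:
        with socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0) as algo:
            algo.bind(("hash", "hmac(sha1)"))
            algo.setsockopt(socket.SOL_ALG, socket.ALG_SET_KEY, key)
            op, _ = algo.accept()
            with op:
                op.sendall(msg)
                return op.recv(512)
    except OSError as exc:
        if exc.errno == errno.EINVAL:
            raise  # the kernel refused the key or the request
        return None  # AF_ALG blocked, or hmac(sha1) not provided by this kernel


if __name__ == "__main__":
    sample_key = b"\x0b" * 20  # constructed 160-bit key, above the FIPS minimum
    print(key_rejected_by_fips(b"Jefe", fips=True))  # the 4-byte key from the traceback
    digest = af_alg_hmac_sha1(sample_key, b"Hi There")
    print(digest.hex() if digest else "AF_ALG unavailable")
```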

vstinner added a commit to vstinner/cpython that referenced this issue Sep 14, 2023
Use a longer key: FIPS mode requires at least 112 bits.
The previous key was only 32 bits.
vstinner added a commit that referenced this issue Sep 14, 2023
Use a longer key: FIPS mode requires at least 112 bits.
The previous key was only 32 bits.
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Sep 14, 2023
…nGH-109423)

Use a longer key: FIPS mode requires at least 112 bits.
The previous key was only 32 bits.
(cherry picked from commit e091b9f)

Co-authored-by: Victor Stinner <[email protected]>
Yhg1s pushed a commit that referenced this issue Sep 14, 2023
…09423) (#109426)

gh-109396: Fix test_socket.test_hmac_sha1() in FIPS mode (GH-109423)

Use a longer key: FIPS mode requires at least 112 bits.
The previous key was only 32 bits.
(cherry picked from commit e091b9f)

Co-authored-by: Victor Stinner <[email protected]>
vstinner added a commit that referenced this issue Sep 14, 2023
…09423) (#109427)

gh-109396: Fix test_socket.test_hmac_sha1() in FIPS mode (GH-109423)

Use a longer key: FIPS mode requires at least 112 bits.
The previous key was only 32 bits.
(cherry picked from commit e091b9f)

Co-authored-by: Victor Stinner <[email protected]>
miss-islington added a commit to miss-islington/cpython that referenced this issue Oct 8, 2024
…pythonGH-109423) (pythonGH-109427)

pythongh-109396: Fix test_socket.test_hmac_sha1() in FIPS mode (pythonGH-109423)

Use a longer key: FIPS mode requires at least 112 bits.
The previous key was only 32 bits.
(cherry picked from commit e091b9f)

(cherry picked from commit f7bfac4)

Co-authored-by: Miss Islington (bot) <[email protected]>
Co-authored-by: Victor Stinner <[email protected]>
@encukou
Member

encukou commented Oct 8, 2024

This fails on 3.10 & 3.9 buildbots, so let's backport there too.

pablogsal pushed a commit that referenced this issue Oct 22, 2024
…09423) (#125106)

[3.11] gh-109396: Fix test_socket.test_hmac_sha1() in FIPS mode (GH-109423) (GH-109427)

gh-109396: Fix test_socket.test_hmac_sha1() in FIPS mode (GH-109423)

Use a longer key: FIPS mode requires at least 112 bits.
The previous key was only 32 bits.
(cherry picked from commit e091b9f)

(cherry picked from commit f7bfac4)

Co-authored-by: Victor Stinner <[email protected]>
Co-authored-by: Petr Viktorin <[email protected]>