From b8e012000db4fc38e61a5645de2617b797b0df4d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 8 Dec 2020 12:10:26 -0500 Subject: [PATCH 1/6] Fixed DH tests for latest CentOS FIPS OpenSSL --- .github/workflows/ci.yml | 6 +++--- tests/hazmat/primitives/test_dh.py | 12 ++++++++++++ tests/hazmat/primitives/test_serialization.py | 2 ++ tests/x509/test_x509.py | 18 +++++++++++------- 4 files changed, 28 insertions(+), 10 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 10f9eb47d326..5bdbf4f19c2d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -88,7 +88,7 @@ jobs: IMAGE: - {IMAGE: "pyca/cryptography-runner-centos8", TOXENV: "py27"} - {IMAGE: "pyca/cryptography-runner-centos8", TOXENV: "py36"} - - {IMAGE: "pyca/cryptography-runner-centos8-fips", TOXENV: "py36", ENV: "OPENSSL_FORCE_FIPS_MODE=1"} + - {IMAGE: "pyca/cryptography-runner-centos8-fips", TOXENV: "py36", ENV: "OPENSSL_FORCE_FIPS_MODE=1\nCFLAGS=-DUSE_OSRANDOM_RNG_FOR_TESTING"} - {IMAGE: "pyca/cryptography-runner-stretch", TOXENV: "py27"} - {IMAGE: "pyca/cryptography-runner-buster", TOXENV: "py37"} - {IMAGE: "pyca/cryptography-runner-bullseye", TOXENV: "py38"} @@ -104,10 +104,10 @@ jobs: steps: - uses: actions/checkout@v2 - run: 'git clone --depth=1 https://github.com/google/wycheproof "$HOME/wycheproof"' - - run: 'echo "$ENV_VAR" >> $GITHUB_ENV' + - run: 'echo -e "$ENV_VARS" >> $GITHUB_ENV' if: matrix.IMAGE.ENV env: - ENV_VAR: ${{ matrix.IMAGE.ENV }} + ENV_VARS: ${{ matrix.IMAGE.ENV }} - run: 'tox -- --wycheproof-root="$HOME/wycheproof"' env: TOXENV: ${{ matrix.IMAGE.TOXENV }} diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py index 4c2ee1a63f86..bc5ed8fb0035 100644 --- a/tests/hazmat/primitives/test_dh.py +++ b/tests/hazmat/primitives/test_dh.py @@ -151,6 +151,7 @@ def test_unsupported_generator_generate_dh(self, backend): with pytest.raises(ValueError): dh.generate_parameters(7, 512, backend) + @pytest.mark.skip_fips(reason="non-FIPS parameters") def test_dh_parameters_supported(self, backend): valid_p = int( b"907c7211ae61aaaba1825ff53b6cb71ac6df9f1a424c033f4a0a41ac42fad3a9" @@ -171,6 +172,12 @@ def test_dh_parameters_supported(self, backend): ) def test_dh_parameters_allows_rfc3526_groups(self, backend, vector): p = int_from_bytes(binascii.unhexlify(vector["p"]), "big") + if ( + backend._fips_enabled + and p.bit_length() < backend._fips_dh_min_modulus + ): + pytest.skip("modulus too small for FIPS mode") + params = dh.DHParameterNumbers(p, int(vector["g"])) param = params.parameters(backend) key = param.generate_private_key() @@ -180,6 +187,7 @@ def test_dh_parameters_allows_rfc3526_groups(self, backend, vector): roundtripped_key = key.private_numbers().private_key(backend) assert key.private_numbers() == roundtripped_key.private_numbers() + @pytest.mark.skip_fips(reason="non-FIPS parameters") @pytest.mark.parametrize( "vector", load_vectors_from_file( @@ -227,6 +235,7 @@ def test_convert_to_numbers(self, backend, with_q): deserialized_private, dh.DHPrivateKeyWithSerialization ) + @pytest.mark.skip_fips(reason="FIPS requires specific parameters") def test_numbers_unsupported_parameters(self, backend): # p is set to P_1536 + 1 because when calling private_key we want it to # fail the DH_check call OpenSSL does, but we specifically want it to @@ -415,6 +424,7 @@ def test_dh_vectors(self, backend, vector): assert int_from_bytes(symkey, "big") == int(vector["k"], 16) + @pytest.mark.skip_fips(reason="non-FIPS parameters") @pytest.mark.parametrize( "vector", load_vectors_from_file( @@ -477,6 +487,7 @@ def test_private_bytes_rejects_invalid(self, encoding, fmt, backend): with pytest.raises(ValueError): key.private_bytes(encoding, fmt, serialization.NoEncryption()) + @pytest.mark.skip_fips(reason="non-FIPS parameters") @pytest.mark.parametrize( ("key_path", "loader_func", "encoding", "is_dhx"), [ @@ -521,6 +532,7 @@ def test_private_bytes_match( ) assert serialized == key_bytes + @pytest.mark.skip_fips(reason="non-FIPS parameters") @pytest.mark.parametrize( ("key_path", "loader_func", "vec_path", "is_dhx"), [ diff --git a/tests/hazmat/primitives/test_serialization.py b/tests/hazmat/primitives/test_serialization.py index c21a4fa5ee35..32debd46c7d2 100644 --- a/tests/hazmat/primitives/test_serialization.py +++ b/tests/hazmat/primitives/test_serialization.py @@ -1757,6 +1757,7 @@ def test_openssh_serialization_unsupported(self, backend): class TestDHSerialization(object): """Test all options with least-supported key type.""" + @pytest.mark.skip_fips(reason="non-FIPS parameters") def test_dh_public_key(self, backend): data = load_vectors_from_file( os.path.join("asymmetric", "DH", "dhkey.pem"), @@ -1788,6 +1789,7 @@ def test_dh_public_key(self, backend): with pytest.raises(ValueError): public_key.public_bytes(enc, fmt) + @pytest.mark.skip_fips(reason="non-FIPS parameters") def test_dh_private_key(self, backend): data = load_vectors_from_file( os.path.join("asymmetric", "DH", "dhkey.pem"), diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index f4d93389ac02..146619b9a84b 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py @@ -41,6 +41,7 @@ ) from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ( + dh, dsa, ec, ed25519, @@ -51,6 +52,7 @@ from cryptography.hazmat.primitives.asymmetric.utils import ( decode_dss_signature, ) +from cryptography.utils import int_from_bytes from cryptography.x509.name import _ASN1Type from cryptography.x509.oid import ( AuthorityInformationAccessOID, @@ -65,7 +67,7 @@ from ..hazmat.primitives.fixtures_ec import EC_KEY_SECP256R1 from ..hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512 from ..hazmat.primitives.test_ec import _skip_curve_unsupported -from ..utils import load_vectors_from_file +from ..utils import load_nist_vectors, load_vectors_from_file @utils.register_interface(x509.ExtensionType) @@ -5237,12 +5239,14 @@ class TestSignatureRejection(object): """Test if signing rejects DH keys properly.""" def load_key(self, backend): - data = load_vectors_from_file( - os.path.join("asymmetric", "DH", "dhkey.pem"), - lambda pemfile: pemfile.read(), - mode="rb", - ) - return serialization.load_pem_private_key(data, None, backend) + vector = load_vectors_from_file( + os.path.join("asymmetric", "DH", "rfc3526.txt"), + load_nist_vectors, + )[1] + p = int_from_bytes(binascii.unhexlify(vector["p"]), "big") + params = dh.DHParameterNumbers(p, int(vector["g"])) + param = params.parameters(backend) + return param.generate_private_key() def test_crt_signing_check(self, backend): issuer_private_key = self.load_key(backend) From 2bfe95d42dbb92abf18457ffee87a82e5e8be9b1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 8 Dec 2020 14:51:23 -0500 Subject: [PATCH 2/6] poke GHA From c21e5fc65dd3f468adafa2c965cbe92db7ced16e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 8 Dec 2020 15:13:08 -0500 Subject: [PATCH 3/6] hack hack hack --- .github/workflows/ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5bdbf4f19c2d..73fb68b88755 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -88,7 +88,7 @@ jobs: IMAGE: - {IMAGE: "pyca/cryptography-runner-centos8", TOXENV: "py27"} - {IMAGE: "pyca/cryptography-runner-centos8", TOXENV: "py36"} - - {IMAGE: "pyca/cryptography-runner-centos8-fips", TOXENV: "py36", ENV: "OPENSSL_FORCE_FIPS_MODE=1\nCFLAGS=-DUSE_OSRANDOM_RNG_FOR_TESTING"} + - {IMAGE: "pyca/cryptography-runner-centos8-fips", TOXENV: "py36", ENV: ["OPENSSL_FORCE_FIPS_MODE=1", "CFLAGS=-DUSE_OSRANDOM_RNG_FOR_TESTING"]} - {IMAGE: "pyca/cryptography-runner-stretch", TOXENV: "py27"} - {IMAGE: "pyca/cryptography-runner-buster", TOXENV: "py37"} - {IMAGE: "pyca/cryptography-runner-bullseye", TOXENV: "py38"} @@ -107,13 +107,13 @@ jobs: - run: 'echo -e "$ENV_VARS" >> $GITHUB_ENV' if: matrix.IMAGE.ENV env: - ENV_VARS: ${{ matrix.IMAGE.ENV }} + ENV_VARS: ${{ join(matrix.IMAGE.ENV, "\n") }} - run: 'tox -- --wycheproof-root="$HOME/wycheproof"' env: TOXENV: ${{ matrix.IMAGE.TOXENV }} - uses: ./.github/actions/upload-coverage with: - name: "tox -e ${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }} ${{ matrix.IMAGE.ENV }}" + name: "tox -e ${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }} ${{ join(matrix.IMAGE.ENV, ' ') }}" macos: runs-on: macos-latest From 829dc604ceacd26d9cba909afe2f2cba9e3056d0 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 8 Dec 2020 15:14:28 -0500 Subject: [PATCH 4/6] hack hack hack --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 73fb68b88755..2258d4d1b7a6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -107,7 +107,7 @@ jobs: - run: 'echo -e "$ENV_VARS" >> $GITHUB_ENV' if: matrix.IMAGE.ENV env: - ENV_VARS: ${{ join(matrix.IMAGE.ENV, "\n") }} + ENV_VARS: ${{ join(matrix.IMAGE.ENV, '\n') }} - run: 'tox -- --wycheproof-root="$HOME/wycheproof"' env: TOXENV: ${{ matrix.IMAGE.TOXENV }} From 931df35859d52816113f52dcb450cb9e9093ef92 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 8 Dec 2020 15:15:08 -0500 Subject: [PATCH 5/6] hack hack hack --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2258d4d1b7a6..a198c4335466 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -100,7 +100,7 @@ jobs: - {IMAGE: "pyca/cryptography-runner-ubuntu-rolling", TOXENV: "py38-randomorder"} - {IMAGE: "pyca/cryptography-runner-fedora", TOXENV: "py39"} - {IMAGE: "pyca/cryptography-runner-alpine", TOXENV: "py38"} - name: "tox -e ${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }} ${{ matrix.IMAGE.ENV }}" + name: "tox -e ${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }} ${{ join(matrix.IMAGE.ENV, ' ') }}" steps: - uses: actions/checkout@v2 - run: 'git clone --depth=1 https://github.com/google/wycheproof "$HOME/wycheproof"' From e136c449fc4545e0f2765791ea6b80e6940818ed Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 8 Dec 2020 15:46:40 -0500 Subject: [PATCH 6/6] hack hack hack --- .github/workflows/ci.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a198c4335466..1e03eaede894 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -88,7 +88,7 @@ jobs: IMAGE: - {IMAGE: "pyca/cryptography-runner-centos8", TOXENV: "py27"} - {IMAGE: "pyca/cryptography-runner-centos8", TOXENV: "py36"} - - {IMAGE: "pyca/cryptography-runner-centos8-fips", TOXENV: "py36", ENV: ["OPENSSL_FORCE_FIPS_MODE=1", "CFLAGS=-DUSE_OSRANDOM_RNG_FOR_TESTING"]} + - {IMAGE: "pyca/cryptography-runner-centos8-fips", TOXENV: "py36", FIPS: true} - {IMAGE: "pyca/cryptography-runner-stretch", TOXENV: "py27"} - {IMAGE: "pyca/cryptography-runner-buster", TOXENV: "py37"} - {IMAGE: "pyca/cryptography-runner-bullseye", TOXENV: "py38"} @@ -100,20 +100,20 @@ jobs: - {IMAGE: "pyca/cryptography-runner-ubuntu-rolling", TOXENV: "py38-randomorder"} - {IMAGE: "pyca/cryptography-runner-fedora", TOXENV: "py39"} - {IMAGE: "pyca/cryptography-runner-alpine", TOXENV: "py38"} - name: "tox -e ${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }} ${{ join(matrix.IMAGE.ENV, ' ') }}" + name: "tox -e ${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }}" steps: - uses: actions/checkout@v2 - run: 'git clone --depth=1 https://github.com/google/wycheproof "$HOME/wycheproof"' - - run: 'echo -e "$ENV_VARS" >> $GITHUB_ENV' - if: matrix.IMAGE.ENV - env: - ENV_VARS: ${{ join(matrix.IMAGE.ENV, '\n') }} + - run: | + echo "OPENSSL_FORCE_FIPS_MODE=1" >> $GITHUB_ENV + echo "CFLAGS=-DUSE_OSRANDOM_RNG_FOR_TESTING" >> $GITHUB_ENV + if: matrix.IMAGE.FIPS - run: 'tox -- --wycheproof-root="$HOME/wycheproof"' env: TOXENV: ${{ matrix.IMAGE.TOXENV }} - uses: ./.github/actions/upload-coverage with: - name: "tox -e ${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }} ${{ join(matrix.IMAGE.ENV, ' ') }}" + name: "tox -e ${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }}" macos: runs-on: macos-latest