-
Bug
-
Resolution: Done
-
Undefined
-
rhel-8.10
-
python-cryptography-3.2.1-7.el8_9
-
None
-
None
-
ZStream
-
rhel-sst-idm-ipa
-
ssg_idm
-
16
-
25
-
None
-
False
-
-
No
-
None
-
Approved Blocker
-
None
-
None
-
If docs needed, set a value
-
-
Unspecified
-
None
+++ This bug was initially created as a clone of Bug #2203840 +++
Description of problem:
rhbz#2153471 introduced a fix for Bleichenbacher timing attacks. The new feature EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION breaks an assumption in upstream test case test_decrypt_invalid_decrypt. The test no longer fails with an exception.
Version-Release number of selected component (if applicable):
36.0.1-3.el9
How reproducible:
always
Steps to Reproduce:
1. Run the upstream test suite (spec file runs the test suite in %check)
Actual results:
=================================== FAILURES ===================================
________________ TestRSADecryption.test_decrypt_invalid_decrypt ________________
self = <tests.hazmat.primitives.test_rsa.TestRSADecryption object at 0x7fa9df2d4730>
backend = <OpenSSLBackend(version: OpenSSL 3.0.7 1 Nov 2022, FIPS: False)>
@pytest.mark.supported(
only_if=lambda backend: backend.rsa_padding_supported(
padding.PKCS1v15()
),
skip_message="Does not support PKCS1v1.5.",
)
def test_decrypt_invalid_decrypt(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
with pytest.raises(ValueError):
> private_key.decrypt(b"\x00" * 256, padding.PKCS1v15())
E Failed: DID NOT RAISE <class 'ValueError'>
tests/hazmat/primitives/test_rsa.py:1562: Failed
Expected results:
No error
Additional info:
Issue was detected by OSCI, http://artifacts.osci.redhat.com/baseos-ci/brew-build/52/45/09/52450935/https___baseos-jenkins.rhev-ci-vms.eng.rdu2.redhat.com-ci-artemis/42237/tmpzxfeamhj.01/recipes/1/tasks/4/logs/taskout.log
Upstream fix: https://github.com/pyca/cryptography/pull/7895
— Additional comment from Christian Heimes on 2023-05-15 12:02:27 UTC —
The issue was introduced in openssl-3.0.7-17.el9
— Additional comment from Christian Heimes on 2023-05-15 12:46:29 UTC —
c9s PR: https://gitlab.com/redhat/centos-stream/rpms/python-cryptography/-/merge_requests/15
— Additional comment from Christian Heimes on 2023-05-15 12:54:06 UTC —
c9s scratch build with fix and openssl-devel-1:3.0.7-17.el9: https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=2216605
— Additional comment from Florence Blanc-Renaud on 2023-05-23 16:47:33 UTC —
@amore@redhat.com As release lead for RHEL 9.3, can you sync with Christian and check what needs to be done for this BZ?
openssl-3.0.7-18.el9 is already available in the nightly composes but openssl-3.0.7-19.el9 is currently in gating.
— Additional comment from Christian Heimes on 2023-05-30 11:05:51 UTC —
Anuja and I discussed the matter on Slack. The test failure is internal and has no customer-facing implications. A sanity-only check is sufficient. If build with test passes with latest OpenSSL, then the fix works as expected.
c9s build: https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=2275158
— Additional comment from Christian Heimes on 2023-05-30 12:22:46 UTC —
The c9s build took a bit longer because there was an outage of the s390x builder.
rhel-9-main build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=52966821
— Additional comment from errata-xmlrpc on 2023-05-30 12:24:28 UTC —
This bug has been added to advisory RHSA-2023:113182 by Christian Heimes (cheimes@redhat.com)
— Additional comment from errata-xmlrpc on 2023-05-30 12:24:29 UTC —
Bug report changed to ON_QA status by Errata System.
A QE request has been submitted for advisory RHSA-2023:113182-03
https://errata.devel.redhat.com/advisory/113182
— Additional comment from errata-xmlrpc on 2023-05-30 12:24:40 UTC —
This bug has been added to advisory RHSA-2023:113182 by Christian Heimes (cheimes@redhat.com)
— Additional comment from anuja on 2023-06-28 12:51:41 UTC —
— Additional comment from anuja on 2023-06-28 14:02:14 UTC —
As per fix test will be marked as skipped.
tests/hazmat/primitives/test_rsa.py::TestRSADecryption::test_decrypt_invalid_decrypt SKIPPED
=========================== short test summary info ============================
SKIPPED [1600] tests/hazmat/primitives/utils.py:501: Does not support counter location: middle_fixed
SKIPPED [1] tests/utils.py:30: Requires OpenSSL without poly1305 support (<OpenSSLBackend(version: OpenSSL 3.0.7 1 Nov 2022, FIPS: False)>)
SKIPPED [1] tests/utils.py:30: Requires backend without RSA OAEP label support (<OpenSSLBackend(version: OpenSSL 3.0.7 1 Nov 2022, FIPS: False)>)
SKIPPED [1] tests/utils.py:30: Does not support PKCS1v1.5. (<OpenSSLBackend(version: OpenSSL 3.0.7 1 Nov 2022, FIPS: False)>)
SKIPPED [1] tests/utils.py:30: Requires FIPS (<OpenSSLBackend(version: OpenSSL 3.0.7 1 Nov 2022, FIPS: False)>)
SKIPPED [4] tests/hazmat/primitives/test_serialization.py:1919: Requires bcrypt module
SKIPPED [1] tests/utils.py:30: Requires that bcrypt exists (<OpenSSLBackend(version: OpenSSL 3.0.7 1 Nov 2022, FIPS: False)>)
SKIPPED [1] tests/utils.py:30: Requires backend support for ec.SECP192R1 (<OpenSSLBackend(version: OpenSSL 3.0.7 1 Nov 2022, FIPS: False)>)
SKIPPED [1] tests/utils.py:30: Does not support SM4 ECB (<OpenSSLBackend(version: OpenSSL 3.0.7 1 Nov 2022, FIPS: False)>)
SKIPPED [1] tests/utils.py:30: Does not support SM4 CBC (<OpenSSLBackend(version: OpenSSL 3.0.7 1 Nov 2022, FIPS: False)>)
SKIPPED [1] tests/utils.py:30: Does not support SM4 OFB (<OpenSSLBackend(version: OpenSSL 3.0.7 1 Nov 2022, FIPS: False)>)
SKIPPED [1] tests/utils.py:30: Does not support SM4 CFB (<OpenSSLBackend(version: OpenSSL 3.0.7 1 Nov 2022, FIPS: False)>)
SKIPPED [1] tests/utils.py:30: Does not support SM4 CTR (<OpenSSLBackend(version: OpenSSL 3.0.7 1 Nov 2022, FIPS: False)>)
SKIPPED [1] tests/utils.py:30: Requires OpenSSL without X25519 support (<OpenSSLBackend(version: OpenSSL 3.0.7 1 Nov 2022, FIPS: False)>)
SKIPPED [1] tests/utils.py:30: Requires OpenSSL without X448 support (<OpenSSLBackend(version: OpenSSL 3.0.7 1 Nov 2022, FIPS: False)>)
===================== 1007 passed, 1617 skipped in 41.62s ======================
Based on results marking bug as verified.
— Additional comment from errata-xmlrpc on 2023-11-07 00:17:51 UTC —
Bug report changed to RELEASE_PENDING status by Errata System.
Advisory RHSA-2023:113182-05 has been changed to PUSH_READY status.
https://errata.devel.redhat.com/advisory/113182
— Additional comment from errata-xmlrpc on 2023-11-07 08:52:12 UTC —
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Moderate: python-cryptography security update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
- is cloned by
-
RHEL-17867 [FTBFS] rsa_pkcs1_implicit_rejection breaks test_decrypt_invalid_decrypt
- Closed
- external trackers