Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-17864

[FTBFS] rsa_pkcs1_implicit_rejection breaks test_decrypt_invalid_decrypt

    • python-cryptography-3.2.1-7.el8_9
    • None
    • None
    • ZStream
    • rhel-sst-idm-ipa
    • ssg_idm
    • 16
    • 25
    • None
    • False
    • Hide

      None

      Show
      None
    • No
    • None
    • Approved Blocker
    • None
    • None
    • If docs needed, set a value
    • None

      +++ This bug was initially created as a clone of Bug #2203840 +++

      Description of problem:
      rhbz#2153471 introduced a fix for Bleichenbacher timing attacks. The new feature EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION breaks an assumption in upstream test case test_decrypt_invalid_decrypt. The test no longer fails with an exception.

      Version-Release number of selected component (if applicable):
      36.0.1-3.el9

      How reproducible:
      always

      Steps to Reproduce:
      1. Run the upstream test suite (spec file runs the test suite in %check)

      Actual results:
      =================================== FAILURES ===================================
      ________________ TestRSADecryption.test_decrypt_invalid_decrypt ________________

      self = <tests.hazmat.primitives.test_rsa.TestRSADecryption object at 0x7fa9df2d4730>
      backend = <OpenSSLBackend(version: OpenSSL 3.0.7 1 Nov 2022, FIPS: False)>

      @pytest.mark.supported(
      only_if=lambda backend: backend.rsa_padding_supported(
      padding.PKCS1v15()
      ),
      skip_message="Does not support PKCS1v1.5.",
      )
      def test_decrypt_invalid_decrypt(self, backend):
      private_key = RSA_KEY_2048.private_key(backend)
      with pytest.raises(ValueError):
      > private_key.decrypt(b"\x00" * 256, padding.PKCS1v15())
      E Failed: DID NOT RAISE <class 'ValueError'>

      tests/hazmat/primitives/test_rsa.py:1562: Failed

      Expected results:
      No error

      Additional info:
      Issue was detected by OSCI, http://artifacts.osci.redhat.com/baseos-ci/brew-build/52/45/09/52450935/https___baseos-jenkins.rhev-ci-vms.eng.rdu2.redhat.com-ci-artemis/42237/tmpzxfeamhj.01/recipes/1/tasks/4/logs/taskout.log

      Upstream fix: https://github.com/pyca/cryptography/pull/7895

      — Additional comment from Christian Heimes on 2023-05-15 12:02:27 UTC —

      The issue was introduced in openssl-3.0.7-17.el9

      — Additional comment from Christian Heimes on 2023-05-15 12:46:29 UTC —

      c9s PR: https://gitlab.com/redhat/centos-stream/rpms/python-cryptography/-/merge_requests/15

      — Additional comment from Christian Heimes on 2023-05-15 12:54:06 UTC —

      c9s scratch build with fix and openssl-devel-1:3.0.7-17.el9: https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=2216605

      — Additional comment from Florence Blanc-Renaud on 2023-05-23 16:47:33 UTC —

      @amore@redhat.com As release lead for RHEL 9.3, can you sync with Christian and check what needs to be done for this BZ?
      openssl-3.0.7-18.el9 is already available in the nightly composes but openssl-3.0.7-19.el9 is currently in gating.

      — Additional comment from Christian Heimes on 2023-05-30 11:05:51 UTC —

      Anuja and I discussed the matter on Slack. The test failure is internal and has no customer-facing implications. A sanity-only check is sufficient. If build with test passes with latest OpenSSL, then the fix works as expected.

      c9s build: https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=2275158

      — Additional comment from Christian Heimes on 2023-05-30 12:22:46 UTC —

      The c9s build took a bit longer because there was an outage of the s390x builder.

      rhel-9-main build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=52966821

      — Additional comment from errata-xmlrpc on 2023-05-30 12:24:28 UTC —

      This bug has been added to advisory RHSA-2023:113182 by Christian Heimes (cheimes@redhat.com)

      — Additional comment from errata-xmlrpc on 2023-05-30 12:24:29 UTC —

      Bug report changed to ON_QA status by Errata System.
      A QE request has been submitted for advisory RHSA-2023:113182-03
      https://errata.devel.redhat.com/advisory/113182

      — Additional comment from errata-xmlrpc on 2023-05-30 12:24:40 UTC —

      This bug has been added to advisory RHSA-2023:113182 by Christian Heimes (cheimes@redhat.com)

      — Additional comment from anuja on 2023-06-28 12:51:41 UTC —

      — Additional comment from anuja on 2023-06-28 14:02:14 UTC —

      As per fix test will be marked as skipped.

      tests/hazmat/primitives/test_rsa.py::TestRSADecryption::test_decrypt_invalid_decrypt SKIPPED

      =========================== short test summary info ============================
      SKIPPED [1600] tests/hazmat/primitives/utils.py:501: Does not support counter location: middle_fixed
      SKIPPED [1] tests/utils.py:30: Requires OpenSSL without poly1305 support (<OpenSSLBackend(version: OpenSSL 3.0.7 1 Nov 2022, FIPS: False)>)
      SKIPPED [1] tests/utils.py:30: Requires backend without RSA OAEP label support (<OpenSSLBackend(version: OpenSSL 3.0.7 1 Nov 2022, FIPS: False)>)
      SKIPPED [1] tests/utils.py:30: Does not support PKCS1v1.5. (<OpenSSLBackend(version: OpenSSL 3.0.7 1 Nov 2022, FIPS: False)>)
      SKIPPED [1] tests/utils.py:30: Requires FIPS (<OpenSSLBackend(version: OpenSSL 3.0.7 1 Nov 2022, FIPS: False)>)
      SKIPPED [4] tests/hazmat/primitives/test_serialization.py:1919: Requires bcrypt module
      SKIPPED [1] tests/utils.py:30: Requires that bcrypt exists (<OpenSSLBackend(version: OpenSSL 3.0.7 1 Nov 2022, FIPS: False)>)
      SKIPPED [1] tests/utils.py:30: Requires backend support for ec.SECP192R1 (<OpenSSLBackend(version: OpenSSL 3.0.7 1 Nov 2022, FIPS: False)>)
      SKIPPED [1] tests/utils.py:30: Does not support SM4 ECB (<OpenSSLBackend(version: OpenSSL 3.0.7 1 Nov 2022, FIPS: False)>)
      SKIPPED [1] tests/utils.py:30: Does not support SM4 CBC (<OpenSSLBackend(version: OpenSSL 3.0.7 1 Nov 2022, FIPS: False)>)
      SKIPPED [1] tests/utils.py:30: Does not support SM4 OFB (<OpenSSLBackend(version: OpenSSL 3.0.7 1 Nov 2022, FIPS: False)>)
      SKIPPED [1] tests/utils.py:30: Does not support SM4 CFB (<OpenSSLBackend(version: OpenSSL 3.0.7 1 Nov 2022, FIPS: False)>)
      SKIPPED [1] tests/utils.py:30: Does not support SM4 CTR (<OpenSSLBackend(version: OpenSSL 3.0.7 1 Nov 2022, FIPS: False)>)
      SKIPPED [1] tests/utils.py:30: Requires OpenSSL without X25519 support (<OpenSSLBackend(version: OpenSSL 3.0.7 1 Nov 2022, FIPS: False)>)
      SKIPPED [1] tests/utils.py:30: Requires OpenSSL without X448 support (<OpenSSLBackend(version: OpenSSL 3.0.7 1 Nov 2022, FIPS: False)>)
      ===================== 1007 passed, 1617 skipped in 41.62s ======================

      Based on results marking bug as verified.

      — Additional comment from errata-xmlrpc on 2023-11-07 00:17:51 UTC —

      Bug report changed to RELEASE_PENDING status by Errata System.
      Advisory RHSA-2023:113182-05 has been changed to PUSH_READY status.
      https://errata.devel.redhat.com/advisory/113182

      — Additional comment from errata-xmlrpc on 2023-11-07 08:52:12 UTC —

      Since the problem described in this bug report should be
      resolved in a recent advisory, it has been closed with a
      resolution of ERRATA.

      For information on the advisory (Moderate: python-cryptography security update), and where to find the updated
      files, follow the link below.

      If the solution does not work for you, open a new bug report.

      https://access.redhat.com/errata/RHSA-2023:6615

              cheimes@redhat.com Christian Heimes
              toneata Teodor Oneata
              RH Bugzilla Integration RH Bugzilla Integration
              Anuja More Anuja More
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated:
                Resolved: