Fixed DH tests for latest CentOS FIPS OpenSSL (#5604)

* Fixed DH tests for latest CentOS FIPS OpenSSL (1.1.1g)
2026-05-14 20:37:55 +00:00 · 2020-12-08 16:45:30 -05:00 · 2020-12-08 16:45:30 -05:00 · b5278c9085
commit b5278c9085
parent 6693d55cbe
4 changed files with 32 additions and 14 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -88,7 +88,7 @@ jobs:
        IMAGE:
          - {IMAGE: "pyca/cryptography-runner-centos8", TOXENV: "py27"}
          - {IMAGE: "pyca/cryptography-runner-centos8", TOXENV: "py36"}
-          - {IMAGE: "pyca/cryptography-runner-centos8-fips", TOXENV: "py36", ENV: "OPENSSL_FORCE_FIPS_MODE=1"}
+          - {IMAGE: "pyca/cryptography-runner-centos8-fips", TOXENV: "py36", FIPS: true}
          - {IMAGE: "pyca/cryptography-runner-stretch", TOXENV: "py27"}
          - {IMAGE: "pyca/cryptography-runner-buster", TOXENV: "py37"}
          - {IMAGE: "pyca/cryptography-runner-bullseye", TOXENV: "py38"}
@ -100,20 +100,20 @@ jobs:
          - {IMAGE: "pyca/cryptography-runner-ubuntu-rolling", TOXENV: "py38-randomorder"}
          - {IMAGE: "pyca/cryptography-runner-fedora", TOXENV: "py39"}
          - {IMAGE: "pyca/cryptography-runner-alpine", TOXENV: "py38"}
-    name: "tox -e ${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }} ${{ matrix.IMAGE.ENV }}"
+    name: "tox -e ${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }}"
    steps:
      - uses: actions/checkout@v2
      - run: 'git clone --depth=1 https://github.com/google/wycheproof "$HOME/wycheproof"'
-      - run: 'echo "$ENV_VAR" >> $GITHUB_ENV'
-        if: matrix.IMAGE.ENV
-        env:
-          ENV_VAR: ${{ matrix.IMAGE.ENV }}
+      - run: |
+          echo "OPENSSL_FORCE_FIPS_MODE=1" >> $GITHUB_ENV
+          echo "CFLAGS=-DUSE_OSRANDOM_RNG_FOR_TESTING" >> $GITHUB_ENV
+        if: matrix.IMAGE.FIPS
      - run: 'tox -- --wycheproof-root="$HOME/wycheproof"'
        env:
          TOXENV: ${{ matrix.IMAGE.TOXENV }}
      - uses: ./.github/actions/upload-coverage
        with:
-          name: "tox -e ${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }} ${{ matrix.IMAGE.ENV }}"
+          name: "tox -e ${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }}"

  macos:
    runs-on: macos-latest
--- a/tests/hazmat/primitives/test_dh.py
+++ b/tests/hazmat/primitives/test_dh.py
@ -151,6 +151,7 @@ class TestDH(object):
        with pytest.raises(ValueError):
            dh.generate_parameters(7, 512, backend)

+    @pytest.mark.skip_fips(reason="non-FIPS parameters")
    def test_dh_parameters_supported(self, backend):
        valid_p = int(
            b"907c7211ae61aaaba1825ff53b6cb71ac6df9f1a424c033f4a0a41ac42fad3a9"
@ -171,6 +172,12 @@ class TestDH(object):
    )
    def test_dh_parameters_allows_rfc3526_groups(self, backend, vector):
        p = int_from_bytes(binascii.unhexlify(vector["p"]), "big")
+        if (
+            backend._fips_enabled
+            and p.bit_length() < backend._fips_dh_min_modulus
+        ):
+            pytest.skip("modulus too small for FIPS mode")
+
        params = dh.DHParameterNumbers(p, int(vector["g"]))
        param = params.parameters(backend)
        key = param.generate_private_key()
@ -180,6 +187,7 @@ class TestDH(object):
        roundtripped_key = key.private_numbers().private_key(backend)
        assert key.private_numbers() == roundtripped_key.private_numbers()

+    @pytest.mark.skip_fips(reason="non-FIPS parameters")
    @pytest.mark.parametrize(
        "vector",
        load_vectors_from_file(
@ -227,6 +235,7 @@ class TestDH(object):
            deserialized_private, dh.DHPrivateKeyWithSerialization
        )

+    @pytest.mark.skip_fips(reason="FIPS requires specific parameters")
    def test_numbers_unsupported_parameters(self, backend):
        # p is set to P_1536 + 1 because when calling private_key we want it to
        # fail the DH_check call OpenSSL does, but we specifically want it to
@ -415,6 +424,7 @@ class TestDH(object):

        assert int_from_bytes(symkey, "big") == int(vector["k"], 16)

+    @pytest.mark.skip_fips(reason="non-FIPS parameters")
    @pytest.mark.parametrize(
        "vector",
        load_vectors_from_file(
@ -477,6 +487,7 @@ class TestDHPrivateKeySerialization(object):
        with pytest.raises(ValueError):
            key.private_bytes(encoding, fmt, serialization.NoEncryption())

+    @pytest.mark.skip_fips(reason="non-FIPS parameters")
    @pytest.mark.parametrize(
        ("key_path", "loader_func", "encoding", "is_dhx"),
        [
@ -521,6 +532,7 @@ class TestDHPrivateKeySerialization(object):
        )
        assert serialized == key_bytes

+    @pytest.mark.skip_fips(reason="non-FIPS parameters")
    @pytest.mark.parametrize(
        ("key_path", "loader_func", "vec_path", "is_dhx"),
        [
--- a/tests/hazmat/primitives/test_serialization.py
+++ b/tests/hazmat/primitives/test_serialization.py
@ -1757,6 +1757,7 @@ class TestEd448Serialization(object):
 class TestDHSerialization(object):
    """Test all options with least-supported key type."""

+    @pytest.mark.skip_fips(reason="non-FIPS parameters")
    def test_dh_public_key(self, backend):
        data = load_vectors_from_file(
            os.path.join("asymmetric", "DH", "dhkey.pem"),
@ -1788,6 +1789,7 @@ class TestDHSerialization(object):
                with pytest.raises(ValueError):
                    public_key.public_bytes(enc, fmt)

+    @pytest.mark.skip_fips(reason="non-FIPS parameters")
    def test_dh_private_key(self, backend):
        data = load_vectors_from_file(
            os.path.join("asymmetric", "DH", "dhkey.pem"),
--- a/tests/x509/test_x509.py
+++ b/tests/x509/test_x509.py
@ -41,6 +41,7 @@ from cryptography.hazmat.backends.interfaces import (
 )
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import (
+    dh,
    dsa,
    ec,
    ed25519,
@ -51,6 +52,7 @@ from cryptography.hazmat.primitives.asymmetric import (
 from cryptography.hazmat.primitives.asymmetric.utils import (
    decode_dss_signature,
 )
+from cryptography.utils import int_from_bytes
 from cryptography.x509.name import _ASN1Type
 from cryptography.x509.oid import (
    AuthorityInformationAccessOID,
@ -65,7 +67,7 @@ from ..hazmat.primitives.fixtures_dsa import DSA_KEY_2048
 from ..hazmat.primitives.fixtures_ec import EC_KEY_SECP256R1
 from ..hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
 from ..hazmat.primitives.test_ec import _skip_curve_unsupported
-from ..utils import load_vectors_from_file
+from ..utils import load_nist_vectors, load_vectors_from_file


@utils.register_interface(x509.ExtensionType)
@ -5237,12 +5239,14 @@ class TestSignatureRejection(object):
    """Test if signing rejects DH keys properly."""

    def load_key(self, backend):
-        data = load_vectors_from_file(
-            os.path.join("asymmetric", "DH", "dhkey.pem"),
-            lambda pemfile: pemfile.read(),
-            mode="rb",
-        )
-        return serialization.load_pem_private_key(data, None, backend)
+        vector = load_vectors_from_file(
+            os.path.join("asymmetric", "DH", "rfc3526.txt"),
+            load_nist_vectors,
+        )[1]
+        p = int_from_bytes(binascii.unhexlify(vector["p"]), "big")
+        params = dh.DHParameterNumbers(p, int(vector["g"]))
+        param = params.parameters(backend)
+        return param.generate_private_key()

    def test_crt_signing_check(self, backend):
        issuer_private_key = self.load_key(backend)