[Pkg-openssl-devel] Bug#940547: python-cryptography: Testsuite fails with OpenSSL 1.1.1d

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Tue Sep 17 07:32:28 BST 2019 

Package: python-cryptography
Version: 2.6.1-3
Severity: serious

The upload of latest openssl 1.1.1d triggert three testsuite failures in
python-cryptography [0]

- _________________ test_buffer_protocol_alternate_modes[mode5] __________________

|mode = <cryptography.hazmat.primitives.ciphers.modes.XTS object at 0x7f0c8ceaba50>
|backend = <cryptography.hazmat.backends.openssl.backend.Backend object at 0x7f0c95a29cd0>
|
|    @pytest.mark.parametrize(
|        "mode",
|        [
|            modes.CBC(bytearray(b"\x00" * 16)),
|            modes.CTR(bytearray(b"\x00" * 16)),
|            modes.OFB(bytearray(b"\x00" * 16)),
|            modes.CFB(bytearray(b"\x00" * 16)),
|            modes.CFB8(bytearray(b"\x00" * 16)),
|            modes.XTS(bytearray(b"\x00" * 16)),
|        ]
|    )
|    @pytest.mark.requires_backend_interface(interface=CipherBackend)
|    def test_buffer_protocol_alternate_modes(mode, backend):
|        data = bytearray(b"sixteen_byte_msg")
|        cipher = base.Cipher(
|            algorithms.AES(bytearray(b"\x00" * 32)), mode, backend
|        )
|>       enc = cipher.encryptor()
|
|tests/hazmat/primitives/test_aes.py:495: 
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
|/usr/lib/python2.7/dist-packages/cryptography/hazmat/primitives/ciphers/base.py:121: in encryptor
|    self.algorithm, self.mode
|/usr/lib/python2.7/dist-packages/cryptography/hazmat/backends/openssl/backend.py:295: in create_symmetric_encryption_ctx
|    return _CipherContext(self, cipher, mode, _CipherContext._ENCRYPT)
|/usr/lib/python2.7/dist-packages/cryptography/hazmat/backends/openssl/ciphers.py:116: in __init__
|    self._backend.openssl_assert(res != 0)
|/usr/lib/python2.7/dist-packages/cryptography/hazmat/backends/openssl/backend.py:125: in openssl_assert
|    return binding._openssl_assert(self._lib, ok)

This is due to commit 2a5f63c9a61be ("Allow AES XTS decryption using duplicate
keys.").
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2a5f63c9a61be

- _____________________ TestDH.test_dh_parameters_supported ______________________

|self = <tests.hazmat.primitives.test_dh.TestDH object at 0x7f0c65bbb3d0>
|backend = <cryptography.hazmat.backends.openssl.backend.Backend object at 0x7f0c95a29cd0>
|
|    def test_dh_parameters_supported(self, backend):
|        assert backend.dh_parameters_supported(23, 5)
|>       assert not backend.dh_parameters_supported(23, 18)
|E       assert not True
|E        +  where True = <bound method Backend.dh_parameters_supported of <cryptography.hazmat.backends.openssl.backend.Backend object at 0x7f0c95a29cd0>>(23, 18)
|E        +    where <bound method Backend.dh_parameters_supported of <cryptography.hazmat.backends.openssl.backend.Backend object at 0x7f0c95a29cd0>> = <cryptography.hazmat.backends.openssl.backend.Backend object at 0x7f0c95a29cd0>.dh_parameters_supported
|
|tests/hazmat/primitives/test_dh.py:161: AssertionError

This is due to commit ddd16c2fe988e ("Change DH parameters to generate the
order q subgroup instead of 2q").
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddd16c2fe988e

- _____________ TestECDSACertificate.test_load_ecdsa_no_named_curve ______________

|self = <tests.x509.test_x509.TestECDSACertificate object at 0x7f0c609e3590>
|backend = <cryptography.hazmat.backends.openssl.backend.Backend object at 0x7f0c95a29cd0>
|
|    def test_load_ecdsa_no_named_curve(self, backend):
|        _skip_curve_unsupported(backend, ec.SECP256R1())
|        cert = _load_cert(
|            os.path.join("x509", "custom", "ec_no_named_curve.pem"),
|            x509.load_pem_x509_certificate,
|            backend
|        )
|        with pytest.raises(NotImplementedError):
|>           cert.public_key()
|E           Failed: DID NOT RAISE <type 'exceptions.NotImplementedError'>
|
|tests/x509/test_x509.py:3722: Failed

This is due to commit 9a43a733801bd ("[ec] Match built-in curves on
EC_GROUP_new_from_ecparameters").
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a43a733801bd


The first two changes in OpenSSL have been made on purporse and I'm not
sure about the last one.
Could someone please comment?

[0] https://ci.debian.net/data/autopkgtest/testing/amd64/p/python-cryptography/2969575/log.gz

Sebastian

More information about the Pkg-openssl-devel mailing list