]> git.ipfire.org Git - thirdparty/Python/cpython.git/commitdiff
projects / thirdparty / Python / cpython.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 850189a)
[3.10] gh-109396: Fix test_socket.test_hmac_sha1() in FIPS mode (GH-109423) (#125106)
authorMiss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Tue, 22 Oct 2024 11:10:53 +0000 (13:10 +0200)
committerGitHub <noreply@github.com>
Tue, 22 Oct 2024 11:10:53 +0000 (12:10 +0100)
[3.11] gh-109396: Fix test_socket.test_hmac_sha1() in FIPS mode (GH-109423) (GH-109427)

gh-109396: Fix test_socket.test_hmac_sha1() in FIPS mode (GH-109423)

Use a longer key: FIPS mode requires at least of at least 112 bits.
The previous key was only 32 bits.
(cherry picked from commit e091b9f20fa8e409003af79f3c468b8225e6dcd3)

(cherry picked from commit f7bfac4b3dd30920f97a542fd78c355ce62aa267)

Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Lib/test/test_socket.py patch | blob | blame | history
Misc/NEWS.d/next/Tests/2023-09-14-22-58-47.gh-issue-109396.J1a4jR.rst [new file with mode: 0644] patch | blob

diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py
index 4c8f55d3e1352b2098bd03605b104bbae375dc77..0050298b4164951c31119ff04857ebc6f624f0c1 100644 (file)
--- a/Lib/test/test_socket.py
+++ b/Lib/test/test_socket.py
@@ -6409,12 +6409,16 @@ class LinuxKernelCryptoAPI(unittest.TestCase):
                 self.assertEqual(op.recv(512), expected)
 
     def test_hmac_sha1(self):
-        expected = bytes.fromhex("effcdf6ae5eb2fa2d27416d5f184df9c259a7c79")
+        # gh-109396: In FIPS mode, Linux 6.5 requires a key
+        # of at least 112 bits. Use a key of 152 bits.
+        key = b"Python loves AF_ALG"
+        data = b"what do ya want for nothing?"
+        expected = bytes.fromhex("193dbb43c6297b47ea6277ec0ce67119a3f3aa66")
         with self.create_alg('hash', 'hmac(sha1)') as algo:
-            algo.setsockopt(socket.SOL_ALG, socket.ALG_SET_KEY, b"Jefe")
+            algo.setsockopt(socket.SOL_ALG, socket.ALG_SET_KEY, key)
             op, _ = algo.accept()
             with op:
-                op.sendall(b"what do ya want for nothing?")
+                op.sendall(data)
                 self.assertEqual(op.recv(512), expected)
 
     # Although it should work with 3.19 and newer the test blocks on
diff --git a/Misc/NEWS.d/next/Tests/2023-09-14-22-58-47.gh-issue-109396.J1a4jR.rst b/Misc/NEWS.d/next/Tests/2023-09-14-22-58-47.gh-issue-109396.J1a4jR.rst
new file mode 100644 (file)
index 0000000..71150ec
--- /dev/null
+++ b/Misc/NEWS.d/next/Tests/2023-09-14-22-58-47.gh-issue-109396.J1a4jR.rst
@@ -0,0 +1,3 @@
+Fix ``test_socket.test_hmac_sha1()`` in FIPS mode. Use a longer key: FIPS
+mode requires at least of at least 112 bits. The previous key was only 32
+bits. Patch by Victor Stinner.
Mirror of https://github.com/python/cpython.git