From e091b9f20fa8e409003af79f3c468b8225e6dcd3 Mon Sep 17 00:00:00 2001 From: Victor Stinner Date: Thu, 14 Sep 2023 23:24:11 +0200 Subject: [PATCH] gh-109396: Fix test_socket.test_hmac_sha1() in FIPS mode (#109423) Use a longer key: FIPS mode requires at least of at least 112 bits. The previous key was only 32 bits. --- Lib/test/test_socket.py | 10 +++++++--- .../2023-09-14-22-58-47.gh-issue-109396.J1a4jR.rst | 3 +++ 2 files changed, 10 insertions(+), 3 deletions(-) create mode 100644 Misc/NEWS.d/next/Tests/2023-09-14-22-58-47.gh-issue-109396.J1a4jR.rst diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py index f35618e0281e70..99c4c5cbc4902d 100644 --- a/Lib/test/test_socket.py +++ b/Lib/test/test_socket.py @@ -6474,12 +6474,16 @@ def test_sha256(self): self.assertEqual(op.recv(512), expected) def test_hmac_sha1(self): - expected = bytes.fromhex("effcdf6ae5eb2fa2d27416d5f184df9c259a7c79") + # gh-109396: In FIPS mode, Linux 6.5 requires a key + # of at least 112 bits. Use a key of 152 bits. + key = b"Python loves AF_ALG" + data = b"what do ya want for nothing?" + expected = bytes.fromhex("193dbb43c6297b47ea6277ec0ce67119a3f3aa66") with self.create_alg('hash', 'hmac(sha1)') as algo: - algo.setsockopt(socket.SOL_ALG, socket.ALG_SET_KEY, b"Jefe") + algo.setsockopt(socket.SOL_ALG, socket.ALG_SET_KEY, key) op, _ = algo.accept() with op: - op.sendall(b"what do ya want for nothing?") + op.sendall(data) self.assertEqual(op.recv(512), expected) # Although it should work with 3.19 and newer the test blocks on diff --git a/Misc/NEWS.d/next/Tests/2023-09-14-22-58-47.gh-issue-109396.J1a4jR.rst b/Misc/NEWS.d/next/Tests/2023-09-14-22-58-47.gh-issue-109396.J1a4jR.rst new file mode 100644 index 00000000000000..71150ecae76434 --- /dev/null +++ b/Misc/NEWS.d/next/Tests/2023-09-14-22-58-47.gh-issue-109396.J1a4jR.rst @@ -0,0 +1,3 @@ +Fix ``test_socket.test_hmac_sha1()`` in FIPS mode. Use a longer key: FIPS +mode requires at least of at least 112 bits. The previous key was only 32 +bits. Patch by Victor Stinner.