From 95e7c4731b797e96c27c97420039f2979fa48041 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Tue, 12 Nov 2019 10:56:08 +0100
Subject: [PATCH] FIPS: Don't active osrandom engine
Resolves: rhbz#1762667
---
 .../hazmat/backends/openssl/backend.py | 12 +--
 tests/hazmat/backends/test_openssl.py | 94 +------------------
 2 files changed, 6 insertions(+), 100 deletions(-)
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index af14bfaae..c0a02d10d 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -96,7 +96,7 @@ class Backend(object):
 self._cipher_registry = {}
 self._register_default_ciphers()
- self.activate_osrandom_engine()
+ # self.activate_osrandom_engine()
 self._dh_types = [self._lib.EVP_PKEY_DH]
 if self._lib.Cryptography_HAS_EVP_PKEY_DHX:
 self._dh_types.append(self._lib.EVP_PKEY_DHX)
@@ -136,14 +136,8 @@ class Backend(object):
 self.openssl_assert(res == 1)
 def activate_osrandom_engine(self):
- # Unregister and free the current engine.
- self.activate_builtin_random()
- with self._get_osurandom_engine() as e:
- # Set the engine as the default RAND provider.
- res = self._lib.ENGINE_set_default_RAND(e)
- self.openssl_assert(res == 1)
- # Reset the RNG to use the new engine.
- self._lib.RAND_cleanup()
+ # osrandom engine is not enabled for FIPS compliance
+ pass
 def osrandom_engine_implementation(self):
 buf = self._ffi.new("char[]", 64)
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index 31b34cd06..bcd26b615 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
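Review bot: In `backend.py`, `activate_osrandom_engine()` becomes a silent `pass` and the call in `__init__` is only commented out, so the engine is disabled on every host, not just those running in FIPS mode, and a caller that invokes the method explicitly gets no indication that OpenSSL's built-in RAND is still in use. The osrandom engine exists because OpenSSL's userspace RNG was historically not reseeded after `fork()`; whether the linked OpenSSL handles that itself is not visible in this patch and should be confirmed before relying on it. I would document the contract in the method, e.g. `"""No-op in this build: OpenSSL's default RAND method stays active for FIPS compliance."""`, and replace the dead line `# self.activate_osrandom_engine()` with a comment stating why the engine is not activated. Both `__init__` and the class body continue outside the hunks.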
@@ -171,63 +171,6 @@ class TestOpenSSL(object):
 class TestOpenSSLRandomEngine(object):
- def setup(self):
- # The default RAND engine is global and shared between
- # tests. We make sure that the default engine is osrandom
- # before we start each test and restore the global state to
- # that engine in teardown.
- current_default = backend._lib.ENGINE_get_default_RAND()
- name = backend._lib.ENGINE_get_name(current_default)
- assert name == backend._binding._osrandom_engine_name
-
- def teardown(self):
- # we need to reset state to being default. backend is a shared global
- # for all these tests.
- backend.activate_osrandom_engine()
- current_default = backend._lib.ENGINE_get_default_RAND()
- name = backend._lib.ENGINE_get_name(current_default)
- assert name == backend._binding._osrandom_engine_name
-
- @pytest.mark.skipif(sys.executable is None,
- reason="No Python interpreter available.")
- def test_osrandom_engine_is_default(self, tmpdir):
- engine_printer = textwrap.dedent(
- """
- import sys
- from cryptography.hazmat.backends.openssl.backend import backend
-
- e = backend._lib.ENGINE_get_default_RAND()
- name = backend._lib.ENGINE_get_name(e)
- sys.stdout.write(backend._ffi.string(name).decode('ascii'))
- res = backend._lib.ENGINE_free(e)
- assert res == 1
- """
- )
- engine_name = tmpdir.join('engine_name')
-
- # If we're running tests via ``python setup.py test`` in a clean
- # environment then all of our dependencies are going to be installed
- # into either the current directory or the .eggs directory. However the
- # subprocess won't know to activate these dependencies, so we'll get it
- # to do so by passing our entire sys.path into the subprocess via the
- # PYTHONPATH environment variable.
- env = os.environ.copy()
- env["PYTHONPATH"] = os.pathsep.join(sys.path)
-
- with engine_name.open('w') as out:
- subprocess.check_call(
- [sys.executable, "-c", engine_printer],
- env=env,
- stdout=out,
- stderr=subprocess.PIPE,
- )
-
- osrandom_engine_name = backend._ffi.string(
- backend._binding._osrandom_engine_name
- )
-
- assert engine_name.read().encode('ascii') == osrandom_engine_name
-
 def test_osrandom_sanity_check(self):
 # This test serves as a check against catastrophic failure.
 buf = backend._ffi.new("unsigned char[]", 500)
@@ -235,32 +178,14 @@ class TestOpenSSLRandomEngine(object):
 assert res == 1
 assert backend._ffi.buffer(buf)[:] != "\x00" * 500
- def test_activate_osrandom_no_default(self):
- backend.activate_builtin_random()
+ def test_osrandom_noop(self):
 e = backend._lib.ENGINE_get_default_RAND()
 assert e == backend._ffi.NULL
+ # noop
 backend.activate_osrandom_engine()
 e = backend._lib.ENGINE_get_default_RAND()
- name = backend._lib.ENGINE_get_name(e)
- assert name == backend._binding._osrandom_engine_name
- res = backend._lib.ENGINE_free(e)
- assert res == 1
-
- def test_activate_builtin_random(self):
- e = backend._lib.ENGINE_get_default_RAND()
- assert e != backend._ffi.NULL
- name = backend._lib.ENGINE_get_name(e)
- assert name == backend._binding._osrandom_engine_name
- res = backend._lib.ENGINE_free(e)
- assert res == 1
- backend.activate_builtin_random()
- e = backend._lib.ENGINE_get_default_RAND()
- assert e == backend._ffi.NULL
-
- def test_activate_builtin_random_already_active(self):
- backend.activate_builtin_random()
- e = backend._lib.ENGINE_get_default_RAND()
 assert e == backend._ffi.NULL
+ # noop
 backend.activate_builtin_random()
 e = backend._lib.ENGINE_get_default_RAND()
 assert e == backend._ffi.NULL
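Review bot: `test_osrandom_noop` opens with `assert e == backend._ffi.NULL` but never puts the backend into that state itself; with the `setup`/`teardown` pair removed in the previous hunk, the result depends on no other test in the process having installed a default RAND engine on the shared global backend. The test name and the two `# noop` comments also do not say what is being guaranteed. I would add a docstring such as `"""activate_osrandom_engine() and activate_builtin_random() must leave the default RAND engine unset."""` and, if test isolation matters more than checking the import-time default, call `backend.activate_builtin_random()` before the first assertion. The class continues outside the hunk.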
@@ -282,19 +207,6 @@ class TestOpenSSLRandomEngine(object):
 if sys.platform == 'win32':
 assert name == 'CryptGenRandom'
- def test_activate_osrandom_already_default(self):
- e = backend._lib.ENGINE_get_default_RAND()
- name = backend._lib.ENGINE_get_name(e)
- assert name == backend._binding._osrandom_engine_name
- res = backend._lib.ENGINE_free(e)
- assert res == 1
- backend.activate_osrandom_engine()
- e = backend._lib.ENGINE_get_default_RAND()
- name = backend._lib.ENGINE_get_name(e)
- assert name == backend._binding._osrandom_engine_name
- res = backend._lib.ENGINE_free(e)
- assert res == 1
-
 class TestOpenSSLRSA(object):
 def test_generate_rsa_parameters_supported(self):
--
2.23.0