Public bug reported:

Hello! When one enables FIPS mode on a Jammy system and then attempts to
use paramiko in Python, the module crashes with the following output:

---
    root@jipster:~# cat /proc/sys/crypto/fips_enabled 
    1
    root@jipster:~# python3
    Python 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] on linux
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import paramiko
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "/usr/lib/python3/dist-packages/paramiko/__init__.py", line 22, in <module>
        from paramiko.transport import SecurityOptions, Transport
      File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 133, in <module>
        class Transport(threading.Thread, ClosingContextManager):
      File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 208, in Transport
        if KexCurve25519.is_available():
      File "/usr/lib/python3/dist-packages/paramiko/kex_curve25519.py", line 30, in is_available
        X25519PrivateKey.generate()
      File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/x25519.py", line 46, in generate
        return backend.x25519_generate_key()
      File "/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/backend.py", line 2317, in x25519_generate_key
        evp_pkey = self._evp_pkey_keygen_gc(self._lib.NID_X25519)
      File "/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/backend.py", line 2305, in _evp_pkey_keygen_gc
        self.openssl_assert(evp_pkey_ctx != self._ffi.NULL)
      File "/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/backend.py", line 242, in openssl_assert
        return binding._openssl_assert(self._lib, ok, errors=errors)
      File "/usr/lib/python3/dist-packages/cryptography/hazmat/bindings/openssl/binding.py", line 77, in _openssl_assert
        raise InternalError(
    cryptography.exceptions.InternalError: Unknown OpenSSL error. This error is commonly encountered when another library is not cleaning up the OpenSSL error stack. If you are using cryptography with another library that uses OpenSSL try disabling it before reporting a bug. Otherwise please file an issue at https://github.com/pyca/cryptography/issues with information on how to reproduce this. ([_OpenSSLErrorWithText(code=50856204, lib=6, reason=524556, reason_text=b'error:0308010C:digital envelope routines::unsupported')])
---

In the above trace, it appears to be attempting to generate an X25519
key, which isn't an acceptable algorithm under FIPS 140-3 and thus fails to
work.

1. root@jipster:~# lsb_release -rd
Description:    Ubuntu 22.04.4 LTS
Release:        22.04

2. root@jipster:~# apt-cache policy python3-paramiko
python3-paramiko:
  Installed: 2.9.3-0ubuntu1.2
  Candidate: 2.9.3-0ubuntu1.2

3. Expect that one can import the paramiko module successfully for use
4. Module crashes when (presumably) it attempts to use disallowed alg

** Affects: paramiko (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2072974

Title:
  python3-paramiko is unusable on Jammy in FIPS mode

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/paramiko/+bug/2072974/+subscriptions
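Added example (not paramiko's or pyca/cryptography's own code) of a FIPS-tolerant availability probe for the key-exchange check seen in the traceback: `UnsupportedAlgorithm` is the documented "not available" signal, but FIPS-mode OpenSSL 3 surfaces the refused X25519 keygen as an `InternalError` carrying the reason `digital envelope routines::unsupported`, so a probe that catches only the former crashes at import time. The function names, the callable-probe interface and the constructed `SAMPLE_FIPS_ERROR` string (copied from the traceback above) are assumptions of this example.

```python
import re
from typing import Callable, Dict, List

try:  # use cryptography's real exception types when it is installed
    from cryptography.exceptions import InternalError, UnsupportedAlgorithm
except ImportError:  # stand-ins so the example also runs without cryptography
    class UnsupportedAlgorithm(Exception):
        pass

    class InternalError(Exception):
        def __init__(self, msg, err_code):
            super().__init__(msg)
            self.err_code = err_code

# Reason text OpenSSL 3 reports for an algorithm the FIPS provider refuses (from the traceback above).
_FIPS_UNSUPPORTED = re.compile(r"digital envelope routines::unsupported")

# Constructed copy of the report's error message, used to simulate the failing
# X25519PrivateKey.generate() call without a FIPS-mode OpenSSL at hand.
SAMPLE_FIPS_ERROR = ("Unknown OpenSSL error. ([_OpenSSLErrorWithText(code=50856204, "
                     "lib=6, reason=524556, reason_text=b'error:0308010C:digital "
                     "envelope routines::unsupported')])")

def kex_available(generate: Callable[[], object]) -> bool:
    """Report whether `generate` (e.g. X25519PrivateKey.generate) works here.

    UnsupportedAlgorithm is the documented signal; an InternalError carrying
    OpenSSL's 'unsupported' reason is what FIPS mode raises. Anything else is
    a genuine bug and is re-raised.
    """
    try:
        generate()
    except UnsupportedAlgorithm:
        return False
    except InternalError as exc:
        if _FIPS_UNSUPPORTED.search(str(exc)):
            return False
        raise
    return True

def raising(exc: Exception) -> Callable[[], object]:
    """Build a probe callable that raises `exc` (simulates a refused algorithm)."""
    def probe():
        raise exc
    return probe

def select_kex(preferred: List[str], probes: Dict[str, Callable[[], object]]) -> List[str]:
    """Keep only the preference-ordered kex names whose probe works on this host."""
    return [name for name in preferred if kex_available(probes[name])]
```

Wiring the real `X25519PrivateKey.generate` in as the probe for `curve25519-sha256` lets a caller drop that method on a FIPS host and continue with the remaining, approved key-exchange methods instead of failing at import.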


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
