** Description changed:

  Hello! When one enables FIPS mode on a Jammy system and then attempts to
  use paramiko in Python, the module crashes with the following output:
  
  ---
-     root@jipster:~# cat /proc/sys/crypto/fips_enabled 
-     1
-     root@jipster:~# python3
-     Python 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] on linux
-     Type "help", "copyright", "credits" or "license" for more information.
-     >>> import paramiko
-     Traceback (most recent call last):
-       File "<stdin>", line 1, in <module>
-       File "/usr/lib/python3/dist-packages/paramiko/__init__.py", line 22, in 
<module>
-         from paramiko.transport import SecurityOptions, Transport
-       File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 133, 
in <module>
-         class Transport(threading.Thread, ClosingContextManager):
-       File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 208, 
in Transport
-         if KexCurve25519.is_available():
-       File "/usr/lib/python3/dist-packages/paramiko/kex_curve25519.py", line 
30, in is_available
-         X25519PrivateKey.generate()
-       File 
"/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/x25519.py",
 line 46, in generate
-         return backend.x25519_generate_key()
-       File 
"/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/backend.py",
 line 2317, in x25519_generate_key
-         evp_pkey = self._evp_pkey_keygen_gc(self._lib.NID_X25519)
-       File 
"/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/backend.py",
 line 2305, in _evp_pkey_keygen_gc
-         self.openssl_assert(evp_pkey_ctx != self._ffi.NULL)
-       File 
"/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/backend.py",
 line 242, in openssl_assert
-         return binding._openssl_assert(self._lib, ok, errors=errors)
-       File 
"/usr/lib/python3/dist-packages/cryptography/hazmat/bindings/openssl/binding.py",
 line 77, in _openssl_assert
-         raise InternalError(
-     cryptography.exceptions.InternalError: Unknown OpenSSL error. This error 
is commonly encountered when another library is not cleaning up the OpenSSL 
error stack. If you are using cryptography with another library that uses 
OpenSSL try disabling it before reporting a bug. Otherwise please file an issue 
at https://github.com/pyca/cryptography/issues with information on how to 
reproduce this. ([_OpenSSLErrorWithText(code=50856204, lib=6, reason=524556, 
reason_text=b'error:0308010C:digital envelope routines::unsupported')])
+     root@jipster:~# cat /proc/sys/crypto/fips_enabled
+     1
+     root@jipster:~# python3
+     Python 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] on linux
+     Type "help", "copyright", "credits" or "license" for more information.
+     >>> import paramiko
+     Traceback (most recent call last):
+       File "<stdin>", line 1, in <module>
+       File "/usr/lib/python3/dist-packages/paramiko/__init__.py", line 22, in 
<module>
+         from paramiko.transport import SecurityOptions, Transport
+       File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 133, 
in <module>
+         class Transport(threading.Thread, ClosingContextManager):
+       File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 208, 
in Transport
+         if KexCurve25519.is_available():
+       File "/usr/lib/python3/dist-packages/paramiko/kex_curve25519.py", line 
30, in is_available
+         X25519PrivateKey.generate()
+       File 
"/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/x25519.py",
 line 46, in generate
+         return backend.x25519_generate_key()
+       File 
"/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/backend.py",
 line 2317, in x25519_generate_key
+         evp_pkey = self._evp_pkey_keygen_gc(self._lib.NID_X25519)
+       File 
"/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/backend.py",
 line 2305, in _evp_pkey_keygen_gc
+         self.openssl_assert(evp_pkey_ctx != self._ffi.NULL)
+       File 
"/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/backend.py",
 line 242, in openssl_assert
+         return binding._openssl_assert(self._lib, ok, errors=errors)
+       File 
"/usr/lib/python3/dist-packages/cryptography/hazmat/bindings/openssl/binding.py",
 line 77, in _openssl_assert
+         raise InternalError(
+     cryptography.exceptions.InternalError: Unknown OpenSSL error. This error 
is commonly encountered when another library is not cleaning up the OpenSSL 
error stack. If you are using cryptography with another library that uses 
OpenSSL try disabling it before reporting a bug. Otherwise please file an issue 
at https://github.com/pyca/cryptography/issues with information on how to 
reproduce this. ([_OpenSSLErrorWithText(code=50856204, lib=6, reason=524556, 
reason_text=b'error:0308010C:digital envelope routines::unsupported')])
  ---
  
  In the above trace, it appears to be attempting to generate an x25519
  key, which isn't an acceptable alg's in FIPS 140-3 and thus fails to
  work.
  
  1. root@jipster:~# lsb_release -rd
  Description:  Ubuntu 22.04.4 LTS
  Release:      22.04
  
  2. root@jipster:~# apt-cache policy python3-paramiko
  python3-paramiko:
-   Installed: 2.9.3-0ubuntu1.2
-   Candidate: 2.9.3-0ubuntu1.2
+   Installed: 2.9.3-0ubuntu1.2
+   Candidate: 2.9.3-0ubuntu1.2
  
  3. Expect that one can import the paramiko module successfully for use
  4. Module crashes when (presumably) it attempts to use disallowed alg

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2072974

Title:
  python3-paramiko is unusable on Jammy in FIPS mode

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/paramiko/+bug/2072974/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
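The trace above shows paramiko's `KexCurve25519.is_available()` probing X25519 by generating a key and letting the backend's `InternalError` escape, so the import itself dies under the OpenSSL FIPS provider. As an added example (not code from the bug report, from paramiko or from pyca/cryptography), the following shows the defensive shape such a probe should have, plus a filter that drops curve25519 key exchange from an SSH KEX preference list when the probe fails; the function names `kernel_fips_enabled`, `x25519_available` and `fips_safe_kex` and the sample KEX list are this example's own, and the KEX identifiers are the standard SSH names.

```python
"""Added example: FIPS-safe X25519 availability probe and KEX list filter.
Not from the bug report or paramiko; names and sample data are constructed."""

FIPS_FLAG = "/proc/sys/crypto/fips_enabled"   # kernel flag read in the report


def kernel_fips_enabled(path=FIPS_FLAG):
    """True when the kernel reports FIPS mode (the file contains '1')."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:          # absent on non-Linux or non-FIPS kernels
        return False


def x25519_available(generate=None):
    """Mirror the intent of paramiko's KexCurve25519.is_available(), but treat
    *any* failure of key generation (the InternalError in the trace) as
    'unavailable' instead of crashing at import time.

    `generate` is injectable for testing; by default it is
    X25519PrivateKey.generate from pyca/cryptography."""
    if generate is None:
        try:
            from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey
        except ImportError:  # cryptography not installed: clearly unavailable
            return False
        generate = X25519PrivateKey.generate
    try:
        generate()
    except Exception:        # InternalError / UnsupportedAlgorithm under FIPS
        return False
    return True


# SSH KEX names that depend on X25519 (RFC 8731 and the libssh.org alias).
CURVE25519_KEX = ("curve25519-sha256", "curve25519-sha256@libssh.org")


def fips_safe_kex(preferred_kex, available=x25519_available):
    """Return the KEX preference list with curve25519 entries removed when
    X25519 is not usable, preserving the original order otherwise."""
    if available():
        return list(preferred_kex)
    return [k for k in preferred_kex if k not in CURVE25519_KEX]
```

On a FIPS-enabled Jammy host the default probe returns False rather than raising, and `fips_safe_kex` leaves only the ECDH P-curve and DH-group entries, which is the list a FIPS-constrained client should offer.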
