Bug 1708353 - python-cryptography: FTBFS in Fedora rawhide
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: python-cryptography
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
Assignee: Jeremy Cline
QA Contact: Fedora Extras Quality Assurance
URL: http://apps.fedoraproject.org/koschei...
Whiteboard:
Depends On:
Blocks: F31FTBFS PYTHON38 1732841
Reported: 2019-05-09 16:59 UTC by Miro Hrončok
Modified: 2019-07-31 22:40 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-11 23:39:17 UTC
Type: Bug
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github pyca cryptography issues 4884 0 None None None 2019-05-10 11:17:41 UTC
Github pyca cryptography issues 4885 0 None None None 2019-05-10 16:56:48 UTC

Description Miro Hrončok 2019-05-09 16:59:32 UTC
Description of problem:
Package python-cryptography fails to build from source in Fedora rawhide.

Version-Release number of selected component (if applicable):
2.6.1-1.fc31

Steps to Reproduce:
koji build --scratch f31 python-cryptography-2.6.1-1.fc31.src.rpm

Additional info:
This package is tracked by Koschei. See:
http://apps.fedoraproject.org/koschei/package/python-cryptography

This blocks the Python 3.8 rebuild.

lib = <module 'lib' (built-in)>, ok = False
    def _openssl_assert(lib, ok):
        if not ok:
            errors = _consume_errors(lib)
            errors_with_text = []
            for err in errors:
                buf = ffi.new("char[]", 256)
                lib.ERR_error_string_n(err.code, buf, len(buf))
                err_text_reason = ffi.string(buf)
    
                errors_with_text.append(
                    _OpenSSLErrorWithText(
                        err.code, err.lib, err.func, err.reason, err_text_reason
                    )
                )
    
            raise InternalError(
                "Unknown OpenSSL error. This error is commonly encountered when "
                "another library is not cleaning up the OpenSSL error stack. If "
                "you are using cryptography with another library that uses "
                "OpenSSL try disabling it before reporting a bug. Otherwise "
                "please file an issue at https://github.com/pyca/cryptography/"
                "issues with information on how to reproduce "
                "this. ({0!r})".format(errors_with_text),
>               errors_with_text
            )
E           InternalError: Unknown OpenSSL error. This error is commonly encountered when another library is not cleaning up the OpenSSL error stack. If you are using cryptography with another library that uses OpenSSL try disabling it before reporting a bug. Otherwise please file an issue at https://github.com/pyca/cryptography/issues with information on how to reproduce this. ([])
src/cryptography/hazmat/bindings/openssl/binding.py:78: InternalError


The build started failing after this:

https://src.fedoraproject.org/rpms/openssl/c/1aaf4073e34a620385e878140b048aadd09c6a85?branch=master

Not sure if that is the direct cause.

Comment 1 Tomas Mraz 2019-05-10 06:03:58 UTC
(In reply to Miro Hrončok from comment #0)

> The build started failing after this:
> 
> https://src.fedoraproject.org/rpms/openssl/c/1aaf4073e34a620385e878140b048aadd09c6a85?branch=master
> 
> Not sure if that is the direct cause.

That does not seem to be the case to me. From Koschei it looks like it started after the update to openssl-1.1.1b-6.fc31, the next build. That one brought various changes from the upstream 1.1.1 branch; unfortunately it will be quite hard to isolate which particular change was exactly the cause. If there was an isolated test case, or if we knew what exact error is left on the error stack, it would definitely help with debugging the issue.

Comment 3 Tomas Mraz 2019-05-10 10:42:19 UTC
It would be super useful to see what the actual openssl error is.

Comment 4 Miro Hrončok 2019-05-10 10:52:29 UTC
I think that code is actually trying to report that back, but all it gets is an empty list from _consume_errors(lib).

Comment 5 Miro Hrončok 2019-05-10 10:55:39 UTC
Working on an upstream reproducer on a rawhide Docker image, so we can get their help.

Comment 6 Miro Hrončok 2019-05-10 11:17:41 UTC
https://github.com/pyca/cryptography/issues/4884

Comment 7 Miro Hrončok 2019-05-10 11:53:49 UTC
Upstream cryptography guesses that the crypto/evp/evp_enc.c changes in OpenSSL might be a good place to look into.

The Fedora commit says "apply new bugfixes from upstream 1.1.1 branch" - Tomáš, do you please at least have a list of bugs and their fixes? The patch is gigantic.

Comment 8 Miro Hrončok 2019-05-10 12:32:06 UTC
Note: This is one of the 2 major blockers for the Python 3.8 rebuild in a rawhide side tag that is planned after the 3.8.0 beta1 release (scheduled upstream for 2019-05-31).

Comment 9 Tomas Mraz 2019-05-10 12:44:25 UTC
This gigantic patch is basically all the relevant fixes from the current 1.1.1 upstream branch, i.e. not including fixes for Windows or other irrelevant targets.

I am just now building a new build that should hopefully fix the AES-CCM related regression.

Comment 10 Tomas Mraz 2019-05-10 12:45:04 UTC
The build is openssl-1.1.1b-9.fc31

Comment 11 Miro Hrončok 2019-05-10 12:51:47 UTC
Thanks.

https://koji.fedoraproject.org/koji/buildinfo?buildID=1266116

Comment 12 Miro Hrončok 2019-05-10 13:05:05 UTC
openssl-libs-1.1.1b-9.fc31 does not fix the issue.

Interesting comment: https://github.com/pyca/cryptography/issues/4884#issuecomment-491279382

Comment 13 Tomas Mraz 2019-05-10 14:55:51 UTC
The openssl-1.1.1b-10.fc31 fixes the C test sample issue for me. Not sure if it fully fixes the python-cryptography build though.

Comment 14 Miro Hrončok 2019-05-10 15:27:21 UTC
Most of them. One remains:

=================================== FAILURES ===================================
_________________ test_buffer_protocol_alternate_modes[mode5] __________________

mode = <cryptography.hazmat.primitives.ciphers.modes.XTS object at 0x7f6d75211690>
backend = <cryptography.hazmat.backends.openssl.backend.Backend object at 0x7f6d7efeb650>

    @pytest.mark.parametrize(
        "mode",
        [
            modes.CBC(bytearray(b"\x00" * 16)),
            modes.CTR(bytearray(b"\x00" * 16)),
            modes.OFB(bytearray(b"\x00" * 16)),
            modes.CFB(bytearray(b"\x00" * 16)),
            modes.CFB8(bytearray(b"\x00" * 16)),
            modes.XTS(bytearray(b"\x00" * 16)),
        ]
    )
    @pytest.mark.requires_backend_interface(interface=CipherBackend)
    def test_buffer_protocol_alternate_modes(mode, backend):
        data = bytearray(b"sixteen_byte_msg")
        cipher = base.Cipher(
            algorithms.AES(bytearray(b"\x00" * 32)), mode, backend
        )
>       enc = cipher.encryptor()

tests/hazmat/primitives/test_aes.py:495: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
src/cryptography/hazmat/primitives/ciphers/base.py:121: in encryptor
    self.algorithm, self.mode
src/cryptography/hazmat/backends/openssl/backend.py:295: in create_symmetric_encryption_ctx
    return _CipherContext(self, cipher, mode, _CipherContext._ENCRYPT)
src/cryptography/hazmat/backends/openssl/ciphers.py:116: in __init__
    self._backend.openssl_assert(res != 0)
src/cryptography/hazmat/backends/openssl/backend.py:125: in openssl_assert
    return binding._openssl_assert(self._lib, ok)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

lib = <module 'lib' (built-in)>, ok = False

    def _openssl_assert(lib, ok):
        if not ok:
            errors = _consume_errors(lib)
            errors_with_text = []
            for err in errors:
                buf = ffi.new("char[]", 256)
                lib.ERR_error_string_n(err.code, buf, len(buf))
                err_text_reason = ffi.string(buf)
    
                errors_with_text.append(
                    _OpenSSLErrorWithText(
                        err.code, err.lib, err.func, err.reason, err_text_reason
                    )
                )
    
            raise InternalError(
                "Unknown OpenSSL error. This error is commonly encountered when "
                "another library is not cleaning up the OpenSSL error stack. If "
                "you are using cryptography with another library that uses "
                "OpenSSL try disabling it before reporting a bug. Otherwise "
                "please file an issue at https://github.com/pyca/cryptography/"
                "issues with information on how to reproduce "
                "this. ({0!r})".format(errors_with_text),
>               errors_with_text
            )
E           InternalError: Unknown OpenSSL error. This error is commonly encountered when another library is not cleaning up the OpenSSL error stack. If you are using cryptography with another library that uses OpenSSL try disabling it before reporting a bug. Otherwise please file an issue at https://github.com/pyca/cryptography/issues with information on how to reproduce this. ([_OpenSSLErrorWithText(code=101617856L, lib=6, func=233, reason=192, reason_text='error:060E90C0:digital envelope routines:aesni_xts_init_key:xts duplicated keys')])

src/cryptography/hazmat/bindings/openssl/binding.py:78: InternalError
=========== 1 failed, 100943 passed, 6032 skipped in 323.44 seconds ============


But this one actually has the error.

Comment 15 Tomas Mraz 2019-05-10 16:11:07 UTC
Yes, this one is actually a real error in the py-cryptography test. It should not try AES-XTS with both halves of the key being the same.
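
Added example, not part of the bug report or of python-cryptography's code: a standard-library pre-check that catches the "xts duplicated keys" condition from comments 14 and 15 before a key reaches OpenSSL. The function names and the sample keys are hypothetical; the first sample mirrors the all-zero 32-byte key the failing test used.

```python
import hmac
import secrets

# An AES-XTS key is two AES keys concatenated: key1 || key2.
# 32 bytes -> AES-128-XTS, 64 bytes -> AES-256-XTS.
XTS_KEY_SIZES = (32, 64)


def xts_key_problem(key):
    """Return a reason string if `key` is unusable for AES-XTS, else None."""
    key = bytes(key)  # accept bytes, bytearray, memoryview
    if len(key) not in XTS_KEY_SIZES:
        return "bad length %d, expected one of %r" % (len(key), XTS_KEY_SIZES)
    half = len(key) // 2
    # Constant-time comparison so the check does not leak key bytes via timing.
    if hmac.compare_digest(key[:half], key[half:]):
        return "xts duplicated keys"
    return None


def generate_xts_key(size=64):
    """Generate a random XTS key whose two halves differ."""
    if size not in XTS_KEY_SIZES:
        raise ValueError("size must be one of %r" % (XTS_KEY_SIZES,))
    while True:
        key = secrets.token_bytes(size)
        if xts_key_problem(key) is None:
            return key


def audit_keys(named_keys):
    """Map each rejected key name to the reason it was rejected."""
    problems = {}
    for name, key in named_keys.items():
        reason = xts_key_problem(key)
        if reason is not None:
            problems[name] = reason
    return problems


# Constructed sample inputs; the first matches the key in the failing test.
SAMPLE_KEYS = {
    "test_aes_all_zero": bytearray(b"\x00" * 32),
    "distinct_halves": bytes(range(32)),
    "truncated": b"\x01" * 24,
}

if __name__ == "__main__":
    for name, reason in sorted(audit_keys(SAMPLE_KEYS).items()):
        print("%s: %s" % (name, reason))
```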

Comment 16 Miro Hrončok 2019-05-10 16:56:48 UTC
https://github.com/pyca/cryptography/issues/4885

