-
Notifications
You must be signed in to change notification settings - Fork 323
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[fix] Aimstack crashing on FIPS enabled servers. #3217
base: main
Are you sure you want to change the base?
Conversation
support for aim hashing library. Signed-off-by: Dushyant Behl <[email protected]>
Code is tested on both FIPS and non FIPS servers and below are the unit test results. On FIPS Server - Before -
After applying the patch
I noticed a few tests failing at the end but am not sure of what exactly is behind those and am looking into if ths was introduced by our patch as I have no way of testing this without our patch on FIPS servers. I am open to any suggestions or fixes related to the patch. |
Signed-off-by: Dushyant Behl <[email protected]>
I noticed that the test data was in a different order in case of different python versions hence added some changes to the test here 891cbd3 ..if you appreciate this as a separate PR please let me know and I am happy to move it separately. |
Hi @SGevorg @alberttorosyan @mihran113 a friendly bump. Can I request you to please review these changes. Thanks! |
This PR tries to solve the issue #3143.
Using Aim on a FIPS compatible server, RHEL 9 FIPS enabled server in our case results in error due to lack of flexibility in the FIPS compatible version of
blake2
hash algorithm used in aim currently.Post further investigation we found out that on our FIPS servers the
hashlib
library usedopenssl
version of the constructors forblake2
which doesn't providedigest_size
argument which is used in Aim to customize the size of hash digest to8 bytes
.In this patch we introduce use of a FIPS compatible hashing algorithm
shake_256
which supports variable lengths digests and is available in FIPS mode under the SHA3 algorithms.Currently the code is written to keep using
blake2
in normal execution mode but if FIPS mode is detected it switches toshake_256
.