[ci-fix] Needs review: apply KMAC key-size requirements on SymCrypt-OpenSSL (refs #129939)#130594
Closed
github-actions[bot] wants to merge 2 commits into
Closed
[ci-fix] Needs review: apply KMAC key-size requirements on SymCrypt-OpenSSL (refs #129939)#130594github-actions[bot] wants to merge 2 commits into
github-actions[bot] wants to merge 2 commits into
Conversation
…129939) SymCrypt-OpenSSL enforces a minimum KMAC key length, but the test driver excluded it from PlatformKeySizeRequirements, leaving MinimalKey empty and causing 'invalid key length' failures in the KMAC known-answer tests. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
Author
There was a problem hiding this comment.
Threat detection produced a warning for this pull request output.
These changes need to be scrutinized before merge and only merged after a careful manual review.
- Detection reason:
parse_error - Review workflow run logs: https://github.com/dotnet/runtime/actions/runs/29216952409
Contributor
|
Tagging subscribers to this area: @bartonjs, @vcsjones, @dotnet/area-system-security |
Member
|
This is not the right fix and we need to understand what is going on before proceeding. The issue is assigned to me as I intend to address this after investigating the AZL configuration. |
This was referenced Jul 14, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Caution
agentic threat detected
Threat detection flagged this output in warn mode. Manual review is REQUIRED before any follow-up automation.
Details
The threat detection results could not be parsed.
Review the workflow run logs for details.
Workflow artifact: ci-fix
Artifact kind: help
Linked KBE: #129939
Root cause
On CI legs where OpenSSL is backed by SymCrypt (
PlatformDetection.IsSymCryptOpenSsl, e.g. AzureLinux 3), the KMAC known-answer tests fail with an invalid key length error rather than a codegen/PGO miscompile. Insrc/libraries/System.Security.Cryptography/tests/KmacTestDriver.cs:The
&& !PlatformDetection.IsSymCryptOpenSslexclusion assumes SymCrypt-OpenSSL imposes no minimum KMAC key length. It does enforce one, soPlatformKeySizeRequirementsisnullthere,MinimalKeycollapses toArray.Empty<byte>(), and every positive test that keys withMinimalKeyis rejected for being too short.This diagnosis was confirmed by
@AndyAyersMSon the KBE: this is a real test bug on SymCrypt-OpenSSL boxes, not a PGO codegen problem.Candidate change (needs review)
Drop the
!IsSymCryptOpenSslexclusion so SymCrypt-OpenSSL carries the sameKeySizes(4, 512, 1)requirement, giving a non-emptyMinimalKey:This is a test-only, non-muting change (no
[ActiveIssue], skip, or exclusion).What is unverified
System.Security.Cryptographytest build plus execution on a SymCrypt-OpenSSL box exceeds this environment's budget, and SymCrypt-OpenSSL boxes are not available here.CryptographicException_Allocated_KeySize/CryptographicException_OneShot_KeySizetests (they assert aMaxSize + 1key throws). If SymCrypt-OpenSSL does not reject keys above 512, those negative tests could fail and the max bound needs adjusting. The minimum (4) is the part directly responsible for the reported failure.Help wanted
Could a Security-area owner confirm the SymCrypt-OpenSSL KMAC min/max key-length bounds and validate on an affected leg?
Suggested reviewers / area contacts
@bartonjs,@vcsjones—area-System.Security@dotnet/area-system-security@AndyAyersMSfor the root-cause diagnosis on the KBE.Note
This pull request was generated by an AI agent (GitHub Copilot) and should be reviewed by a human before merging.