Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
P
python3.11
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Iterations
Wiki
Requirements
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Snippets
Locked files
Build
Pipelines
Jobs
Pipeline schedules
Test cases
Artifacts
Deploy
Releases
Package Registry
Container Registry
Model registry
Operate
Environments
Terraform modules
Monitor
Incidents
Analyze
Value stream analytics
Contributor analytics
CI/CD analytics
Repository analytics
Code review analytics
Issue analytics
Insights
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
staging
rpms
python3.11
Commits
244d3500
Commit
244d3500
authored
2 years ago
by
Rocky Automation
Browse files
Options
Downloads
Patches
Plain Diff
import python3.11-3.11.2-2.el8
parent
b8e378bb
No related branches found
No related tags found
No related merge requests found
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
SOURCES/00329-fips.patch
+1189
-0
1189 additions, 0 deletions
SOURCES/00329-fips.patch
SPECS/python3.11.spec
+19
-1
19 additions, 1 deletion
SPECS/python3.11.spec
with
1208 additions
and
1 deletion
SOURCES/00329-fips.patch
0 → 100644
+
1189
−
0
View file @
244d3500
From c96f1bea2ffc5c0ca849d5406236c07ea229a64f Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Thu, 12 Dec 2019 16:58:31 +0100
Subject: [PATCH 1/7] Expose blake2b and blake2s hashes from OpenSSL
These aren't as powerful as Python's own implementation, but they can be
used under FIPS.
---
Lib/test/test_hashlib.py | 6 ++
Modules/_hashopenssl.c | 37 +++++++++++
Modules/clinic/_hashopenssl.c.h | 106 +++++++++++++++++++++++++++++++-
3 files changed, 148 insertions(+), 1 deletion(-)
diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
index 67becdd..6607ef7 100644
--- a/Lib/test/test_hashlib.py
+++ b/Lib/test/test_hashlib.py
@@ -363,6 +363,12 @@
class HashLibTestCase(unittest.TestCase):
# 2 is for hashlib.name(...) and hashlib.new(name, ...)
self.assertGreaterEqual(len(constructors), 2)
for hash_object_constructor in constructors:
+
+ # OpenSSL's blake2s & blake2d don't support `key`
+ _name = hash_object_constructor.__name__
+ if 'key' in kwargs and _name.startswith('openssl_blake2'):
+ return
+
m = hash_object_constructor(data, **kwargs)
computed = m.hexdigest() if not shake else m.hexdigest(length)
self.assertEqual(
diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
index 3c40f09..e819d02 100644
--- a/Modules/_hashopenssl.c
+++ b/Modules/_hashopenssl.c
@@ -1077,6 +1077,41 @@
_hashlib_openssl_sha512_impl(PyObject *module, PyObject *data_obj,
}
+/*[clinic input]
+_hashlib.openssl_blake2b
+ string as data_obj: object(py_default="b''") = NULL
+ *
+ usedforsecurity: bool = True
+Returns a blake2b hash object; optionally initialized with a string
+[clinic start generated code]*/
+
+static PyObject *
+_hashlib_openssl_blake2b_impl(PyObject *module, PyObject *data_obj,
+ int usedforsecurity)
+/*[clinic end generated code: output=7a838b1643cde13e input=4ad7fd54268f3689]*/
+
+{
+ return py_evp_fromname(module, Py_hash_blake2b, data_obj, usedforsecurity);
+}
+
+/*[clinic input]
+_hashlib.openssl_blake2s
+ string as data_obj: object(py_default="b''") = NULL
+ *
+ usedforsecurity: bool = True
+Returns a blake2s hash object; optionally initialized with a string
+[clinic start generated code]*/
+
+static PyObject *
+_hashlib_openssl_blake2s_impl(PyObject *module, PyObject *data_obj,
+ int usedforsecurity)
+/*[clinic end generated code: output=4eda6b40757471da input=1ed39481ffa4e26a]*/
+
+{
+ return py_evp_fromname(module, Py_hash_blake2s, data_obj, usedforsecurity);
+}
+
+
#ifdef PY_OPENSSL_HAS_SHA3
/*[clinic input]
@@ -2065,6 +2100,8 @@
static struct PyMethodDef EVP_functions[] = {
_HASHLIB_OPENSSL_SHA256_METHODDEF
_HASHLIB_OPENSSL_SHA384_METHODDEF
_HASHLIB_OPENSSL_SHA512_METHODDEF
+ _HASHLIB_OPENSSL_BLAKE2B_METHODDEF
+ _HASHLIB_OPENSSL_BLAKE2S_METHODDEF
_HASHLIB_OPENSSL_SHA3_224_METHODDEF
_HASHLIB_OPENSSL_SHA3_256_METHODDEF
_HASHLIB_OPENSSL_SHA3_384_METHODDEF
diff --git a/Modules/clinic/_hashopenssl.c.h b/Modules/clinic/_hashopenssl.c.h
index 5d84f4a..011026a 100644
--- a/Modules/clinic/_hashopenssl.c.h
+++ b/Modules/clinic/_hashopenssl.c.h
@@ -530,6 +530,110 @@
exit:
return return_value;
}
+PyDoc_STRVAR(_hashlib_openssl_blake2b__doc__,
+"openssl_blake2b($module, /, string=b\'\', *, usedforsecurity=True)\n"
+"--\n"
+"\n"
+"Returns a blake2b hash object; optionally initialized with a string");
+
+#define _HASHLIB_OPENSSL_BLAKE2B_METHODDEF \
+ {"openssl_blake2b", _PyCFunction_CAST(_hashlib_openssl_blake2b), METH_FASTCALL|METH_KEYWORDS, _hashlib_openssl_blake2b__doc__},
+
+static PyObject *
+_hashlib_openssl_blake2b_impl(PyObject *module, PyObject *data_obj,
+ int usedforsecurity);
+
+static PyObject *
+_hashlib_openssl_blake2b(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames)
+{
+ PyObject *return_value = NULL;
+ static const char * const _keywords[] = {"string", "usedforsecurity", NULL};
+ static _PyArg_Parser _parser = {NULL, _keywords, "openssl_blake2b", 0};
+ PyObject *argsbuf[2];
+ Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 0;
+ PyObject *data_obj = NULL;
+ int usedforsecurity = 1;
+
+ args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 0, 1, 0, argsbuf);
+ if (!args) {
+ goto exit;
+ }
+ if (!noptargs) {
+ goto skip_optional_pos;
+ }
+ if (args[0]) {
+ data_obj = args[0];
+ if (!--noptargs) {
+ goto skip_optional_pos;
+ }
+ }
+skip_optional_pos:
+ if (!noptargs) {
+ goto skip_optional_kwonly;
+ }
+ usedforsecurity = PyObject_IsTrue(args[1]);
+ if (usedforsecurity < 0) {
+ goto exit;
+ }
+skip_optional_kwonly:
+ return_value = _hashlib_openssl_blake2b_impl(module, data_obj, usedforsecurity);
+
+exit:
+ return return_value;
+}
+
+PyDoc_STRVAR(_hashlib_openssl_blake2s__doc__,
+"openssl_blake2s($module, /, string=b\'\', *, usedforsecurity=True)\n"
+"--\n"
+"\n"
+"Returns a blake2s hash object; optionally initialized with a string");
+
+#define _HASHLIB_OPENSSL_BLAKE2S_METHODDEF \
+ {"openssl_blake2s", _PyCFunction_CAST(_hashlib_openssl_blake2s), METH_FASTCALL|METH_KEYWORDS, _hashlib_openssl_blake2s__doc__},
+
+static PyObject *
+_hashlib_openssl_blake2s_impl(PyObject *module, PyObject *data_obj,
+ int usedforsecurity);
+
+static PyObject *
+_hashlib_openssl_blake2s(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames)
+{
+ PyObject *return_value = NULL;
+ static const char * const _keywords[] = {"string", "usedforsecurity", NULL};
+ static _PyArg_Parser _parser = {NULL, _keywords, "openssl_blake2s", 0};
+ PyObject *argsbuf[2];
+ Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 0;
+ PyObject *data_obj = NULL;
+ int usedforsecurity = 1;
+
+ args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 0, 1, 0, argsbuf);
+ if (!args) {
+ goto exit;
+ }
+ if (!noptargs) {
+ goto skip_optional_pos;
+ }
+ if (args[0]) {
+ data_obj = args[0];
+ if (!--noptargs) {
+ goto skip_optional_pos;
+ }
+ }
+skip_optional_pos:
+ if (!noptargs) {
+ goto skip_optional_kwonly;
+ }
+ usedforsecurity = PyObject_IsTrue(args[1]);
+ if (usedforsecurity < 0) {
+ goto exit;
+ }
+skip_optional_kwonly:
+ return_value = _hashlib_openssl_blake2s_impl(module, data_obj, usedforsecurity);
+
+exit:
+ return return_value;
+}
+
#if defined(PY_OPENSSL_HAS_SHA3)
PyDoc_STRVAR(_hashlib_openssl_sha3_224__doc__,
@@ -1385,4 +1489,4 @@
exit:
#ifndef _HASHLIB_SCRYPT_METHODDEF
#define _HASHLIB_SCRYPT_METHODDEF
#endif /* !defined(_HASHLIB_SCRYPT_METHODDEF) */
-/*[clinic end generated code: output=69f2374071bff707 input=a9049054013a1b77]*/
+/*[clinic end generated code: output=c6a9af5563972eda input=a9049054013a1b77]*/
--
2.39.1
From 9a7e164840aa35602e1c6dddadd461fafc666a63 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Thu, 1 Aug 2019 17:57:05 +0200
Subject: [PATCH 2/7] Use a stronger hash in multiprocessing handshake
Adapted from patch by David Malcolm,
https://bugs.python.org/issue17258
---
Lib/multiprocessing/connection.py | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py
index b08144f..0497557 100644
--- a/Lib/multiprocessing/connection.py
+++ b/Lib/multiprocessing/connection.py
@@ -42,6 +42,10 @@
BUFSIZE = 8192
# A very generous timeout when it comes to local connections...
CONNECTION_TIMEOUT = 20.
+# The hmac module implicitly defaults to using MD5.
+# Support using a stronger algorithm for the challenge/response code:
+HMAC_DIGEST_NAME='sha256'
+
_mmap_counter = itertools.count()
default_family = 'AF_INET'
@@ -735,7 +739,7 @@
def deliver_challenge(connection, authkey):
"Authkey must be bytes, not {0!s}".format(type(authkey)))
message = os.urandom(MESSAGE_LENGTH)
connection.send_bytes(CHALLENGE + message)
- digest = hmac.new(authkey, message, 'md5').digest()
+ digest = hmac.new(authkey, message, HMAC_DIGEST_NAME).digest()
response = connection.recv_bytes(256) # reject large message
if response == digest:
connection.send_bytes(WELCOME)
@@ -751,7 +755,7 @@
def answer_challenge(connection, authkey):
message = connection.recv_bytes(256) # reject large message
assert message[:len(CHALLENGE)] == CHALLENGE, 'message = %r' % message
message = message[len(CHALLENGE):]
- digest = hmac.new(authkey, message, 'md5').digest()
+ digest = hmac.new(authkey, message, HMAC_DIGEST_NAME).digest()
connection.send_bytes(digest)
response = connection.recv_bytes(256) # reject large message
if response != WELCOME:
--
2.39.1
From 10b91783a2f22153738c5658a98daf7475ad9a8c Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Thu, 25 Jul 2019 17:19:06 +0200
Subject: [PATCH 3/7] Disable Python's hash implementations in FIPS mode,
forcing OpenSSL
---
Lib/hashlib.py | 11 +++++++----
Lib/test/test_hashlib.py | 17 ++++++++++++-----
Modules/_blake2/blake2b_impl.c | 4 ++++
Modules/_blake2/blake2module.c | 3 +++
Modules/_blake2/blake2s_impl.c | 4 ++++
Modules/hashlib.h | 23 +++++++++++++++++++++++
configure.ac | 3 ++-
7 files changed, 55 insertions(+), 10 deletions(-)
diff --git a/Lib/hashlib.py b/Lib/hashlib.py
index b546a3f..8b835a4 100644
--- a/Lib/hashlib.py
+++ b/Lib/hashlib.py
@@ -70,14 +70,17 @@
__all__ = __always_supported + ('new', 'algorithms_guaranteed',
__builtin_constructor_cache = {}
-# Prefer our blake2 implementation
+# Prefer our blake2 implementation (unless in FIPS mode)
# OpenSSL 1.1.0 comes with a limited implementation of blake2b/s. The OpenSSL
# implementations neither support keyed blake2 (blake2 MAC) nor advanced
# features like salt, personalization, or tree hashing. OpenSSL hash-only
# variants are available as 'blake2b512' and 'blake2s256', though.
-__block_openssl_constructor = {
- 'blake2b', 'blake2s',
-}
+import _hashlib
+if _hashlib.get_fips_mode():
+ __block_openssl_constructor = set()
+else:
+ __block_openssl_constructor = {'blake2b', 'blake2s'}
+
def __get_builtin_constructor(name):
cache = __builtin_constructor_cache
diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
index 6607ef7..01d12f5 100644
--- a/Lib/test/test_hashlib.py
+++ b/Lib/test/test_hashlib.py
@@ -40,14 +40,15 @@
else:
m.strip() for m in builtin_hashes.strip('"').lower().split(",")
}
-# hashlib with and without OpenSSL backend for PBKDF2
-# only import builtin_hashlib when all builtin hashes are available.
-# Otherwise import prints noise on stderr
+# RHEL: `_hashlib` is always importable and `hashlib` can't be imported
+# without it.
openssl_hashlib = import_fresh_module('hashlib', fresh=['_hashlib'])
-if builtin_hashes == default_builtin_hashes:
+try:
builtin_hashlib = import_fresh_module('hashlib', blocked=['_hashlib'])
-else:
+except ImportError:
builtin_hashlib = None
+else:
+ raise AssertionError('hashlib is importablee without _hashlib')
try:
from _hashlib import HASH, HASHXOF, openssl_md_meth_names, get_fips_mode
@@ -118,6 +119,12 @@
class HashLibTestCase(unittest.TestCase):
except ModuleNotFoundError as error:
if self._warn_on_extension_import and module_name in builtin_hashes:
warnings.warn('Did a C extension fail to compile? %s' % error)
+ except ImportError:
+ if get_fips_mode() and module_name == '_blake2':
+ # blake2b & blake2s disabled under FIPS
+ return None
+ else:
+ raise
return None
def __init__(self, *args, **kwargs):
diff --git a/Modules/_blake2/blake2b_impl.c b/Modules/_blake2/blake2b_impl.c
index c2cac98..55b1677 100644
--- a/Modules/_blake2/blake2b_impl.c
+++ b/Modules/_blake2/blake2b_impl.c
@@ -98,6 +98,8 @@
py_blake2b_new_impl(PyTypeObject *type, PyObject *data, int digest_size,
BLAKE2bObject *self = NULL;
Py_buffer buf;
+ FAIL_RETURN_IN_FIPS_MODE(PyExc_ValueError, "_blake2");
+
self = new_BLAKE2bObject(type);
if (self == NULL) {
goto error;
@@ -276,6 +278,8 @@
_blake2_blake2b_update(BLAKE2bObject *self, PyObject *data)
{
Py_buffer buf;
+ FAIL_RETURN_IN_FIPS_MODE(PyExc_ValueError, "_blake2");
+
GET_BUFFER_VIEW_OR_ERROUT(data, &buf);
if (self->lock == NULL && buf.len >= HASHLIB_GIL_MINSIZE)
diff --git a/Modules/_blake2/blake2module.c b/Modules/_blake2/blake2module.c
index 44d783b..d247e44 100644
--- a/Modules/_blake2/blake2module.c
+++ b/Modules/_blake2/blake2module.c
@@ -13,6 +13,7 @@
#endif
#include "Python.h"
+#include "../hashlib.h"
#include "blake2module.h"
extern PyType_Spec blake2b_type_spec;
@@ -77,6 +78,7 @@
_blake2_free(void *module)
static int
blake2_exec(PyObject *m)
{
+
Blake2State* st = blake2_get_state(m);
st->blake2b_type = (PyTypeObject *)PyType_FromModuleAndSpec(
@@ -145,5 +147,6 @@
static struct PyModuleDef blake2_module = {
PyMODINIT_FUNC
PyInit__blake2(void)
{
+ FAIL_RETURN_IN_FIPS_MODE(PyExc_ImportError, "blake2");
return PyModuleDef_Init(&blake2_module);
}
\ No newline at end of file
diff --git a/Modules/_blake2/blake2s_impl.c b/Modules/_blake2/blake2s_impl.c
index 1c47328..cd4a202 100644
--- a/Modules/_blake2/blake2s_impl.c
+++ b/Modules/_blake2/blake2s_impl.c
@@ -98,6 +98,8 @@
py_blake2s_new_impl(PyTypeObject *type, PyObject *data, int digest_size,
BLAKE2sObject *self = NULL;
Py_buffer buf;
+ FAIL_RETURN_IN_FIPS_MODE(PyExc_ValueError, "_blake2");
+
self = new_BLAKE2sObject(type);
if (self == NULL) {
goto error;
@@ -276,6 +278,8 @@
_blake2_blake2s_update(BLAKE2sObject *self, PyObject *data)
{
Py_buffer buf;
+ FAIL_RETURN_IN_FIPS_MODE(PyExc_ValueError, "_blake2");
+
GET_BUFFER_VIEW_OR_ERROUT(data, &buf);
if (self->lock == NULL && buf.len >= HASHLIB_GIL_MINSIZE)
diff --git a/Modules/hashlib.h b/Modules/hashlib.h
index 56ae7a5..45fb403 100644
--- a/Modules/hashlib.h
+++ b/Modules/hashlib.h
@@ -1,5 +1,11 @@
/* Common code for use by all hashlib related modules. */
+// RHEL: use OpenSSL to turn off unsupported modules under FIPS mode
+// EVP_default_properties_is_fips_enabled() on OpenSSL >= 3.0.0
+#include <openssl/evp.h>
+// FIPS_mode() on OpenSSL < 3.0.0
+#include <openssl/crypto.h>
+
/*
* Given a PyObject* obj, fill in the Py_buffer* viewp with the result
* of PyObject_GetBuffer. Sets an exception and issues the erraction
@@ -57,3 +63,20 @@
* to allow the user to optimize based on the platform they're using. */
#define HASHLIB_GIL_MINSIZE 2048
+__attribute__((__unused__))
+static int
+_Py_hashlib_fips_error(PyObject *exc, char *name) {
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ if (EVP_default_properties_is_fips_enabled(NULL)) {
+#else
+ if (FIPS_mode()) {
+#endif
+ PyErr_Format(exc, "%s is not available in FIPS mode", name);
+ return 1;
+ }
+ return 0;
+}
+
+#define FAIL_RETURN_IN_FIPS_MODE(exc, name) do { \
+ if (_Py_hashlib_fips_error(exc, name)) return NULL; \
+} while (0)
diff --git a/configure.ac b/configure.ac
index c62a565..861f7a0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -7044,7 +7044,8 @@
PY_STDLIB_MOD([_sha512], [test "$with_builtin_sha512" = yes])
PY_STDLIB_MOD([_sha3], [test "$with_builtin_sha3" = yes])
PY_STDLIB_MOD([_blake2],
[test "$with_builtin_blake2" = yes], [],
- [$LIBB2_CFLAGS], [$LIBB2_LIBS])
+ [$LIBB2_CFLAGS $OPENSSL_INCLUDES],
+ [$LIBB2_LIBS $OPENSSL_LDFLAGS $OPENSSL_LDFLAGS_RPATH $OPENSSL_LIBS])
PY_STDLIB_MOD([_crypt],
[], [test "$ac_cv_crypt_crypt" = yes],
--
2.39.1
From e26066b1c05c9768e38cb6f45d6a01058de55b3f Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Fri, 29 Jan 2021 14:16:21 +0100
Subject: [PATCH 4/7] Use python's fall back crypto implementations only if we
are not in FIPS mode
---
Lib/hashlib.py | 72 +++-------------------------------------
Lib/test/test_hashlib.py | 23 ++++++++++++-
2 files changed, 27 insertions(+), 68 deletions(-)
diff --git a/Lib/hashlib.py b/Lib/hashlib.py
index 8b835a4..d0834c2 100644
--- a/Lib/hashlib.py
+++ b/Lib/hashlib.py
@@ -83,6 +83,8 @@
else:
def __get_builtin_constructor(name):
+ if _hashlib.get_fips_mode():
+ raise ValueError('unsupported hash type ' + name + '(in FIPS mode)')
cache = __builtin_constructor_cache
constructor = cache.get(name)
if constructor is not None:
@@ -178,83 +180,19 @@
try:
except ImportError:
_hashlib = None
new = __py_new
- __get_hash = __get_builtin_constructor
+ raise # importing _hashlib should never fail on RHEL
try:
# OpenSSL's PKCS5_PBKDF2_HMAC requires OpenSSL 1.0+ with HMAC and SHA
from _hashlib import pbkdf2_hmac
except ImportError:
- from warnings import warn as _warn
- _trans_5C = bytes((x ^ 0x5C) for x in range(256))
- _trans_36 = bytes((x ^ 0x36) for x in range(256))
-
- def pbkdf2_hmac(hash_name, password, salt, iterations, dklen=None):
- """Password based key derivation function 2 (PKCS #5 v2.0)
-
- This Python implementations based on the hmac module about as fast
- as OpenSSL's PKCS5_PBKDF2_HMAC for short passwords and much faster
- for long passwords.
- """
- _warn(
- "Python implementation of pbkdf2_hmac() is deprecated.",
- category=DeprecationWarning,
- stacklevel=2
- )
- if not isinstance(hash_name, str):
- raise TypeError(hash_name)
-
- if not isinstance(password, (bytes, bytearray)):
- password = bytes(memoryview(password))
- if not isinstance(salt, (bytes, bytearray)):
- salt = bytes(memoryview(salt))
-
- # Fast inline HMAC implementation
- inner = new(hash_name)
- outer = new(hash_name)
- blocksize = getattr(inner, 'block_size', 64)
- if len(password) > blocksize:
- password = new(hash_name, password).digest()
- password = password + b'\x00' * (blocksize - len(password))
- inner.update(password.translate(_trans_36))
- outer.update(password.translate(_trans_5C))
-
- def prf(msg, inner=inner, outer=outer):
- # PBKDF2_HMAC uses the password as key. We can re-use the same
- # digest objects and just update copies to skip initialization.
- icpy = inner.copy()
- ocpy = outer.copy()
- icpy.update(msg)
- ocpy.update(icpy.digest())
- return ocpy.digest()
-
- if iterations < 1:
- raise ValueError(iterations)
- if dklen is None:
- dklen = outer.digest_size
- if dklen < 1:
- raise ValueError(dklen)
-
- dkey = b''
- loop = 1
- from_bytes = int.from_bytes
- while len(dkey) < dklen:
- prev = prf(salt + loop.to_bytes(4))
- # endianness doesn't matter here as long to / from use the same
- rkey = from_bytes(prev)
- for i in range(iterations - 1):
- prev = prf(prev)
- # rkey = rkey ^ prev
- rkey ^= from_bytes(prev)
- loop += 1
- dkey += rkey.to_bytes(inner.digest_size)
-
- return dkey[:dklen]
+ raise # importing _hashlib should never fail on RHEL
try:
# OpenSSL's scrypt requires OpenSSL 1.1+
from _hashlib import scrypt
except ImportError:
- pass
+ raise # importing _hashlib should never fail on RHEL
def file_digest(fileobj, digest, /, *, _bufsize=2**18):
diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
index 01d12f5..a7cdb07 100644
--- a/Lib/test/test_hashlib.py
+++ b/Lib/test/test_hashlib.py
@@ -171,7 +171,13 @@
class HashLibTestCase(unittest.TestCase):
constructors.add(constructor)
def add_builtin_constructor(name):
- constructor = getattr(hashlib, "__get_builtin_constructor")(name)
+ try:
+ constructor = getattr(hashlib, "__get_builtin_constructor")(name)
+ except ValueError:
+ if get_fips_mode():
+ return
+ else:
+ raise
self.constructors_to_test[name].add(constructor)
_md5 = self._conditional_import_module('_md5')
@@ -266,6 +272,20 @@
class HashLibTestCase(unittest.TestCase):
def test_new_upper_to_lower(self):
self.assertEqual(hashlib.new("SHA256").name, "sha256")
+ @unittest.skipUnless(get_fips_mode(), "Builtin constructor only usable in FIPS mode")
+ def test_get_builtin_constructor_fips(self):
+ get_builtin_constructor = getattr(hashlib,
+ '__get_builtin_constructor')
+ with self.assertRaises(ValueError):
+ get_builtin_constructor('md5')
+ with self.assertRaises(ValueError):
+ get_builtin_constructor('sha256')
+ with self.assertRaises(ValueError):
+ get_builtin_constructor('blake2s')
+ with self.assertRaises(ValueError):
+ get_builtin_constructor('test')
+
+ @unittest.skipIf(get_fips_mode(), "No builtin constructors in FIPS mode")
def test_get_builtin_constructor(self):
get_builtin_constructor = getattr(hashlib,
'__get_builtin_constructor')
@@ -1111,6 +1131,7 @@
class KDFTests(unittest.TestCase):
iterations=1, dklen=None)
self.assertEqual(out, self.pbkdf2_results['sha1'][0][0])
+ @unittest.skip("The python implementation of pbkdf2_hmac has been removed")
@unittest.skipIf(builtin_hashlib is None, "test requires builtin_hashlib")
def test_pbkdf2_hmac_py(self):
with warnings_helper.check_warnings():
--
2.39.1
From 9ccbd22b8538fee379717c8b2916dc1ff8b96f07 Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Wed, 31 Jul 2019 15:43:43 +0200
Subject: [PATCH 5/7] Test equivalence of hashes for the various digests with
usedforsecurity=True/False
---
Lib/test/test_fips.py | 24 ++++++++++++++++++++
Lib/test/test_hashlib.py | 47 ++++++++++++++++++++++++++++++----------
2 files changed, 60 insertions(+), 11 deletions(-)
create mode 100644 Lib/test/test_fips.py
diff --git a/Lib/test/test_fips.py b/Lib/test/test_fips.py
new file mode 100644
index 0000000..1f99dd7
--- /dev/null
+++ b/Lib/test/test_fips.py
@@ -0,0 +1,24 @@
+import unittest
+import hashlib, _hashlib
+
+
+
+class HashlibFipsTests(unittest.TestCase):
+
+ @unittest.skipUnless(_hashlib.get_fips_mode(), "Test only when FIPS is enabled")
+ def test_fips_imports(self):
+ """blake2s and blake2b should fail to import in FIPS mode
+ """
+ with self.assertRaises(ValueError, msg='blake2s not available in FIPS'):
+ m = hashlib.blake2s()
+ with self.assertRaises(ValueError, msg='blake2b not available in FIPS'):
+ m = hashlib.blake2b()
+
+ @unittest.skipIf(_hashlib.get_fips_mode(), "blake2 hashes are not available under FIPS")
+ def test_blake2_hashes(self):
+ self.assertEqual(hashlib.blake2b(b'abc').hexdigest(), _hashlib.openssl_blake2b(b'abc').hexdigest())
+ self.assertEqual(hashlib.blake2s(b'abc').hexdigest(), _hashlib.openssl_blake2s(b'abc').hexdigest())
+
+
+if __name__ == "__main__":
+ unittest.main()
diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
index a7cdb07..c071f28 100644
--- a/Lib/test/test_hashlib.py
+++ b/Lib/test/test_hashlib.py
@@ -25,6 +25,7 @@
from test.support import os_helper
from test.support import threading_helper
from test.support import warnings_helper
from http.client import HTTPException
+from functools import partial
# Were we compiled --with-pydebug or with #define Py_DEBUG?
COMPILED_WITH_PYDEBUG = hasattr(sys, 'gettotalrefcount')
@@ -60,6 +61,11 @@
except ImportError:
def get_fips_mode():
return 0
+if get_fips_mode():
+ FIPS_DISABLED = {'md5'}
+else:
+ FIPS_DISABLED = set()
+
try:
import _blake2
except ImportError:
@@ -98,6 +104,11 @@
def read_vectors(hash_name):
parts[0] = bytes.fromhex(parts[0])
yield parts
+def _is_blake2_constructor(constructor):
+ if isinstance(constructor, partial):
+ constructor = constructor.func
+ return getattr(constructor, '__name__', '').startswith('openssl_blake2')
+
class HashLibTestCase(unittest.TestCase):
supported_hash_names = ( 'md5', 'MD5', 'sha1', 'SHA1',
@@ -142,15 +153,21 @@
class HashLibTestCase(unittest.TestCase):
continue
self.constructors_to_test[algorithm] = set()
+ def _add_constructor(algorithm, constructor):
+ constructors.add(partial(constructor, usedforsecurity=False))
+ if algorithm not in FIPS_DISABLED:
+ constructors.add(constructor)
+ constructors.add(partial(constructor, usedforsecurity=True))
+
# For each algorithm, test the direct constructor and the use
# of hashlib.new given the algorithm name.
for algorithm, constructors in self.constructors_to_test.items():
- constructors.add(getattr(hashlib, algorithm))
+ _add_constructor(algorithm, getattr(hashlib, algorithm))
def _test_algorithm_via_hashlib_new(data=None, _alg=algorithm, **kwargs):
if data is None:
return hashlib.new(_alg, **kwargs)
return hashlib.new(_alg, data, **kwargs)
- constructors.add(_test_algorithm_via_hashlib_new)
+ _add_constructor(algorithm, _test_algorithm_via_hashlib_new)
_hashlib = self._conditional_import_module('_hashlib')
self._hashlib = _hashlib
@@ -162,13 +179,7 @@
class HashLibTestCase(unittest.TestCase):
for algorithm, constructors in self.constructors_to_test.items():
constructor = getattr(_hashlib, 'openssl_'+algorithm, None)
if constructor:
- try:
- constructor()
- except ValueError:
- # default constructor blocked by crypto policy
- pass
- else:
- constructors.add(constructor)
+ _add_constructor(algorithm, constructor)
def add_builtin_constructor(name):
try:
@@ -346,6 +357,8 @@
class HashLibTestCase(unittest.TestCase):
self.assertIn(h.name, self.supported_hash_names)
else:
self.assertNotIn(h.name, self.supported_hash_names)
+ if not h.name.startswith('blake2') and h.name not in FIPS_DISABLED:
+ self.assertEqual(h.name, hashlib.new(h.name).name)
self.assertEqual(
h.name,
hashlib.new(h.name, usedforsecurity=False).name
@@ -392,8 +405,10 @@
class HashLibTestCase(unittest.TestCase):
for hash_object_constructor in constructors:
# OpenSSL's blake2s & blake2d don't support `key`
- _name = hash_object_constructor.__name__
- if 'key' in kwargs and _name.startswith('openssl_blake2'):
+ if (
+ 'key' in kwargs
+ and _is_blake2_constructor(hash_object_constructor)
+ ):
return
m = hash_object_constructor(data, **kwargs)
@@ -1024,6 +1039,16 @@
class HashLibTestCase(unittest.TestCase):
with self.assertRaisesRegex(TypeError, "immutable type"):
hash_type.value = False
+ @unittest.skipUnless(get_fips_mode(), 'Needs FIPS mode.')
+ def test_usedforsecurity_repeat(self):
+ """Make sure usedforsecurity flag isn't copied to other contexts"""
+ for i in range(3):
+ for cons in hashlib.md5, partial(hashlib.new, 'md5'):
+ self.assertRaises(ValueError, cons)
+ self.assertRaises(ValueError, partial(cons, usedforsecurity=True))
+ self.assertEqual(cons(usedforsecurity=False).hexdigest(),
+ 'd41d8cd98f00b204e9800998ecf8427e')
+
class KDFTests(unittest.TestCase):
--
2.39.1
From c3b8d6ecc76c87e8b05fd2cb212d5dece50ce0b1 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Mon, 26 Aug 2019 19:39:48 +0200
Subject: [PATCH 6/7] Guard against Python HMAC in FIPS mode
---
Lib/hmac.py | 13 +++++++++----
Lib/test/test_hmac.py | 10 ++++++++++
2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/Lib/hmac.py b/Lib/hmac.py
index 8b4f920..20ef96c 100644
--- a/Lib/hmac.py
+++ b/Lib/hmac.py
@@ -16,8 +16,9 @@
else:
import hashlib as _hashlib
-trans_5C = bytes((x ^ 0x5C) for x in range(256))
-trans_36 = bytes((x ^ 0x36) for x in range(256))
+if not _hashopenssl.get_fips_mode():
+ trans_5C = bytes((x ^ 0x5C) for x in range(256))
+ trans_36 = bytes((x ^ 0x36) for x in range(256))
# The size of the digests returned by HMAC depends on the underlying
# hashing module used. Use digest_size from the instance of HMAC instead.
@@ -48,17 +49,18 @@
class HMAC:
msg argument. Passing it as a keyword argument is
recommended, though not required for legacy API reasons.
"""
-
if not isinstance(key, (bytes, bytearray)):
raise TypeError("key: expected bytes or bytearray, but got %r" % type(key).__name__)
if not digestmod:
raise TypeError("Missing required parameter 'digestmod'.")
- if _hashopenssl and isinstance(digestmod, (str, _functype)):
+ if _hashopenssl.get_fips_mode() or (_hashopenssl and isinstance(digestmod, (str, _functype))):
try:
self._init_hmac(key, msg, digestmod)
except _hashopenssl.UnsupportedDigestmodError:
+ if _hashopenssl.get_fips_mode():
+ raise
self._init_old(key, msg, digestmod)
else:
self._init_old(key, msg, digestmod)
@@ -69,6 +71,9 @@
class HMAC:
self.block_size = self._hmac.block_size
def _init_old(self, key, msg, digestmod):
+ if _hashopenssl.get_fips_mode():
+ # In FIPS mode, use OpenSSL anyway: raise the appropriate error
+ return self._init_hmac(key, msg, digestmod)
if callable(digestmod):
digest_cons = digestmod
elif isinstance(digestmod, str):
diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py
index 7cf9973..a9e4e39 100644
--- a/Lib/test/test_hmac.py
+++ b/Lib/test/test_hmac.py
@@ -5,6 +5,7 @@
import hashlib
import unittest
import unittest.mock
import warnings
+from _hashlib import get_fips_mode
from test.support import hashlib_helper, check_disallow_instantiation
@@ -339,6 +340,7 @@
class TestVectorsTestCase(unittest.TestCase):
def test_sha512_rfc4231(self):
self._rfc4231_test_cases(hashlib.sha512, 'sha512', 64, 128)
+ #unittest.skipIf(get_fips_mode(), 'MockCrazyHash unacceptable in FIPS mode.')
@hashlib_helper.requires_hashdigest('sha256')
def test_legacy_block_size_warnings(self):
class MockCrazyHash(object):
@@ -351,6 +353,11 @@
class TestVectorsTestCase(unittest.TestCase):
def digest(self):
return self._x.digest()
+ if get_fips_mode():
+ with self.assertRaises(ValueError):
+ hmac.HMAC(b'a', b'b', digestmod=MockCrazyHash)
+ return
+
with warnings.catch_warnings():
warnings.simplefilter('error', RuntimeWarning)
with self.assertRaises(RuntimeWarning):
@@ -443,6 +450,7 @@
class ConstructorTestCase(unittest.TestCase):
with self.assertRaisesRegex(TypeError, "immutable type"):
C_HMAC.value = None
+ @unittest.skipIf(get_fips_mode(), "_sha256 unavailable in FIPS mode")
@unittest.skipUnless(sha256_module is not None, 'need _sha256')
def test_with_sha256_module(self):
h = hmac.HMAC(b"key", b"hash this!", digestmod=sha256_module.sha256)
@@ -471,6 +479,7 @@
class SanityTestCase(unittest.TestCase):
class CopyTestCase(unittest.TestCase):
+ @unittest.skipIf(get_fips_mode(), "_init_old unavailable in FIPS mode")
@hashlib_helper.requires_hashdigest('sha256')
def test_attributes_old(self):
# Testing if attributes are of same type.
@@ -482,6 +491,7 @@
class CopyTestCase(unittest.TestCase):
self.assertEqual(type(h1._outer), type(h2._outer),
"Types of outer don't match.")
+ @unittest.skipIf(get_fips_mode(), "_init_old unavailable in FIPS mode")
@hashlib_helper.requires_hashdigest('sha256')
def test_realcopy_old(self):
# Testing if the copy method created a real copy.
--
2.39.1
From 2b06ee89344e8735cdc8435aadbdf83fe289e934 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <encukou@gmail.com>
Date: Wed, 25 Aug 2021 16:44:43 +0200
Subject: [PATCH 7/7] Disable hash-based PYCs in FIPS mode
If FIPS mode is on, we can't use siphash-based HMAC
(_Py_KeyedHash), so:
- Unchecked hash PYCs can be imported, but not created
- Checked hash PYCs can not be imported nor created
- The default mode is timestamp-based PYCs, even if
SOURCE_DATE_EPOCH is set.
If FIPS mode is off, there are no changes in behavior.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1835169
---
Lib/py_compile.py | 2 ++
Lib/test/support/__init__.py | 14 +++++++++++++
Lib/test/test_cmd_line_script.py | 2 ++
Lib/test/test_compileall.py | 11 +++++++++-
Lib/test/test_imp.py | 2 ++
.../test_importlib/source/test_file_loader.py | 6 ++++++
Lib/test/test_py_compile.py | 11 ++++++++--
Lib/test/test_zipimport.py | 2 ++
Python/import.c | 20 +++++++++++++++++++
9 files changed, 67 insertions(+), 3 deletions(-)
diff --git a/Lib/py_compile.py b/Lib/py_compile.py
index db52725..5fca65e 100644
--- a/Lib/py_compile.py
+++ b/Lib/py_compile.py
@@ -70,7 +70,9 @@
class PycInvalidationMode(enum.Enum):
def _get_default_invalidation_mode():
+ import _hashlib
if (os.environ.get('SOURCE_DATE_EPOCH') and not
+ _hashlib.get_fips_mode() and not
os.environ.get('RPM_BUILD_ROOT')):
return PycInvalidationMode.CHECKED_HASH
else:
diff --git a/Lib/test/support/__init__.py b/Lib/test/support/__init__.py
index c33f90d..7d40540 100644
--- a/Lib/test/support/__init__.py
+++ b/Lib/test/support/__init__.py
@@ -2225,6 +2225,20 @@
def requires_venv_with_pip():
return unittest.skipUnless(ctypes, 'venv: pip requires ctypes')
+def fails_in_fips_mode(expected_error):
+ import _hashlib
+ if _hashlib.get_fips_mode():
+ def _decorator(func):
+ def _wrapper(self, *args, **kwargs):
+ with self.assertRaises(expected_error):
+ func(self, *args, **kwargs)
+ return _wrapper
+ else:
+ def _decorator(func):
+ return func
+ return _decorator
+
+
@contextlib.contextmanager
def adjust_int_max_str_digits(max_digits):
"""Temporarily change the integer string conversion length limit."""
diff --git a/Lib/test/test_cmd_line_script.py b/Lib/test/test_cmd_line_script.py
index 4dadbc0..7dc7e51 100644
--- a/Lib/test/test_cmd_line_script.py
+++ b/Lib/test/test_cmd_line_script.py
@@ -286,6 +286,7 @@
class CmdLineTest(unittest.TestCase):
self._check_script(zip_name, run_name, zip_name, zip_name, '',
zipimport.zipimporter)
+ @support.fails_in_fips_mode(ImportError)
def test_zipfile_compiled_checked_hash(self):
with os_helper.temp_dir() as script_dir:
script_name = _make_test_script(script_dir, '__main__')
@@ -296,6 +297,7 @@
class CmdLineTest(unittest.TestCase):
self._check_script(zip_name, run_name, zip_name, zip_name, '',
zipimport.zipimporter)
+ @support.fails_in_fips_mode(ImportError)
def test_zipfile_compiled_unchecked_hash(self):
with os_helper.temp_dir() as script_dir:
script_name = _make_test_script(script_dir, '__main__')
diff --git a/Lib/test/test_compileall.py b/Lib/test/test_compileall.py
index 05154c8..c678d4a 100644
--- a/Lib/test/test_compileall.py
+++ b/Lib/test/test_compileall.py
@@ -800,14 +800,23 @@
class CommandLineTestsBase:
out = self.assertRunOK('badfilename')
self.assertRegex(out, b"Can't list 'badfilename'")
- def test_pyc_invalidation_mode(self):
+ @support.fails_in_fips_mode(AssertionError)
+ def test_pyc_invalidation_mode_checked(self):
script_helper.make_script(self.pkgdir, 'f1', '')
pyc = importlib.util.cache_from_source(
os.path.join(self.pkgdir, 'f1.py'))
+
self.assertRunOK('--invalidation-mode=checked-hash', self.pkgdir)
with open(pyc, 'rb') as fp:
data = fp.read()
self.assertEqual(int.from_bytes(data[4:8], 'little'), 0b11)
+
+ @support.fails_in_fips_mode(AssertionError)
+ def test_pyc_invalidation_mode_unchecked(self):
+ script_helper.make_script(self.pkgdir, 'f1', '')
+ pyc = importlib.util.cache_from_source(
+ os.path.join(self.pkgdir, 'f1.py'))
+
self.assertRunOK('--invalidation-mode=unchecked-hash', self.pkgdir)
with open(pyc, 'rb') as fp:
data = fp.read()
diff --git a/Lib/test/test_imp.py b/Lib/test/test_imp.py
index 4bb0390..ff62483 100644
--- a/Lib/test/test_imp.py
+++ b/Lib/test/test_imp.py
@@ -350,6 +350,7 @@
class ImportTests(unittest.TestCase):
import _frozen_importlib
self.assertEqual(_frozen_importlib.__spec__.origin, "frozen")
+ @support.fails_in_fips_mode(ImportError)
def test_source_hash(self):
self.assertEqual(_imp.source_hash(42, b'hi'), b'\xfb\xd9G\x05\xaf$\x9b~')
self.assertEqual(_imp.source_hash(43, b'hi'), b'\xd0/\x87C\xccC\xff\xe2')
@@ -369,6 +370,7 @@
class ImportTests(unittest.TestCase):
res = script_helper.assert_python_ok(*args)
self.assertEqual(res.out.strip().decode('utf-8'), expected)
+ @support.fails_in_fips_mode(ImportError)
def test_find_and_load_checked_pyc(self):
# issue 34056
with os_helper.temp_cwd():
diff --git a/Lib/test/test_importlib/source/test_file_loader.py b/Lib/test/test_importlib/source/test_file_loader.py
index 378dcbe..7b223a1 100644
--- a/Lib/test/test_importlib/source/test_file_loader.py
+++ b/Lib/test/test_importlib/source/test_file_loader.py
@@ -16,6 +16,7 @@
import types
import unittest
import warnings
+from test import support
from test.support.import_helper import make_legacy_pyc, unload
from test.test_py_compile import without_source_date_epoch
@@ -238,6 +239,7 @@
class SimpleTest(abc.LoaderTests):
loader.load_module('bad name')
@util.writes_bytecode_files
+ @support.fails_in_fips_mode(ImportError)
def test_checked_hash_based_pyc(self):
with util.create_modules('_temp') as mapping:
source = mapping['_temp']
@@ -269,6 +271,7 @@
class SimpleTest(abc.LoaderTests):
)
@util.writes_bytecode_files
+ @support.fails_in_fips_mode(ImportError)
def test_overridden_checked_hash_based_pyc(self):
with util.create_modules('_temp') as mapping, \
unittest.mock.patch('_imp.check_hash_based_pycs', 'never'):
@@ -294,6 +297,7 @@
class SimpleTest(abc.LoaderTests):
self.assertEqual(mod.state, 'old')
@util.writes_bytecode_files
+ @support.fails_in_fips_mode(ImportError)
def test_unchecked_hash_based_pyc(self):
with util.create_modules('_temp') as mapping:
source = mapping['_temp']
@@ -324,6 +328,7 @@
class SimpleTest(abc.LoaderTests):
)
@util.writes_bytecode_files
+ @support.fails_in_fips_mode(ImportError)
def test_overridden_unchecked_hash_based_pyc(self):
with util.create_modules('_temp') as mapping, \
unittest.mock.patch('_imp.check_hash_based_pycs', 'always'):
@@ -433,6 +438,7 @@
class BadBytecodeTest:
del_source=del_source)
test('_temp', mapping, bc_path)
+ @support.fails_in_fips_mode(ImportError)
def _test_partial_hash(self, test, *, del_source=False):
with util.create_modules('_temp') as mapping:
bc_path = self.manipulate_bytecode(
diff --git a/Lib/test/test_py_compile.py b/Lib/test/test_py_compile.py
index e53f5d9..7266212 100644
--- a/Lib/test/test_py_compile.py
+++ b/Lib/test/test_py_compile.py
@@ -141,13 +141,16 @@
class PyCompileTestsBase:
importlib.util.cache_from_source(bad_coding)))
def test_source_date_epoch(self):
+ import _hashlib
py_compile.compile(self.source_path, self.pyc_path)
self.assertTrue(os.path.exists(self.pyc_path))
self.assertFalse(os.path.exists(self.cache_path))
with open(self.pyc_path, 'rb') as fp:
flags = importlib._bootstrap_external._classify_pyc(
fp.read(), 'test', {})
- if os.environ.get('SOURCE_DATE_EPOCH'):
+ if _hashlib.get_fips_mode():
+ expected_flags = 0b00
+ elif os.environ.get('SOURCE_DATE_EPOCH'):
expected_flags = 0b11
else:
expected_flags = 0b00
@@ -178,7 +181,8 @@
class PyCompileTestsBase:
# Specifying optimized bytecode should lead to a path reflecting that.
self.assertIn('opt-2', py_compile.compile(self.source_path, optimize=2))
- def test_invalidation_mode(self):
+ @support.fails_in_fips_mode(ImportError)
+ def test_invalidation_mode_checked(self):
py_compile.compile(
self.source_path,
invalidation_mode=py_compile.PycInvalidationMode.CHECKED_HASH,
@@ -187,6 +191,9 @@
class PyCompileTestsBase:
flags = importlib._bootstrap_external._classify_pyc(
fp.read(), 'test', {})
self.assertEqual(flags, 0b11)
+
+ @support.fails_in_fips_mode(ImportError)
+ def test_invalidation_mode_unchecked(self):
py_compile.compile(
self.source_path,
invalidation_mode=py_compile.PycInvalidationMode.UNCHECKED_HASH,
diff --git a/Lib/test/test_zipimport.py b/Lib/test/test_zipimport.py
index 59a5200..81fadb3 100644
--- a/Lib/test/test_zipimport.py
+++ b/Lib/test/test_zipimport.py
@@ -190,6 +190,7 @@
class UncompressedZipImportTestCase(ImportHooksBaseTestCase):
TESTMOD + pyc_ext: (NOW, test_pyc)}
self.doTest(pyc_ext, files, TESTMOD)
+ @support.fails_in_fips_mode(ImportError)
def testUncheckedHashBasedPyc(self):
source = b"state = 'old'"
source_hash = importlib.util.source_hash(source)
@@ -204,6 +205,7 @@
class UncompressedZipImportTestCase(ImportHooksBaseTestCase):
self.assertEqual(mod.state, 'old')
self.doTest(None, files, TESTMOD, call=check)
+ @support.fails_in_fips_mode(ImportError)
@unittest.mock.patch('_imp.check_hash_based_pycs', 'always')
def test_checked_hash_based_change_pyc(self):
source = b"state = 'old'"
diff --git a/Python/import.c b/Python/import.c
index 07a8b90..e97b47b 100644
--- a/Python/import.c
+++ b/Python/import.c
@@ -2437,6 +2437,26 @@
static PyObject *
_imp_source_hash_impl(PyObject *module, long key, Py_buffer *source)
/*[clinic end generated code: output=edb292448cf399ea input=9aaad1e590089789]*/
{
+ PyObject *_hashlib = PyImport_ImportModule("_hashlib");
+ if (_hashlib == NULL) {
+ return NULL;
+ }
+ PyObject *fips_mode_obj = PyObject_CallMethod(_hashlib, "get_fips_mode", NULL);
+ Py_DECREF(_hashlib);
+ if (fips_mode_obj == NULL) {
+ return NULL;
+ }
+ int fips_mode = PyObject_IsTrue(fips_mode_obj);
+ Py_DECREF(fips_mode_obj);
+ if (fips_mode < 0) {
+ return NULL;
+ }
+ if (fips_mode) {
+ PyErr_SetString(
+ PyExc_ImportError,
+ "hash-based PYC validation (siphash24) not available in FIPS mode");
+ return NULL;
+ };
union {
uint64_t x;
char data[sizeof(uint64_t)];
--
2.39.1
This diff is collapsed.
Click to expand it.
SPECS/python3.11.spec
+
19
−
1
View file @
244d3500
...
...
@@ -20,7 +20,7 @@ URL: https://www.python.org/
#global prerel ...
%global upstream_version %{general_version}%{?prerel}
Version: %{general_version}%{?prerel:~%{prerel}}
Release:
1
%{?dist}
Release:
2
%{?dist}
License: Python
...
...
@@ -307,6 +307,21 @@ Patch251: 00251-change-user-install-location.patch
# Ideally, we should talk to upstream and explain why we don't want this
Patch328: 00328-pyc-timestamp-invalidation-mode.patch
# 00329 #
# Support OpenSSL FIPS mode
# - In FIPS mode, OpenSSL wrappers are always used in hashlib
# - The "usedforsecurity" keyword argument can be used to the various digest
# algorithms in hashlib so that you can whitelist a callsite with
# "usedforsecurity=False"
# - OpenSSL wrappers for the hashes blake2{b512,s256},
# - In FIPS mode, the blake2 hashes use OpenSSL wrappers
# and do not offer extended functionality (keys, tree hashing, custom digest size)
#
# - In FIPS mode, hmac.HMAC can only be instantiated with an OpenSSL wrapper
# or a string with OpenSSL hash name as the "digestmod" argument.
# The argument must be specified (instead of defaulting to ‘md5’).
Patch329: 00329-fips.patch
# 00371 # c1754d9c2750f89cb702e1b63a99201f5f7cff00
# Revert "bpo-1596321: Fix threading._shutdown() for the main thread (GH-28549) (GH-28589)"
#
...
...
@@ -1784,6 +1799,9 @@ fi
# ======================================================
%changelog
* Thu Feb 16 2023 Charalampos Stratakis <cstratak@redhat.com> - 3.11.2-2
- Support OpenSSL FIPS mode
* Thu Feb 09 2023 Charalampos Stratakis <cstratak@redhat.com> - 3.11.2-1
- Update to 3.11.2
...
...
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment