diff --git a/00146-hashlib-fips.patch b/00146-hashlib-fips.patch index 18b6a44..221ab50 100644 --- a/00146-hashlib-fips.patch +++ b/00146-hashlib-fips.patch @@ -1,7 +1,6 @@ -diff -up Python-3.2.2/Lib/hashlib.py.hashlib-fips Python-3.2.2/Lib/hashlib.py ---- Python-3.2.2/Lib/hashlib.py.hashlib-fips 2011-09-03 12:16:41.000000000 -0400 -+++ Python-3.2.2/Lib/hashlib.py 2011-09-14 01:55:48.090252006 -0400 -@@ -23,6 +23,16 @@ the zlib module. +--- Python-3.4.0a4/Lib/hashlib.py.hashlib-fips 2013-11-07 13:29:43.046881440 +0100 ++++ Python-3.4.0a4/Lib/hashlib.py 2013-11-07 13:42:04.438486289 +0100 +@@ -23,6 +23,16 @@ Choose your hash function wisely. Some have known collision weaknesses. sha384 and sha512 will be slow on 32 bit platforms. @@ -18,7 +17,27 @@ diff -up Python-3.2.2/Lib/hashlib.py.hashlib-fips Python-3.2.2/Lib/hashlib.py Hash objects have these methods: - update(arg): Update the hash object with the bytes in arg. Repeated calls are equivalent to a single call with the concatenation of all -@@ -96,33 +106,36 @@ def __get_openssl_constructor(name): +@@ -64,6 +74,19 @@ + 'algorithms_available', 'pbkdf2_hmac') + + ++import functools ++def __ignore_usedforsecurity(func): ++ """Used for sha3_* functions. Until OpenSSL implements them, we want ++ to use them from Python _sha3 module, but we want them to accept ++ usedforsecurity argument too.""" ++ # TODO: remove this function when OpenSSL implements sha3 ++ @functools.wraps(func) ++ def inner(*args, **kwargs): ++ if 'usedforsecurity' in kwargs: ++ kwargs.pop('usedforsecurity') ++ return func(*args, **kwargs) ++ return inner ++ + def __get_builtin_constructor(name): + try: + if name in ('SHA1', 'sha1'): +@@ -109,34 +132,41 @@ f = getattr(_hashlib, 'openssl_' + name) # Allow the C module to raise ValueError. The function will be # defined but the hash not actually available thanks to OpenSSL. @@ -30,16 +49,17 @@ diff -up Python-3.2.2/Lib/hashlib.py.hashlib-fips Python-3.2.2/Lib/hashlib.py # Use the C function directly (very fast) return f except (AttributeError, ValueError): -- return __get_builtin_constructor(name) -+ raise ++ # TODO: We want to just raise here when OpenSSL implements sha3 ++ # because we want to make sure that Fedora uses everything from OpenSSL + return __get_builtin_constructor(name) -+def __py_new(name, data=b'', usedforsecurity=True): -+ """new(name, data=b'', usedforsecurity=True) - Return a new hashing object using -+ the named algorithm; optionally initialized with data (which must be bytes). -def __py_new(name, data=b''): - """new(name, data=b'') - Return a new hashing object using the named algorithm; - optionally initialized with data (which must be bytes). ++def __py_new(name, data=b'', usedforsecurity=True): ++ """new(name, data=b'', usedforsecurity=True) - Return a new hashing object using ++ the named algorithm; optionally initialized with data (which must be bytes). + The 'usedforsecurity' keyword argument does nothing, and is for compatibilty + with the OpenSSL implementation """ @@ -64,16 +84,34 @@ diff -up Python-3.2.2/Lib/hashlib.py.hashlib-fips Python-3.2.2/Lib/hashlib.py - # hash, try using our builtin implementations. - # This allows for SHA224/256 and SHA384/512 support even though - # the OpenSSL library prior to 0.9.8 doesn't provide them. -- return __get_builtin_constructor(name)(data) -- -+ raise ++ # TODO: We want to just raise here when OpenSSL implements sha3 ++ # because we want to make sure that Fedora uses everything from OpenSSL + return __get_builtin_constructor(name)(data) +- try: import _hashlib -diff -up Python-3.2.2/Lib/test/test_hashlib.py.hashlib-fips Python-3.2.2/Lib/test/test_hashlib.py ---- Python-3.2.2/Lib/test/test_hashlib.py.hashlib-fips 2011-09-03 12:16:43.000000000 -0400 -+++ Python-3.2.2/Lib/test/test_hashlib.py 2011-09-14 01:45:48.462251974 -0400 -@@ -22,6 +22,20 @@ from test.support import _4G, precisionb + new = __hash_new +@@ -216,7 +246,10 @@ + # try them all, some may not work due to the OpenSSL + # version not supporting that algorithm. + try: +- globals()[__func_name] = __get_hash(__func_name) ++ func = __get_hash(__func_name) ++ if 'sha3_' in __func_name: ++ func = __ignore_usedforsecurity(func) ++ globals()[__func_name] = func + except ValueError: + import logging + logging.exception('code for hash %s was not found.', __func_name) +@@ -224,3 +257,4 @@ + # Cleanup locals() + del __always_supported, __func_name, __get_hash + del __py_new, __hash_new, __get_openssl_constructor ++del __ignore_usedforsecurity +--- Python-3.4.0a4/Lib/test/test_hashlib.py.hashlib-fips 2013-11-07 13:43:08.763454594 +0100 ++++ Python-3.4.0a4/Lib/test/test_hashlib.py 2013-11-07 13:55:23.233038101 +0100 +@@ -26,6 +26,20 @@ c_hashlib = import_fresh_module('hashlib', fresh=['_hashlib']) py_hashlib = import_fresh_module('hashlib', blocked=['_hashlib']) @@ -94,7 +132,7 @@ diff -up Python-3.2.2/Lib/test/test_hashlib.py.hashlib-fips Python-3.2.2/Lib/tes def hexstr(s): assert isinstance(s, bytes), repr(s) h = "0123456789abcdef" -@@ -31,6 +44,16 @@ def hexstr(s): +@@ -34,6 +48,16 @@ r += h[(i >> 4) & 0xF] + h[i & 0xF] return r @@ -111,7 +149,7 @@ diff -up Python-3.2.2/Lib/test/test_hashlib.py.hashlib-fips Python-3.2.2/Lib/tes class HashLibTestCase(unittest.TestCase): supported_hash_names = ( 'md5', 'MD5', 'sha1', 'SHA1', -@@ -59,11 +82,11 @@ class HashLibTestCase(unittest.TestCase) +@@ -66,11 +90,11 @@ # For each algorithm, test the direct constructor and the use # of hashlib.new given the algorithm name. for algorithm, constructors in self.constructors_to_test.items(): @@ -126,12 +164,13 @@ diff -up Python-3.2.2/Lib/test/test_hashlib.py.hashlib-fips Python-3.2.2/Lib/tes constructors.add(_test_algorithm_via_hashlib_new) _hashlib = self._conditional_import_module('_hashlib') -@@ -75,22 +98,7 @@ class HashLibTestCase(unittest.TestCase) +@@ -82,22 +106,9 @@ for algorithm, constructors in self.constructors_to_test.items(): constructor = getattr(_hashlib, 'openssl_'+algorithm, None) if constructor: - constructors.add(constructor) -- ++ constructors.add(suppress_fips(constructor)) + - _md5 = self._conditional_import_module('_md5') - if _md5: - self.constructors_to_test['md5'].add(_md5.md5) @@ -146,51 +185,11 @@ diff -up Python-3.2.2/Lib/test/test_hashlib.py.hashlib-fips Python-3.2.2/Lib/tes - if _sha512: - self.constructors_to_test['sha384'].add(_sha512.sha384) - self.constructors_to_test['sha512'].add(_sha512.sha512) -+ constructors.add(suppress_fips(constructor)) ++ # TODO: remove this after sha3 is available through OpenSSL _sha3 = self._conditional_import_module('_sha3') if _sha3: self.constructors_to_test['sha3_224'].add(_sha3.sha3_224) -@@ -138,7 +146,7 @@ class HashLibTestCase(unittest.TestCase) - - def test_hexdigest(self): - for cons in self.hash_constructors: -- h = cons() -+ h = cons(usedforsecurity=False) - assert isinstance(h.digest(), bytes), name - self.assertEqual(hexstr(h.digest()), h.hexdigest()) - -@@ -149,12 +157,12 @@ class HashLibTestCase(unittest.TestCase) - cees = b'c' * 126 - - for name in self.supported_hash_names: -- m1 = cons() -+ m1 = cons(usedforsecurity=False) - m1.update(aas) - m1.update(bees) - m1.update(cees) - -- m2 = cons() -+ m2 = cons(usedforsecurity=False) - m2.update(aas + bees + cees) - self.assertEqual(m1.digest(), m2.digest()) - -@@ -324,13 +332,13 @@ class HashLibTestCase(unittest.TestCase) - # for multithreaded operation (which is hardwired to 2048). - gil_minsize = 2048 - -- m = hashlib.md5() -+ m = hashlib.md5(usedforsecurity=False) - m.update(b'1') - m.update(b'#' * gil_minsize) - m.update(b'1') - self.assertEqual(m.hexdigest(), 'cb1e1a2cbc80be75e19935d621fb9b21') - -- m = hashlib.md5(b'x' * gil_minsize) -+ m = hashlib.md5(b'x' * gil_minsize, usedforsecurity=False) - self.assertEqual(m.hexdigest(), 'cfb767f225d58469c5de3632a8803958') - - @unittest.skipUnless(threading, 'Threading required for this test.') -@@ -370,6 +378,67 @@ class HashLibTestCase(unittest.TestCase) +@@ -547,6 +558,65 @@ self.assertEqual(expected_hash, hasher.hexdigest()) @@ -246,31 +245,36 @@ diff -up Python-3.2.2/Lib/test/test_hashlib.py.hashlib-fips Python-3.2.2/Lib/tes + m = _hashlib.new('md5', usedforsecurity=False) + m.update(b'abc\n') + self.assertEquals(m.hexdigest(), "0bee89b07a248e27c83fc3d5951213c1") -+ ++ + m = _hashlib.openssl_md5(b'abc\n', usedforsecurity=False) + self.assertEquals(m.hexdigest(), "0bee89b07a248e27c83fc3d5951213c1") + + m = _hashlib.new('md5', b'abc\n', usedforsecurity=False) + self.assertEquals(m.hexdigest(), "0bee89b07a248e27c83fc3d5951213c1") -+ -+ + - def test_main(): - support.run_unittest(HashLibTestCase) -diff -up Python-3.2.2/Modules/_hashopenssl.c.hashlib-fips Python-3.2.2/Modules/_hashopenssl.c ---- Python-3.2.2/Modules/_hashopenssl.c.hashlib-fips 2011-09-03 12:16:46.000000000 -0400 -+++ Python-3.2.2/Modules/_hashopenssl.c 2011-09-14 00:52:41.225252001 -0400 -@@ -37,6 +37,8 @@ - #endif + class KDFTests(unittest.TestCase): + +@@ -628,6 +698,7 @@ + with self.assertRaisesRegex(ValueError, 'unsupported hash type'): + pbkdf2('unknown', b'pass', b'salt', 1) + ++ @unittest.skip('skipped on Fedora, as we always use OpenSSL pbkdf2_hmac') + def test_pbkdf2_hmac_py(self): + self._test_pbkdf2_hmac(py_hashlib.pbkdf2_hmac) + +--- Python-3.4.0a4/Modules/_hashopenssl.c.hashlib-fips 2013-11-07 13:55:47.466025086 +0100 ++++ Python-3.4.0a4/Modules/_hashopenssl.c 2013-11-07 14:14:32.745272791 +0100 +@@ -19,6 +19,8 @@ + /* EVP is the preferred interface to hashing in OpenSSL */ +#include +#include #include + #include /* We use the object interface to discover what hashes OpenSSL supports. */ - #include -@@ -68,11 +70,19 @@ typedef struct { +@@ -48,11 +50,19 @@ static PyTypeObject EVPtype; @@ -294,7 +298,7 @@ diff -up Python-3.2.2/Modules/_hashopenssl.c.hashlib-fips Python-3.2.2/Modules/_ DEFINE_CONSTS_FOR_NEW(md5) DEFINE_CONSTS_FOR_NEW(sha1) -@@ -117,6 +127,48 @@ EVP_hash(EVPobject *self, const void *vp +@@ -125,6 +135,48 @@ } } @@ -343,7 +347,7 @@ diff -up Python-3.2.2/Modules/_hashopenssl.c.hashlib-fips Python-3.2.2/Modules/_ /* Internal methods for a hash object */ static void -@@ -303,15 +355,16 @@ EVP_repr(EVPobject *self) +@@ -309,15 +361,16 @@ static int EVP_tp_init(EVPobject *self, PyObject *args, PyObject *kwds) { @@ -363,7 +367,7 @@ diff -up Python-3.2.2/Modules/_hashopenssl.c.hashlib-fips Python-3.2.2/Modules/_ return -1; } -@@ -332,7 +385,12 @@ EVP_tp_init(EVPobject *self, PyObject *a +@@ -338,7 +391,12 @@ PyBuffer_Release(&view); return -1; } @@ -377,7 +381,7 @@ diff -up Python-3.2.2/Modules/_hashopenssl.c.hashlib-fips Python-3.2.2/Modules/_ self->name = name_obj; Py_INCREF(self->name); -@@ -416,7 +474,8 @@ static PyTypeObject EVPtype = { +@@ -422,7 +480,8 @@ static PyObject * EVPnew(PyObject *name_obj, const EVP_MD *digest, const EVP_MD_CTX *initial_ctx, @@ -387,7 +391,7 @@ diff -up Python-3.2.2/Modules/_hashopenssl.c.hashlib-fips Python-3.2.2/Modules/_ { EVPobject *self; -@@ -431,7 +490,12 @@ EVPnew(PyObject *name_obj, +@@ -437,7 +495,12 @@ if (initial_ctx) { EVP_MD_CTX_copy(&self->ctx, initial_ctx); } else { @@ -401,7 +405,7 @@ diff -up Python-3.2.2/Modules/_hashopenssl.c.hashlib-fips Python-3.2.2/Modules/_ } if (cp && len) { -@@ -455,21 +519,29 @@ PyDoc_STRVAR(EVP_new__doc__, +@@ -461,21 +524,29 @@ An optional string argument may be provided and will be\n\ automatically hashed.\n\ \n\ @@ -435,7 +439,7 @@ diff -up Python-3.2.2/Modules/_hashopenssl.c.hashlib-fips Python-3.2.2/Modules/_ return NULL; } -@@ -483,7 +555,8 @@ EVP_new(PyObject *self, PyObject *args, +@@ -489,7 +560,8 @@ digest = EVP_get_digestbyname(name); @@ -445,7 +449,7 @@ diff -up Python-3.2.2/Modules/_hashopenssl.c.hashlib-fips Python-3.2.2/Modules/_ if (data_obj) PyBuffer_Release(&view); -@@ -547,58 +620,115 @@ generate_hash_name_list(void) +@@ -744,57 +816,115 @@ /* @@ -462,7 +466,7 @@ diff -up Python-3.2.2/Modules/_hashopenssl.c.hashlib-fips Python-3.2.2/Modules/_ #define GEN_CONSTRUCTOR(NAME) \ static PyObject * \ - EVP_new_ ## NAME (PyObject *self, PyObject *args) \ -+ EVP_new_ ## NAME (PyObject *self, PyObject *args, PyObject *kwdict) \ ++ EVP_new_ ## NAME (PyObject *self, PyObject *args, PyObject *kwdict) \ { \ - PyObject *data_obj = NULL; \ - Py_buffer view = { 0 }; \ @@ -488,8 +492,8 @@ diff -up Python-3.2.2/Modules/_hashopenssl.c.hashlib-fips Python-3.2.2/Modules/_ + return implement_specific_EVP_new(self, args, kwdict, \ + "|Oi:" #NAME, \ + &cached_info_ ## NAME ); \ - } - ++ } ++ +static PyObject * +implement_specific_EVP_new(PyObject *self, PyObject *args, PyObject *kwdict, + const char *format, @@ -534,8 +538,8 @@ diff -up Python-3.2.2/Modules/_hashopenssl.c.hashlib-fips Python-3.2.2/Modules/_ + } else { + PyErr_SetString(PyExc_ValueError, "Error initializing hash"); + } -+ } -+ + } + + if (data_obj) + PyBuffer_Release(&view); + @@ -561,10 +565,9 @@ diff -up Python-3.2.2/Modules/_hashopenssl.c.hashlib-fips Python-3.2.2/Modules/_ - EVP_DigestInit(CONST_new_ ## NAME ## _ctx_p, EVP_get_digestbyname(#NAME)); \ - } \ - } \ --} while (0); +/* + Macro/function pair to set up the constructors. - ++ + Try to initialize a context for each hash twice, once with + EVP_MD_CTX_FLAG_NON_FIPS_ALLOW and once without. + @@ -573,7 +576,7 @@ diff -up Python-3.2.2/Modules/_hashopenssl.c.hashlib-fips Python-3.2.2/Modules/_ +*/ +#define INIT_CONSTRUCTOR_CONSTANTS(NAME) do { \ + init_constructor_constant(&cached_info_ ## NAME, #NAME); \ -+} while (0); + } while (0); +static void +init_constructor_constant(EVPCachedInfo *cached_info, const char *name) +{ @@ -595,11 +598,11 @@ diff -up Python-3.2.2/Modules/_hashopenssl.c.hashlib-fips Python-3.2.2/Modules/_ + } + } +} -+ ++ + GEN_CONSTRUCTOR(md5) GEN_CONSTRUCTOR(sha1) - #ifdef _OPENSSL_SUPPORTS_SHA2 -@@ -641,12 +774,10 @@ PyInit__hashlib(void) +@@ -845,12 +974,10 @@ { PyObject *m, *openssl_md_meth_names; diff --git a/python3.spec b/python3.spec index e2fae48..ef695e9 100644 --- a/python3.spec +++ b/python3.spec @@ -381,8 +381,10 @@ Patch143: 00143-tsc-on-ppc.patch # - don't build the _md5 and _sha* modules; rely on the _hashlib implementation # of hashlib # (rhbz#563986) -# TODO: figure out how to update properly for sha3 -# Patch146: 00146-hashlib-fips.patch +# Note: for now we're using sha3 from Python tarball, not from OpenSSL, since +# OpenSSL didn't implement it yet. When OpenSSL implements it again, +# we will need to rm -rf Modules/_sha3 in prep and adapt the patch. +Patch146: 00146-hashlib-fips.patch # 00147 # # Add a sys._debugmallocstats() function @@ -841,7 +843,7 @@ done %patch143 -p1 -b .tsc-on-ppc # 00144: not for python3 # 00145: not for python3 -#patch146 -p1 +%patch146 -p1 # 00147: upstream as of Python 3.3.0 # 00148: upstream as of Python 3.2.3 # 00149: upstream as of Python 3.2.3