python-devel September 2011

python-devel@lists.fedoraproject.org

3 participants
2 discussions

Cryptographic tweaks in python/python3 in rawhide (F17)
by David Malcolm 14 Sep '11

14 Sep '11

Summary: most users shouldn't see any differences, but rawhide's python should now better support OpenSSL FIPS mode, as of python-2.7.2-14.fc17 and python3-3.2.2-5.fc17 onwards. Long version: I've just built some tweaks to python's cryptographic code in rawhide, aimed at making it play better with FIPS mode. It's actually a forward port of some code that's been in RHEL 6's python 2.6 since RHEL 6.0 (where it was was rhbz#563986). The idea is that in high-security environments, it's possible to set site-wide configuration to deny the use of known insecure cryptographic algorithms. The main example here is MD5. MD5 is past its "use-by date", and should not be used for security purposes. See e.g.: http://www.kb.cert.org/vuls/id/836068 In the past, Fedora build of the python 2 standard library has contained the following modules: Pure python modules: * hashlib (implemented in terms of _hashlib) * md5 (implemented in terms of _hashlib, falling back to _md5) * sha (implemented in terms of _hashlib, falling back to _sha256, _sha512, _sha as appopriate) C module wrapping OpenSSL: * _hashlib Modules with pure C implementations of certain crypto hash algorithms: * _md5 * _sha256 * _sha512 * _sha As of python-2.7.2-14.fc17, I've dropped the final four modules above; instead, all crypto code within our build of python's stdlib is implemented in terms of _hashlib, and thus OpenSSL. Similarly python3-3.2.2-5.fc17 drops the final four modules. There is a slight risk that this will break any code that uses "_md5" etc directly, but such code shouldn't be using those modules: they should use the analogous API entrypoints in either md5/sha or hashlib instead. (Potentially this could lead to hardware acceleration of the hash computation). I've also fixed things so that the remaining modules do the right thing in FIPS mode. In the past, if you ran python with OPENSSL_FORCE_FIPS_MODE=1 in the enviroment, the _hashlib module would segfault when used with a broken crypto hash algorithm. I've now fixed this so that an exception will be raised when using bad algorithms: In normal mode: $ python -c "import hashlib; m = hashlib.md5(); m.update('abc'); print m.hexdigest()" 900150983cd24fb0d6963f7d28e17f72 In FIPS mode: $ OPENSSL_FORCE_FIPS_MODE=1 python -c "import hashlib; m = hashlib.md5(); m.update('abc'); print m.hexdigest()" Traceback (most recent call last): File "<string>", line 1, in <module> ValueError: error:060800A0:digital envelope routines:EVP_DigestInit_ex:unknown cipher (previously, this case would segfault) [Note that you may need to turn off prelinking, and undo any prelinking that may have occurred for FIPS mode to work: sudo prelink -u --all ] If you're using FIPS mode but have some legacy non-security purpose for MD5 (e.g. hash buckets for optimization, not security), I've added a non-standard optional keyword argument: usedforsecurity=True, which you can override to False to mark a callsite as non-security sensitive, and thus keep using MD5 at audited callsites: $ OPENSSL_FORCE_FIPS_MODE=1 python -c "import hashlib; m = hashlib.md5(usedforsecurity=False); m.update('abc'); print m.hexdigest()" 900150983cd24fb0d6963f7d28e17f72 I've sent a version of this upstream for Python 3 as http://bugs.python.org/issue9216 Hope the above makes sense (and that I didn't break anything) Dave

1 0

python-distutils-extra for EPEL?
by Matt Domsch 07 Sep '11

07 Sep '11

Is anyone in the Python SIG interested in maintaining python-distutils-extra in el6? The Fedora maintainer has declined to participate in EPEL, but would welcome someone else doing so. The rawhide copy builds clean in koji against el6 right now, so it shouldn't be that hard to maintain. This is needed by openstack-nova, which the Cloud SIG is in process of packaging for Fedora and EL6. Thanks, Matt -- Matt Domsch Technology Strategist Dell | Office of the CTO

2 5

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

python-devel September 2011