From acec9595dcf0350f9f335e50ef4ec745800a77af Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 03 2020 11:58:20 +0000 Subject: import python38-3.8.3-3.module+el8.3.0+7680+79e7e61a --- diff --git a/.gitignore b/.gitignore index 0a63432..b50fd1a 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/Python-3.8.0.tar.xz +SOURCES/Python-3.8.3.tar.xz diff --git a/.python38.metadata b/.python38.metadata index f6fe148..6c2bce0 100644 --- a/.python38.metadata +++ b/.python38.metadata @@ -1 +1 @@ -7720e0384558c598107cf046c48165fd7e1f5b2c SOURCES/Python-3.8.0.tar.xz +3bafa40df1cd069c112761c388a9f2e94b5d33dd SOURCES/Python-3.8.3.tar.xz diff --git a/SOURCES/00001-rpath.patch b/SOURCES/00001-rpath.patch index d9dd3ce..15f95a9 100644 --- a/SOURCES/00001-rpath.patch +++ b/SOURCES/00001-rpath.patch @@ -1,4 +1,4 @@ -From 8ecb6d320c03242ca94bf2e99d9d80510d5011e1 Mon Sep 17 00:00:00 2001 +From 08c67bfedd07ebec54f5087b59045b8c78fa2a6d Mon Sep 17 00:00:00 2001 From: David Malcolm Date: Wed, 13 Jan 2010 21:25:18 +0000 Subject: [PATCH] 00001: Fixup distutils/unixccompiler.py to remove standard @@ -9,7 +9,7 @@ Subject: [PATCH] 00001: Fixup distutils/unixccompiler.py to remove standard 1 file changed, 9 insertions(+) diff --git a/Lib/distutils/unixccompiler.py b/Lib/distutils/unixccompiler.py -index d10a78da31..4df4b67810 100644 +index 4d7a6de740..353086a648 100644 --- a/Lib/distutils/unixccompiler.py +++ b/Lib/distutils/unixccompiler.py @@ -82,6 +82,15 @@ class UnixCCompiler(CCompiler): @@ -29,5 +29,5 @@ index d10a78da31..4df4b67810 100644 include_dirs=None, extra_preargs=None, extra_postargs=None): fixed_args = self._fix_compile_args(None, macros, include_dirs) -- -2.21.0 +2.26.2 diff --git a/SOURCES/00102-lib64.patch b/SOURCES/00102-lib64.patch index f1f0c8d..5acaf5c 100644 --- a/SOURCES/00102-lib64.patch +++ b/SOURCES/00102-lib64.patch 
@@ -1,4 +1,4 @@ -From b9f1dd6be195cc3b11a80e6f0dde2096dd8b9855 Mon Sep 17 00:00:00 2001 +From be6b9803109c3702dbff0ed8b0953913206008ca Mon Sep 17 00:00:00 2001 From: David Malcolm Date: Wed, 13 Jan 2010 21:25:18 +0000 Subject: [PATCH] 00102: Change the various install paths to use /usr/lib64/ @@ -139,10 +139,10 @@ index b9e2fafbc0..0ae6d35b69 100644 'scripts': '{userbase}/bin', 'data': '{userbase}', diff --git a/Lib/test/test_site.py b/Lib/test/test_site.py -index 41c4229919..543c88432a 100644 +index 1bbc697936..9a7e80dfa0 100644 --- a/Lib/test/test_site.py +++ b/Lib/test/test_site.py -@@ -266,8 +266,8 @@ class HelperFunctionsTests(unittest.TestCase): +@@ -267,8 +267,8 @@ class HelperFunctionsTests(unittest.TestCase): dirs = site.getsitepackages() if os.sep == '/': # OS X, Linux, FreeBSD, etc @@ -154,7 +154,7 @@ index 41c4229919..543c88432a 100644 'site-packages') self.assertEqual(dirs[0], wanted) diff --git a/Makefile.pre.in b/Makefile.pre.in -index 502317aa0c..4ad3df1122 100644 +index a914a9c70f..406a441082 100644 --- a/Makefile.pre.in +++ b/Makefile.pre.in @@ -143,7 +143,7 @@ LIBDIR= @libdir@ @@ -198,10 +198,10 @@ index b727f66953..a0c5fb6139 100644 return DECODE_LOCALE_ERR("EXEC_PREFIX define", len); } diff --git a/configure b/configure -index 2a933cdbeb..bec365124e 100755 +index 8886561645..78867c6ffc 100755 --- a/configure +++ b/configure -@@ -15182,9 +15182,9 @@ fi +@@ -15214,9 +15214,9 @@ fi if test x$PLATFORM_TRIPLET = x; then @@ -214,10 +214,10 @@ index 2a933cdbeb..bec365124e 100755 diff --git a/configure.ac b/configure.ac -index a189d42c2c..154a0aa5cc 100644 +index d8de9d4943..477a5ff1cb 100644 --- a/configure.ac +++ b/configure.ac -@@ -4668,9 +4668,9 @@ fi +@@ -4689,9 +4689,9 @@ fi dnl define LIBPL after ABIFLAGS and LDVERSION is defined. AC_SUBST(PY_ENABLE_SHARED) if test x$PLATFORM_TRIPLET = x; then @@ -230,7 +230,7 @@ index a189d42c2c..154a0aa5cc 100644 AC_SUBST(LIBPL) 
diff --git a/setup.py b/setup.py -index 20d7f35652..024a1035c0 100644 +index b168ed4082..8628b9d1cd 100644 --- a/setup.py +++ b/setup.py @@ -649,7 +649,7 @@ class PyBuildExt(build_ext): @@ -257,5 +257,5 @@ index 20d7f35652..024a1035c0 100644 libraries=readline_libs)) else: -- -2.21.0 +2.26.2 diff --git a/SOURCES/00111-no-static-lib.patch b/SOURCES/00111-no-static-lib.patch index 361af70..ed8ca3e 100644 --- a/SOURCES/00111-no-static-lib.patch +++ b/SOURCES/00111-no-static-lib.patch @@ -1,4 +1,4 @@ -From f6df02cde47874f10e183ead483c90941bb8076f Mon Sep 17 00:00:00 2001 +From 50236468e82a7a19ed3dd7e13cb922e7d3e0ff7f Mon Sep 17 00:00:00 2001 From: David Malcolm Date: Mon, 18 Jan 2010 17:59:07 +0000 Subject: [PATCH] 00111: Don't try to build a libpythonMAJOR.MINOR.a @@ -21,7 +21,7 @@ Co-authored-by: Miro Hrončok 1 file changed, 2 insertions(+), 19 deletions(-) diff --git a/Makefile.pre.in b/Makefile.pre.in -index 4ad3df1122..72d202d71b 100644 +index 406a441082..917303dd92 100644 --- a/Makefile.pre.in +++ b/Makefile.pre.in @@ -562,7 +562,7 @@ clinic: check-clean-src $(srcdir)/Modules/_blake2/blake2s_impl.c @@ -74,5 +74,5 @@ index 4ad3df1122..72d202d71b 100644 $(INSTALL_DATA) Programs/python.o $(DESTDIR)$(LIBPL)/python.o $(INSTALL_DATA) $(srcdir)/Modules/config.c.in $(DESTDIR)$(LIBPL)/config.c.in -- -2.21.0 +2.26.2 diff --git a/SOURCES/00189-use-rpm-wheels.patch b/SOURCES/00189-use-rpm-wheels.patch index 83487e3..8d44707 100644 --- a/SOURCES/00189-use-rpm-wheels.patch +++ b/SOURCES/00189-use-rpm-wheels.patch @@ -1,40 +1,45 @@ -From e5c11f104e1d2543ac3ba4b3f0a7989821e57947 Mon Sep 17 00:00:00 2001 +From 36f1f2b4620b13bdc7ac1c349253ac07960c33b3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Wed, 15 Aug 2018 15:36:29 +0200 Subject: [PATCH] 00189: Instead of bundled wheels, use our RPM packaged wheels We keep them in /usr/share/python-wheels --- - Lib/ensurepip/__init__.py | 26 +++++++++++++++++--------- - 1 file changed, 17 insertions(+), 9 deletions(-) + Lib/ensurepip/__init__.py | 32 ++++++++++++++++++++++---------- + 1 file changed, 22 insertions(+), 10 deletions(-) diff --git a/Lib/ensurepip/__init__.py b/Lib/ensurepip/__init__.py -index fc0edec6e3..4d17e413db 100644 +index 566fb2a096..47da08d3d5 100644 --- a/Lib/ensurepip/__init__.py +++ b/Lib/ensurepip/__init__.py -@@ -1,16 +1,27 @@ +@@ -1,6 +1,7 @@ +import distutils.version +import glob import os import os.path -import pkgutil import sys + import runpy import tempfile - +@@ -8,10 +9,24 @@ import tempfile __all__ = ["version", "bootstrap"] +_WHEEL_DIR = "/usr/share/python38-wheels/" -_SETUPTOOLS_VERSION = "41.2.0" ++_wheels = {} -_PIP_VERSION = "19.2.3" +def _get_most_recent_wheel_version(pkg): + prefix = os.path.join(_WHEEL_DIR, "{}-".format(pkg)) -+ suffix = "-py2.py3-none-any.whl" -+ pattern = "{}*{}".format(prefix, suffix) -+ versions = (p[len(prefix):-len(suffix)] for p in glob.glob(pattern)) -+ return str(max(versions, key=distutils.version.LooseVersion)) ++ _wheels[pkg] = {} ++ for suffix in "-py2.py3-none-any.whl", "-py3-none-any.whl": ++ pattern = "{}*{}".format(prefix, suffix) ++ for path in glob.glob(pattern): ++ version_str = path[len(prefix):-len(suffix)] ++ _wheels[pkg][version_str] = os.path.basename(path) ++ return str(max(_wheels[pkg], key=distutils.version.LooseVersion)) + + +_SETUPTOOLS_VERSION = _get_most_recent_wheel_version("setuptools") 
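Review bot: In the reworked `_get_most_recent_wheel_version` (00189-use-rpm-wheels.patch, first hunk), `max(_wheels[pkg], key=distutils.version.LooseVersion)` is called on a dict that stays empty when neither glob pattern matches anything under `_WHEEL_DIR`. `max()` then raises a bare `ValueError` while the module is being imported, because `_SETUPTOOLS_VERSION` is computed at module level, and the message names neither the package nor the directory. A guard before the return would make a missing wheel package diagnosable: `if not _wheels[pkg]: raise ImportError("no {} wheel found in {}".format(pkg, _WHEEL_DIR))`. The function also fills the module-level `_wheels` cache as a side effect that `_bootstrap` later depends on, which deserves a one-line comment next to `_wheels = {}`.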
@@ -43,16 +48,18 @@ index fc0edec6e3..4d17e413db 100644 _PROJECTS = [ ("setuptools", _SETUPTOOLS_VERSION), -@@ -96,12 +107,9 @@ def _bootstrap(*, root=None, upgrade=False, user=False, +@@ -105,13 +120,10 @@ def _bootstrap(*, root=None, upgrade=False, user=False, + # additional paths that need added to sys.path additional_paths = [] for project, version in _PROJECTS: - wheel_name = "{}-{}-py2.py3-none-any.whl".format(project, version) +- wheel_name = "{}-{}-py2.py3-none-any.whl".format(project, version) - whl = pkgutil.get_data( - "ensurepip", - "_bundled/{}".format(wheel_name), - ) - with open(os.path.join(tmpdir, wheel_name), "wb") as fp: - fp.write(whl) ++ wheel_name = _wheels[project][version] + with open(os.path.join(_WHEEL_DIR, wheel_name), "rb") as sfp: + with open(os.path.join(tmpdir, wheel_name), "wb") as fp: + fp.write(sfp.read()) @@ -60,5 +67,5 @@ index fc0edec6e3..4d17e413db 100644 additional_paths.append(os.path.join(tmpdir, wheel_name)) -- -2.21.0 +2.26.2 diff --git a/SOURCES/00251-change-user-install-location.patch b/SOURCES/00251-change-user-install-location.patch index 1e0ddbb..e993c42 100644 --- a/SOURCES/00251-change-user-install-location.patch +++ b/SOURCES/00251-change-user-install-location.patch @@ -1,4 +1,4 @@ -From 76330e0a8798b3b03160edc7e8d42d3dbee756fd Mon Sep 17 00:00:00 2001 +From 197b8de27ebcd17fc5dd51426a639950c6f6c284 Mon Sep 17 00:00:00 2001 From: Michal Cyprian Date: Mon, 26 Jun 2017 16:32:56 +0200 Subject: [PATCH] 00251: Change user install location @@ -60,5 +60,5 @@ index 22d53fa562..9513526109 100644 if os.path.isdir(sitedir): addsitedir(sitedir, known_paths) -- -2.21.0 +2.26.2 diff --git a/SOURCES/00274-fix-arch-names.patch b/SOURCES/00274-fix-arch-names.patch index f383a58..26654f2 100644 --- a/SOURCES/00274-fix-arch-names.patch +++ b/SOURCES/00274-fix-arch-names.patch @@ -1,4 +1,4 @@ -From 64c67dbfa789f242e8ffd1ac88bafb4df2842401 Mon Sep 17 00:00:00 2001 +From 3172104314227af128f3ce68e9650663a7c1268c Mon Sep 17 00:00:00 2001 
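Review bot: In the `_bootstrap` hunk of 00189-use-rpm-wheels.patch (`@@ -43,16 +48,18 @@`), `wheel_name = _wheels[project][version]` resolves to whichever file in `_WHEEL_DIR` matched the glob with the highest `LooseVersion`, and that file is copied to `tmpdir` and appended to `additional_paths` with no further check. The integrity of the bootstrapped pip and setuptools therefore rests entirely on that directory's ownership and permissions, and the code says so nowhere. I would add a comment above the loop stating the assumption, for example `# Wheels in _WHEEL_DIR are trusted as RPM-installed; the directory must be writable by root only.` The body of `_bootstrap` continues outside this hunk, so how `additional_paths` is consumed is not visible here.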
From: Petr Viktorin Date: Mon, 28 Aug 2017 17:16:46 +0200 Subject: [PATCH] 00274: Upstream uses Debian-style architecture naming, change @@ -29,10 +29,10 @@ index ba37cf99e2..52a9ec6662 100755 ppc64le | powerpc64little) basic_machine=powerpc64le-unknown diff --git a/configure.ac b/configure.ac -index 154a0aa5cc..273954f461 100644 +index 477a5ff1cb..aea27ef86a 100644 --- a/configure.ac +++ b/configure.ac -@@ -741,9 +741,9 @@ cat >> conftest.c <> conftest.c <> conftest.c <> conftest.c <> conftest.c <> conftest.c < Date: Thu, 11 Jul 2019 13:44:13 +0200 Subject: [PATCH] 00328: Restore pyc to TIMESTAMP invalidation mode as default @@ -31,7 +31,7 @@ index 21736896af..310bed5620 100644 else: return PycInvalidationMode.TIMESTAMP diff --git a/Lib/test/test_py_compile.py b/Lib/test/test_py_compile.py -index d6677ab45f..88059b127e 100644 +index d4a68c9320..ed09874023 100644 --- a/Lib/test/test_py_compile.py +++ b/Lib/test/test_py_compile.py @@ -17,6 +17,7 @@ def without_source_date_epoch(fxn): @@ -51,5 +51,5 @@ index d6677ab45f..88059b127e 100644 return wrapper -- -2.21.0 +2.26.2 diff --git a/SOURCES/00329-fips.patch b/SOURCES/00329-fips.patch index 11371c9..4c96d02 100644 --- a/SOURCES/00329-fips.patch +++ b/SOURCES/00329-fips.patch 
@@ -1,268 +1,7 @@ -From 85855cf6fdc076dee6cd884c8b46d491458c431e Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-islington@users.noreply.github.com> -Date: Thu, 17 Oct 2019 20:48:42 -0700 -Subject: [PATCH 01/32] bpo-33604: Raise TypeError on missing hmac arg. - (GH-16805) - -Also updates the documentation to clarify the situation surrounding -the digestmod parameter that is required despite its position in the -argument list as of 3.8.0 as well as removing old python2 era -references to "binary strings". - -We indavertently had this raise ValueError in 3.8.0 for the missing -arg. This is not considered an API change as no reasonable code would -be catching this missing argument error in order to handle it. -(cherry picked from commit f33c57d5c780da1500619f548585792bb5b750ee) - -Co-authored-by: Gregory P. Smith ---- - Doc/library/hmac.rst | 8 +-- - Lib/hmac.py | 53 ++++++++++--------- - Lib/test/test_hmac.py | 7 ++- - .../2019-10-15-09-47-40.bpo-33604.J12cWT.rst | 3 ++ - 4 files changed, 43 insertions(+), 28 deletions(-) - create mode 100644 Misc/NEWS.d/next/Library/2019-10-15-09-47-40.bpo-33604.J12cWT.rst - -diff --git a/Doc/library/hmac.rst b/Doc/library/hmac.rst -index dc994b07c35..57ac8bb1612 100644 ---- a/Doc/library/hmac.rst -+++ b/Doc/library/hmac.rst -@@ -14,12 +14,13 @@ - This module implements the HMAC algorithm as described by :rfc:`2104`. - - --.. function:: new(key, msg=None, digestmod=None) -+.. function:: new(key, msg=None, digestmod='') - - Return a new hmac object. *key* is a bytes or bytearray object giving the - secret key. If *msg* is present, the method call ``update(msg)`` is made. - *digestmod* is the digest name, digest constructor or module for the HMAC -- object to use. It supports any name suitable to :func:`hashlib.new`. -+ object to use. It may be any name suitable to :func:`hashlib.new`. -+ Despite its argument position, it is required. - - .. 
versionchanged:: 3.4 - Parameter *key* can be a bytes or bytearray object. -@@ -28,6 +29,8 @@ This module implements the HMAC algorithm as described by :rfc:`2104`. - - .. deprecated-removed:: 3.4 3.8 - MD5 as implicit default digest for *digestmod* is deprecated. -+ The digestmod parameter is now required. Pass it as a keyword -+ argument to avoid awkwardness when you do not have an initial msg. - - - .. function:: digest(key, msg, digest) -@@ -127,7 +130,6 @@ This module also provides the following helper function: - a timing attack could theoretically reveal information about the - types and lengths of *a* and *b*—but not their values. - -- - .. versionadded:: 3.3 - - -diff --git a/Lib/hmac.py b/Lib/hmac.py -index 890eaba08e8..b769876e6f7 100644 ---- a/Lib/hmac.py -+++ b/Lib/hmac.py -@@ -1,4 +1,4 @@ --"""HMAC (Keyed-Hashing for Message Authentication) Python module. -+"""HMAC (Keyed-Hashing for Message Authentication) module. - - Implements the HMAC algorithm as described by RFC 2104. - """ -@@ -30,23 +30,25 @@ class HMAC: - """ - blocksize = 64 # 512-bit HMAC; can be changed in subclasses. - -- def __init__(self, key, msg = None, digestmod = None): -+ def __init__(self, key, msg=None, digestmod=''): - """Create a new HMAC object. - -- key: key for the keyed hash object. -- msg: Initial input for the hash, if provided. -- digestmod: Required. A module supporting PEP 247. *OR* -- A hashlib constructor returning a new hash object. *OR* -- A hash name suitable for hashlib.new(). -+ key: bytes or buffer, key for the keyed hash object. -+ msg: bytes or buffer, Initial input for the hash or None. -+ digestmod: A hash name suitable for hashlib.new(). *OR* -+ A hashlib constructor returning a new hash object. *OR* -+ A module supporting PEP 247. - -- Note: key and msg must be a bytes or bytearray objects. -+ Required as of 3.8, despite its position after the optional -+ msg argument. 
Passing it as a keyword argument is -+ recommended, though not required for legacy API reasons. - """ - - if not isinstance(key, (bytes, bytearray)): - raise TypeError("key: expected bytes or bytearray, but got %r" % type(key).__name__) - -- if digestmod is None: -- raise ValueError('`digestmod` is required.') -+ if not digestmod: -+ raise TypeError("Missing required parameter 'digestmod'.") - - if callable(digestmod): - self.digest_cons = digestmod -@@ -90,8 +92,7 @@ class HMAC: - return "hmac-" + self.inner.name - - def update(self, msg): -- """Update this hashing object with the string msg. -- """ -+ """Feed data from msg into this hashing object.""" - self.inner.update(msg) - - def copy(self): -@@ -119,7 +120,7 @@ class HMAC: - def digest(self): - """Return the hash value of this hashing object. - -- This returns a string containing 8-bit data. The object is -+ This returns the hmac value as bytes. The object is - not altered in any way by this function; you can continue - updating the object after calling this function. - """ -@@ -132,30 +133,34 @@ class HMAC: - h = self._current() - return h.hexdigest() - --def new(key, msg = None, digestmod = None): -+def new(key, msg=None, digestmod=''): - """Create a new hashing object and return it. - -- key: The starting key for the hash. -- msg: if available, will immediately be hashed into the object's starting -- state. -+ key: bytes or buffer, The starting key for the hash. -+ msg: bytes or buffer, Initial input for the hash, or None. -+ digestmod: A hash name suitable for hashlib.new(). *OR* -+ A hashlib constructor returning a new hash object. *OR* -+ A module supporting PEP 247. -+ -+ Required as of 3.8, despite its position after the optional -+ msg argument. Passing it as a keyword argument is -+ recommended, though not required for legacy API reasons. 
- -- You can now feed arbitrary strings into the object using its update() -+ You can now feed arbitrary bytes into the object using its update() - method, and can ask for the hash value at any time by calling its digest() -- method. -+ or hexdigest() methods. - """ - return HMAC(key, msg, digestmod) - - - def digest(key, msg, digest): -- """Fast inline implementation of HMAC -+ """Fast inline implementation of HMAC. - -- key: key for the keyed hash object. -- msg: input message -+ key: bytes or buffer, The key for the keyed hash object. -+ msg: bytes or buffer, Input message. - digest: A hash name suitable for hashlib.new() for best performance. *OR* - A hashlib constructor returning a new hash object. *OR* - A module supporting PEP 247. -- -- Note: key and msg must be a bytes or bytearray objects. - """ - if (_hashopenssl is not None and - isinstance(digest, str) and digest in _openssl_md_meths): -diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py -index 1bbf201727d..ea00367c802 100644 ---- a/Lib/test/test_hmac.py -+++ b/Lib/test/test_hmac.py -@@ -312,10 +312,15 @@ class TestVectorsTestCase(unittest.TestCase): - self.fail('Expected warning about small block_size') - - def test_with_digestmod_no_default(self): -- with self.assertRaises(ValueError): -+ """The digestmod parameter is required as of Python 3.8.""" -+ with self.assertRaisesRegex(TypeError, r'required.*digestmod'): - key = b"\x0b" * 16 - data = b"Hi There" - hmac.HMAC(key, data, digestmod=None) -+ with self.assertRaisesRegex(TypeError, r'required.*digestmod'): -+ hmac.new(key, data) -+ with self.assertRaisesRegex(TypeError, r'required.*digestmod'): -+ hmac.HMAC(key, msg=data, digestmod='') - - - class ConstructorTestCase(unittest.TestCase): -diff --git a/Misc/NEWS.d/next/Library/2019-10-15-09-47-40.bpo-33604.J12cWT.rst b/Misc/NEWS.d/next/Library/2019-10-15-09-47-40.bpo-33604.J12cWT.rst -new file mode 100644 -index 00000000000..fbd73003cfc ---- /dev/null -+++ 
b/Misc/NEWS.d/next/Library/2019-10-15-09-47-40.bpo-33604.J12cWT.rst -@@ -0,0 +1,3 @@ -+Fixed `hmac.new` and `hmac.HMAC` to raise TypeError instead of ValueError -+when the digestmod parameter, now required in 3.8, is omitted. Also -+clarified the hmac module documentation and docstrings. --- -2.21.1 - - -From f01bee1d24524c80d446f702e8b8ff054a583064 Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-islington@users.noreply.github.com> -Date: Thu, 5 Dec 2019 08:51:30 -0800 -Subject: [PATCH 02/32] [3.8] bpo-38270: Fix indentation of test_hmac - assertions (GH-17446) (GH-17450) - -Since https://github.com/python/cpython/commit/c64a1a61e6fc542cada40eb069a239317e1af36e two assertions were indented and thus ignored when running test_hmac. - -This PR fixes it. As the change is quite trivial I didn't add a NEWS entry. - - -https://bugs.python.org/issue38270 -(cherry picked from commit 894331838b256412c95d54051ec46a1cb96f52e7) - - -Co-authored-by: stratakis - - -https://bugs.python.org/issue38270 - - - -Automerge-Triggered-By: @tiran ---- - Lib/test/test_hmac.py | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py -index ea00367c802..23c108f6e3c 100644 ---- a/Lib/test/test_hmac.py -+++ b/Lib/test/test_hmac.py -@@ -367,7 +367,7 @@ class ConstructorTestCase(unittest.TestCase): - digestmod="sha256") - except Exception: - self.fail("Constructor call with bytearray arguments raised exception.") -- self.assertEqual(h.hexdigest(), self.expected) -+ self.assertEqual(h.hexdigest(), self.expected) - - @requires_hashdigest('sha256') - def test_with_memoryview_msg(self): -@@ -375,7 +375,7 @@ class ConstructorTestCase(unittest.TestCase): - h = hmac.HMAC(b"key", memoryview(b"hash this!"), digestmod="sha256") - except Exception: - self.fail("Constructor call with memoryview msg raised exception.") -- self.assertEqual(h.hexdigest(), self.expected) -+ self.assertEqual(h.hexdigest(), self.expected) - - 
@requires_hashdigest('sha256') - def test_withmodule(self): --- -2.21.1 - - -From 480c5e0c1fd8ed871f54b124528b35e570839a09 Mon Sep 17 00:00:00 2001 +From eba7874ad8a269c1e6e7f56a3f1d759448a0ea83 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Thu, 25 Jul 2019 16:19:52 +0200 -Subject: [PATCH 03/32] Expose OpenSSL FIPS_mode() as hashlib.get_fips_mode() +Subject: [PATCH 01/36] Expose OpenSSL FIPS_mode() as hashlib.get_fips_mode() --- Lib/hashlib.py | 5 +++++ @@ -271,7 +10,7 @@ Subject: [PATCH 03/32] Expose OpenSSL FIPS_mode() as hashlib.get_fips_mode() 3 files changed, 66 insertions(+), 1 deletion(-) diff --git a/Lib/hashlib.py b/Lib/hashlib.py -index 56873b7278b..63ae8368aba 100644 +index 56873b7..63ae836 100644 --- a/Lib/hashlib.py +++ b/Lib/hashlib.py @@ -243,6 +243,11 @@ try: @@ -287,7 +26,7 @@ index 56873b7278b..63ae8368aba 100644 for __func_name in __always_supported: # try them all, some may not work due to the OpenSSL diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c -index 1513e4e35ed..43a69c73d1d 100644 +index 3e5f9c3..d38aae9 100644 --- a/Modules/_hashopenssl.c +++ b/Modules/_hashopenssl.c @@ -26,6 +26,9 @@ @@ -348,7 +87,7 @@ index 1513e4e35ed..43a69c73d1d 100644 _HASHLIB_OPENSSL_MD5_METHODDEF _HASHLIB_OPENSSL_SHA1_METHODDEF diff --git a/Modules/clinic/_hashopenssl.c.h b/Modules/clinic/_hashopenssl.c.h -index 9aaea47e832..30fd8a9796a 100644 +index 9aaea47..30fd8a9 100644 --- a/Modules/clinic/_hashopenssl.c.h +++ b/Modules/clinic/_hashopenssl.c.h @@ -620,7 +620,30 @@ exit: @@ -384,13 +123,13 @@ index 9aaea47e832..30fd8a9796a 100644 -/*[clinic end generated code: output=38c2637f67e9bb79 input=a9049054013a1b77]*/ +/*[clinic end generated code: output=5467006d93e7479e input=a9049054013a1b77]*/ -- -2.21.1 +2.25.4 -From ad854d7f0fb26aea7dff9b1da50de9e81fb3ba5c Mon Sep 17 00:00:00 2001 +From 692168044948a41211bb0efabacf0cbfade8db14 Mon Sep 17 00:00:00 2001 
From: Charalampos Stratakis Date: Thu, 25 Jul 2019 17:04:06 +0200 -Subject: [PATCH 04/32] Use python's fall backs for the crypto it implements +Subject: [PATCH 02/36] Use python's fall backs for the crypto it implements only if we are not in FIPS mode --- @@ -399,7 +138,7 @@ Subject: [PATCH 04/32] Use python's fall backs for the crypto it implements 2 files changed, 81 insertions(+), 127 deletions(-) diff --git a/Lib/hashlib.py b/Lib/hashlib.py -index 63ae8368aba..1bcfdf9f7f7 100644 +index 63ae836..1bcfdf9 100644 --- a/Lib/hashlib.py +++ b/Lib/hashlib.py @@ -68,7 +68,6 @@ __all__ = __always_supported + ('new', 'algorithms_guaranteed', @@ -671,7 +410,7 @@ index 63ae8368aba..1bcfdf9f7f7 100644 +if not get_fips_mode(): + del __py_new diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py -index 8b53d23ef52..e9abcbb929f 100644 +index 8b53d23..e9abcbb 100644 --- a/Lib/test/test_hashlib.py +++ b/Lib/test/test_hashlib.py @@ -945,6 +945,7 @@ class KDFTests(unittest.TestCase): @@ -683,13 +422,13 @@ index 8b53d23ef52..e9abcbb929f 100644 self._test_pbkdf2_hmac(py_hashlib.pbkdf2_hmac) -- -2.21.1 +2.25.4 -From 351fa613d2e194a7fe5c1f63bc89cbaa340deca5 Mon Sep 17 00:00:00 2001 +From 25b2075a04c0622cd11b8ea986d7d817a1a5d375 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Thu, 25 Jul 2019 17:19:06 +0200 -Subject: [PATCH 05/32] Disable Python's hash implementations in FIPS mode, +Subject: [PATCH 03/36] Disable Python's hash implementations in FIPS mode, forcing OpenSSL --- @@ -705,7 +444,7 @@ Subject: [PATCH 05/32] Disable Python's hash implementations in FIPS mode, diff --git a/Include/_hashopenssl.h b/Include/_hashopenssl.h new file mode 100644 -index 00000000000..a726c0d3fbf +index 0000000..a726c0d --- /dev/null +++ b/Include/_hashopenssl.h @@ -0,0 +1,66 @@ @@ -776,7 +515,7 @@ index 00000000000..a726c0d3fbf + +#endif // !Py_HASHOPENSSL_H 
diff --git a/Modules/_blake2/blake2b_impl.c b/Modules/_blake2/blake2b_impl.c -index edab31ea222..1daf5c38e2c 100644 +index edab31e..1daf5c3 100644 --- a/Modules/_blake2/blake2b_impl.c +++ b/Modules/_blake2/blake2b_impl.c @@ -14,6 +14,7 @@ @@ -806,7 +545,7 @@ index edab31ea222..1daf5c38e2c 100644 if (self->lock == NULL && buf.len >= HASHLIB_GIL_MINSIZE) diff --git a/Modules/_blake2/blake2module.c b/Modules/_blake2/blake2module.c -index e2a3d420d4e..817b7165684 100644 +index e2a3d42..817b716 100644 --- a/Modules/_blake2/blake2module.c +++ b/Modules/_blake2/blake2module.c @@ -9,6 +9,7 @@ @@ -827,7 +566,7 @@ index e2a3d420d4e..817b7165684 100644 if (m == NULL) return NULL; diff --git a/Modules/_blake2/blake2s_impl.c b/Modules/_blake2/blake2s_impl.c -index ef2f7e1980f..389711abf14 100644 +index ef2f7e1..389711a 100644 --- a/Modules/_blake2/blake2s_impl.c +++ b/Modules/_blake2/blake2s_impl.c @@ -14,6 +14,7 @@ @@ -857,7 +596,7 @@ index ef2f7e1980f..389711abf14 100644 if (self->lock == NULL && buf.len >= HASHLIB_GIL_MINSIZE) diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c -index 43a69c73d1d..661ceaa1986 100644 +index d38aae9..10a987d 100644 --- a/Modules/_hashopenssl.c +++ b/Modules/_hashopenssl.c @@ -17,6 +17,7 @@ @@ -919,7 +658,7 @@ index 43a69c73d1d..661ceaa1986 100644 py_digest_name(const EVP_MD *md) { diff --git a/Modules/_sha3/sha3module.c b/Modules/_sha3/sha3module.c -index c1fb6185e24..34d09b45d99 100644 +index c1fb618..34d09b4 100644 --- a/Modules/_sha3/sha3module.c +++ b/Modules/_sha3/sha3module.c @@ -18,6 +18,7 @@ @@ -956,7 +695,7 @@ index c1fb6185e24..34d09b45d99 100644 return NULL; } diff --git a/setup.py b/setup.py -index 20d7f35652f..0066006772f 100644 +index 024a103..a16961e 100644 --- a/setup.py +++ b/setup.py @@ -1688,7 +1688,6 @@ class PyBuildExt(build_ext): 
@@ -1068,13 +807,13 @@ index 20d7f35652f..0066006772f 100644 def detect_nis(self): if MS_WINDOWS or CYGWIN or HOST_PLATFORM == 'qnx6': -- -2.21.1 +2.25.4 -From 502fab3354771128a7b18a4e117cf09327803a6c Mon Sep 17 00:00:00 2001 +From 97d839b2d8c03a7b428907e51a44269fdfe3a48d Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Thu, 12 Dec 2019 16:58:31 +0100 -Subject: [PATCH 06/32] Expose all hashes available to OpenSSL +Subject: [PATCH 04/36] Expose all hashes available to OpenSSL --- Modules/_hashopenssl.c | 150 ++++++++++++++++ @@ -1082,7 +821,7 @@ Subject: [PATCH 06/32] Expose all hashes available to OpenSSL 2 files changed, 447 insertions(+), 1 deletion(-) diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c -index 661ceaa1986..625e2d2e8f6 100644 +index 10a987d..e10dbd7 100644 --- a/Modules/_hashopenssl.c +++ b/Modules/_hashopenssl.c @@ -190,6 +190,12 @@ py_digest_by_name(const char *name) @@ -1257,7 +996,7 @@ index 661ceaa1986..625e2d2e8f6 100644 }; diff --git a/Modules/clinic/_hashopenssl.c.h b/Modules/clinic/_hashopenssl.c.h -index 30fd8a9796a..e96a752e273 100644 +index 30fd8a9..e96a752 100644 --- a/Modules/clinic/_hashopenssl.c.h +++ b/Modules/clinic/_hashopenssl.c.h @@ -331,6 +331,302 @@ exit: @@ -1570,20 +1309,20 @@ index 30fd8a9796a..e96a752e273 100644 -/*[clinic end generated code: output=5467006d93e7479e input=a9049054013a1b77]*/ +/*[clinic end generated code: output=be8e21a10dff71e7 input=a9049054013a1b77]*/ -- -2.21.1 +2.25.4 -From bc9f365705cf600dc26cd16585a25bcde6b43ff1 Mon Sep 17 00:00:00 2001 +From b681f084a48d5f2f3eb5257b33e968268850ea7b Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Thu, 25 Jul 2019 18:13:45 +0200 -Subject: [PATCH 07/32] Fix tests +Subject: [PATCH 05/36] Fix tests --- Lib/test/test_hashlib.py | 58 +++++++++++++++++++++++++++++++--------- 1 file changed, 45 insertions(+), 13 deletions(-) 
diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py -index e9abcbb929f..2a55fd4309f 100644 +index e9abcbb..2a55fd4 100644 --- a/Lib/test/test_hashlib.py +++ b/Lib/test/test_hashlib.py @@ -190,7 +190,9 @@ class HashLibTestCase(unittest.TestCase): @@ -1702,13 +1441,13 @@ index e9abcbb929f..2a55fd4309f 100644 @requires_sha3 def test_extra_sha3(self): -- -2.21.1 +2.25.4 -From de23605b73ef563766405f678822ec3b6e3645ea Mon Sep 17 00:00:00 2001 +From 78dea79c8a284940a5d5997646745cb29f74d720 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Fri, 26 Jul 2019 11:27:57 +0200 -Subject: [PATCH 08/32] Change FIPS exceptions from _blake2, _sha3 module init +Subject: [PATCH 06/36] Change FIPS exceptions from _blake2, _sha3 module init to ImportError --- @@ -1720,7 +1459,7 @@ Subject: [PATCH 08/32] Change FIPS exceptions from _blake2, _sha3 module init 5 files changed, 13 insertions(+), 14 deletions(-) diff --git a/Include/_hashopenssl.h b/Include/_hashopenssl.h -index a726c0d3fbf..47ed0030422 100644 +index a726c0d..47ed003 100644 --- a/Include/_hashopenssl.h +++ b/Include/_hashopenssl.h @@ -39,7 +39,7 @@ _setException(PyObject *exc) @@ -1756,7 +1495,7 @@ index a726c0d3fbf..47ed0030422 100644 #endif // !Py_HASHOPENSSL_H diff --git a/Modules/_blake2/blake2b_impl.c b/Modules/_blake2/blake2b_impl.c -index 1daf5c38e2c..97ce89d33c1 100644 +index 1daf5c3..97ce89d 100644 --- a/Modules/_blake2/blake2b_impl.c +++ b/Modules/_blake2/blake2b_impl.c @@ -97,7 +97,7 @@ py_blake2b_new_impl(PyTypeObject *type, PyObject *data, int digest_size, @@ -1778,7 +1517,7 @@ index 1daf5c38e2c..97ce89d33c1 100644 GET_BUFFER_VIEW_OR_ERROUT(data, &buf); diff --git a/Modules/_blake2/blake2module.c b/Modules/_blake2/blake2module.c -index 817b7165684..a9c7cbc7ebe 100644 +index 817b716..a9c7cbc 100644 --- a/Modules/_blake2/blake2module.c +++ b/Modules/_blake2/blake2module.c @@ -58,7 +58,7 @@ PyInit__blake2(void) 
@@ -1791,7 +1530,7 @@ index 817b7165684..a9c7cbc7ebe 100644 m = PyModule_Create(&blake2_module); if (m == NULL) diff --git a/Modules/_blake2/blake2s_impl.c b/Modules/_blake2/blake2s_impl.c -index 389711abf14..c4447b4fe83 100644 +index 389711a..c4447b4 100644 --- a/Modules/_blake2/blake2s_impl.c +++ b/Modules/_blake2/blake2s_impl.c @@ -97,7 +97,7 @@ py_blake2s_new_impl(PyTypeObject *type, PyObject *data, int digest_size, @@ -1813,7 +1552,7 @@ index 389711abf14..c4447b4fe83 100644 GET_BUFFER_VIEW_OR_ERROUT(data, &buf); diff --git a/Modules/_sha3/sha3module.c b/Modules/_sha3/sha3module.c -index 34d09b45d99..3079e1e3a4a 100644 +index 34d09b4..3079e1e 100644 --- a/Modules/_sha3/sha3module.c +++ b/Modules/_sha3/sha3module.c @@ -161,7 +161,7 @@ static PyTypeObject SHAKE256type; @@ -1844,20 +1583,20 @@ index 34d09b45d99..3079e1e3a4a 100644 if ((m = PyModule_Create(&_SHA3module)) == NULL) { return NULL; -- -2.21.1 +2.25.4 -From 104d4b32cb6b28f48f6e03a0b9ec51126a833b72 Mon Sep 17 00:00:00 2001 +From be76f342f801a674fdbb622fd6e096bd7a09e1e6 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Fri, 26 Jul 2019 11:24:09 +0200 -Subject: [PATCH 09/32] Make hashlib importable under FIPS mode +Subject: [PATCH 07/36] Make hashlib importable under FIPS mode --- Lib/hashlib.py | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/Lib/hashlib.py b/Lib/hashlib.py -index 1bcfdf9f7f7..898e6dca565 100644 +index 1bcfdf9..898e6dc 100644 --- a/Lib/hashlib.py +++ b/Lib/hashlib.py @@ -137,12 +137,14 @@ def __get_openssl_constructor(name): @@ -1879,13 +1618,13 @@ index 1bcfdf9f7f7..898e6dca565 100644 -- -2.21.1 +2.25.4 -From 168538a496916c0b92c11c433fd0f9545c33f535 Mon Sep 17 00:00:00 2001 +From 15b34c0943d79ec7d236a5eefab636a288dc0ae1 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Fri, 26 Jul 2019 15:41:10 +0200 -Subject: [PATCH 10/32] Implement hmac.new using new built-in module, +Subject: [PATCH 08/36] Implement hmac.new using new built-in module, _hmacopenssl --- 
@@ -1898,7 +1637,7 @@ Subject: [PATCH 10/32] Implement hmac.new using new built-in module, create mode 100644 Modules/clinic/_hmacopenssl.c.h diff --git a/Lib/hmac.py b/Lib/hmac.py -index b769876e6f7..daabc8c1425 100644 +index b769876..daabc8c 100644 --- a/Lib/hmac.py +++ b/Lib/hmac.py @@ -13,6 +13,8 @@ except ImportError: @@ -1970,7 +1709,7 @@ index b769876e6f7..daabc8c1425 100644 def digest(key, msg, digest): diff --git a/Modules/_hmacopenssl.c b/Modules/_hmacopenssl.c new file mode 100644 -index 00000000000..ca95d725f01 +index 0000000..ca95d72 --- /dev/null +++ b/Modules/_hmacopenssl.c @@ -0,0 +1,396 @@ @@ -2372,7 +2111,7 @@ index 00000000000..ca95d725f01 +} diff --git a/Modules/clinic/_hmacopenssl.c.h b/Modules/clinic/_hmacopenssl.c.h new file mode 100644 -index 00000000000..b472a6eddd3 +index 0000000..b472a6e --- /dev/null +++ b/Modules/clinic/_hmacopenssl.c.h @@ -0,0 +1,133 @@ @@ -2510,7 +2249,7 @@ index 00000000000..b472a6eddd3 +} +/*[clinic end generated code: output=10b6e8cac6d7a2c9 input=a9049054013a1b77]*/ diff --git a/setup.py b/setup.py -index 0066006772f..6b376040ffc 100644 +index a16961e..3d2465d 100644 --- a/setup.py +++ b/setup.py @@ -2251,6 +2251,10 @@ class PyBuildExt(build_ext): @@ -2525,13 +2264,13 @@ index 0066006772f..6b376040ffc 100644 # RHEL: Always force OpenSSL for md5, sha1, sha256, sha512; # don't build Python's implementations. -- -2.21.1 +2.25.4 -From a5091b7016e4d86abaa733cd0dd7c0d066c4c33a Mon Sep 17 00:00:00 2001 +From f72ffcdcee6c59aa61a8df4a3bf6633d200d6417 Mon Sep 17 00:00:00 2001 From: Marcel Plch Date: Mon, 29 Jul 2019 12:45:11 +0200 -Subject: [PATCH 11/32] FIPS review +Subject: [PATCH 09/36] FIPS review * Port _hmacopenssl to multiphase init. * Make _hmacopenssl.HMAC.copy create same type as self. @@ -2542,7 +2281,7 @@ Subject: [PATCH 11/32] FIPS review 2 files changed, 70 insertions(+), 44 deletions(-) diff --git a/Lib/hmac.py b/Lib/hmac.py -index daabc8c1425..2ec24da5733 100644 +index daabc8c..2ec24da 100644 
--- a/Lib/hmac.py +++ b/Lib/hmac.py @@ -48,7 +48,7 @@ class HMAC: @@ -2555,7 +2294,7 @@ index daabc8c1425..2ec24da5733 100644 if not isinstance(key, (bytes, bytearray)): diff --git a/Modules/_hmacopenssl.c b/Modules/_hmacopenssl.c -index ca95d725f01..216ed04f236 100644 +index ca95d72..216ed04 100644 --- a/Modules/_hmacopenssl.c +++ b/Modules/_hmacopenssl.c @@ -24,7 +24,10 @@ @@ -2740,13 +2479,13 @@ index ca95d725f01..216ed04f236 100644 + return PyModuleDef_Init(&_hmacopenssl_def); } -- -2.21.1 +2.25.4 -From c482ed4a74e06d17a612d3a286772b62e5a8001a Mon Sep 17 00:00:00 2001 +From 408a7d606654249f4aaa2c26cd960b770429229c Mon Sep 17 00:00:00 2001 From: Marcel Plch Date: Mon, 29 Jul 2019 13:05:04 +0200 -Subject: [PATCH 12/32] revert cosmetic nitpick and remove trailing whitespace +Subject: [PATCH 10/36] revert cosmetic nitpick and remove trailing whitespace --- Lib/hmac.py | 2 +- @@ -2754,7 +2493,7 @@ Subject: [PATCH 12/32] revert cosmetic nitpick and remove trailing whitespace 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Lib/hmac.py b/Lib/hmac.py -index 2ec24da5733..daabc8c1425 100644 +index 2ec24da..daabc8c 100644 --- a/Lib/hmac.py +++ b/Lib/hmac.py @@ -48,7 +48,7 @@ class HMAC: @@ -2767,7 +2506,7 @@ index 2ec24da5733..daabc8c1425 100644 if not isinstance(key, (bytes, bytearray)): diff --git a/Modules/_hmacopenssl.c b/Modules/_hmacopenssl.c -index 216ed04f236..221714ca434 100644 +index 216ed04..221714c 100644 --- a/Modules/_hmacopenssl.c +++ b/Modules/_hmacopenssl.c @@ -363,7 +363,7 @@ static PyType_Slot HmacType_slots[] = { @@ -2789,13 +2528,13 @@ index 216ed04f236..221714ca434 100644 .m_methods = hmacopenssl_functions, .m_slots = hmacopenssl_slots, -- -2.21.1 +2.25.4 -From fceba59a20d8f22f618777874a63162f520bed69 Mon Sep 17 00:00:00 2001 +From 6ed4037723b1ac437cfd8401355350ef5c47f0e1 Mon Sep 17 00:00:00 2001 
From: Charalampos Stratakis Date: Wed, 31 Jul 2019 15:43:43 +0200 -Subject: [PATCH 13/32] Add initial tests for various hashes under FIPS mode +Subject: [PATCH 11/36] Add initial tests for various hashes under FIPS mode --- Lib/test/test_fips.py | 64 +++++++++++++++++++++++++++++++++++++++++++ @@ -2804,7 +2543,7 @@ Subject: [PATCH 13/32] Add initial tests for various hashes under FIPS mode diff --git a/Lib/test/test_fips.py b/Lib/test/test_fips.py new file mode 100644 -index 00000000000..bee911ef405 +index 0000000..bee911e --- /dev/null +++ b/Lib/test/test_fips.py @@ -0,0 +1,64 @@ @@ -2873,20 +2612,20 @@ index 00000000000..bee911ef405 +if __name__ == "__main__": + unittest.main() -- -2.21.1 +2.25.4 -From 556b34545c0f7d72470faeb186371ffc9c2c997c Mon Sep 17 00:00:00 2001 +From 2548227dff8ae23fb7d3dd45b6e044ff17796547 Mon Sep 17 00:00:00 2001 From: Marcel Plch Date: Thu, 1 Aug 2019 16:39:37 +0200 -Subject: [PATCH 14/32] Initialize HMAC type. +Subject: [PATCH 12/36] Initialize HMAC type. --- Modules/_hmacopenssl.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/Modules/_hmacopenssl.c b/Modules/_hmacopenssl.c -index 221714ca434..239445a0831 100644 +index 221714c..239445a 100644 --- a/Modules/_hmacopenssl.c +++ b/Modules/_hmacopenssl.c @@ -22,12 +22,12 @@ @@ -2942,13 +2681,13 @@ index 221714ca434..239445a0831 100644 fail: -- -2.21.1 +2.25.4 -From 425d95325f304b0c2a04511a9f8e62208a5bace2 Mon Sep 17 00:00:00 2001 +From 4d40c61ed97eae9169df2e526d935d4997902f97 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Thu, 1 Aug 2019 17:57:05 +0200 -Subject: [PATCH 15/32] Use a stronger hash in multiprocessing handshake +Subject: [PATCH 13/36] Use a stronger hash in multiprocessing handshake Adapted from patch by David Malcolm, https://bugs.python.org/issue17258 @@ -2957,7 +2696,7 @@ https://bugs.python.org/issue17258 1 file changed, 6 insertions(+), 2 deletions(-) 
diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py -index c9f995e5fa7..64180b245ea 100644 +index c9f995e..64180b2 100644 --- a/Lib/multiprocessing/connection.py +++ b/Lib/multiprocessing/connection.py @@ -42,6 +42,10 @@ BUFSIZE = 8192 @@ -2990,20 +2729,20 @@ index c9f995e5fa7..64180b245ea 100644 response = connection.recv_bytes(256) # reject large message if response != WELCOME: -- -2.21.1 +2.25.4 -From 5369e3fd06c84a648d056226616c6e796e014b20 Mon Sep 17 00:00:00 2001 +From bc917ee79da1166e9ff94e76bbb2a64044db2fc0 Mon Sep 17 00:00:00 2001 From: Marcel Plch Date: Fri, 2 Aug 2019 17:36:01 +0200 -Subject: [PATCH 16/32] Fix refcounting +Subject: [PATCH 14/36] Fix refcounting --- Modules/_hmacopenssl.c | 35 ++++++++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/Modules/_hmacopenssl.c b/Modules/_hmacopenssl.c -index 239445a0831..9c2882833d1 100644 +index 239445a..9c28828 100644 --- a/Modules/_hmacopenssl.c +++ b/Modules/_hmacopenssl.c @@ -373,6 +373,34 @@ static struct PyMethodDef hmacopenssl_functions[] = { @@ -3064,20 +2803,20 @@ index 239445a0831..9c2882833d1 100644 -- -2.21.1 +2.25.4 -From 11bc3a8ba5179defa0c6e86e27bdf25ab43809d4 Mon Sep 17 00:00:00 2001 +From 5807870fbc69dcd107a2fac7ce58da052d5e7fea Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 5 Aug 2019 13:37:05 +0200 -Subject: [PATCH 17/32] hmac: Don't default to md5 in FIPS mode +Subject: [PATCH 15/36] hmac: Don't default to md5 in FIPS mode --- Lib/hmac.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Lib/hmac.py b/Lib/hmac.py -index daabc8c1425..0302364642e 100644 +index daabc8c..0302364 100644 --- a/Lib/hmac.py +++ b/Lib/hmac.py @@ -173,7 +173,7 @@ def new(key, msg=None, digestmod=''): 
@@ -3090,13 +2829,13 @@ index daabc8c1425..0302364642e 100644 result = _hmacopenssl.new(key, digestmod=name) if msg: -- -2.21.1 +2.25.4 -From 074d6c62025226c381eb0191eddb86322be9d4f1 Mon Sep 17 00:00:00 2001 +From 04a69823b36ee8626aa74b40d5a631dd09759451 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 5 Aug 2019 14:20:58 +0200 -Subject: [PATCH 18/32] Make _hmacopenssl.HMAC subclassable; subclass it as +Subject: [PATCH 16/36] Make _hmacopenssl.HMAC subclassable; subclass it as hmac.HMAC under FIPS This removes the _hmacopenssl.new function. @@ -3108,7 +2847,7 @@ This removes the _hmacopenssl.new function. 4 files changed, 55 insertions(+), 87 deletions(-) diff --git a/Lib/hmac.py b/Lib/hmac.py -index 0302364642e..e4222be7dcc 100644 +index 0302364..e4222be 100644 --- a/Lib/hmac.py +++ b/Lib/hmac.py @@ -143,6 +143,8 @@ class HMAC: @@ -3159,7 +2898,7 @@ index 0302364642e..e4222be7dcc 100644 def digest(key, msg, digest): diff --git a/Lib/test/test_fips.py b/Lib/test/test_fips.py -index bee911ef405..34812e6098a 100644 +index bee911e..34812e6 100644 --- a/Lib/test/test_fips.py +++ b/Lib/test/test_fips.py @@ -54,7 +54,7 @@ class HashlibFipsTests(unittest.TestCase): @@ -3172,7 +2911,7 @@ index bee911ef405..34812e6098a 100644 diff --git a/Modules/_hmacopenssl.c b/Modules/_hmacopenssl.c -index 9c2882833d1..7d3d9739f3a 100644 +index 9c28828..7d3d973 100644 --- a/Modules/_hmacopenssl.c +++ b/Modules/_hmacopenssl.c @@ -41,33 +41,25 @@ typedef struct { @@ -3327,7 +3066,7 @@ index 9c2882833d1..7d3d9739f3a 100644 .m_size = sizeof(hmacopenssl_state), .m_traverse = hmacopenssl_traverse, diff --git a/Modules/clinic/_hmacopenssl.c.h b/Modules/clinic/_hmacopenssl.c.h -index b472a6eddd3..861acc11bfd 100644 +index b472a6e..861acc1 100644 --- a/Modules/clinic/_hmacopenssl.c.h +++ b/Modules/clinic/_hmacopenssl.c.h @@ -2,43 +2,6 @@ 
@@ -3381,20 +3120,20 @@ index b472a6eddd3..861acc11bfd 100644 -/*[clinic end generated code: output=10b6e8cac6d7a2c9 input=a9049054013a1b77]*/ +/*[clinic end generated code: output=d93ad460795d49b5 input=a9049054013a1b77]*/ -- -2.21.1 +2.25.4 -From 0cc9eab738876807a9116ee6fee57ac5757c1eb6 Mon Sep 17 00:00:00 2001 +From e0cbbc9dac64f173baa5348cf3608536ea8aea70 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 5 Aug 2019 16:10:36 +0200 -Subject: [PATCH 19/32] Fix _hmacopenssl.HMAC.block_size +Subject: [PATCH 17/36] Fix _hmacopenssl.HMAC.block_size --- Modules/_hmacopenssl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/_hmacopenssl.c b/Modules/_hmacopenssl.c -index 7d3d9739f3a..a24c8ba0229 100644 +index 7d3d973..a24c8ba 100644 --- a/Modules/_hmacopenssl.c +++ b/Modules/_hmacopenssl.c @@ -318,7 +318,7 @@ _hmacopenssl_get_block_size(HmacObject *self, void *closure) @@ -3407,13 +3146,13 @@ index 7d3d9739f3a..a24c8ba0229 100644 static PyMethodDef Hmac_methods[] = { -- -2.21.1 +2.25.4 -From 79442a65e763d1942a14f52f8ceb83d51d39ca2b Mon Sep 17 00:00:00 2001 +From d90c5c55ad983d84b09b366d4b62f06aa535fad6 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 5 Aug 2019 15:02:08 +0200 -Subject: [PATCH 20/32] distutils upload: Skip md5 checksum in FIPS mode +Subject: [PATCH 18/36] distutils upload: Skip md5 checksum in FIPS mode --- Lib/distutils/command/upload.py | 12 +++++++++++- @@ -3421,7 +3160,7 @@ Subject: [PATCH 20/32] distutils upload: Skip md5 checksum in FIPS mode 2 files changed, 22 insertions(+), 3 deletions(-) diff --git a/Lib/distutils/command/upload.py b/Lib/distutils/command/upload.py -index 11afa24b777..79a6315a43b 100644 +index 11afa24..79a6315 100644 --- a/Lib/distutils/command/upload.py +++ b/Lib/distutils/command/upload.py @@ -102,7 +102,6 @@ class upload(PyPIRCCommand): @@ -3451,7 +3190,7 @@ index 11afa24b777..79a6315a43b 100644 if self.sign: 
diff --git a/Lib/distutils/tests/test_upload.py b/Lib/distutils/tests/test_upload.py -index c17d8e7d54e..b4b64e97737 100644 +index c17d8e7..b4b64e9 100644 --- a/Lib/distutils/tests/test_upload.py +++ b/Lib/distutils/tests/test_upload.py @@ -3,6 +3,7 @@ import os @@ -3489,13 +3228,13 @@ index c17d8e7d54e..b4b64e97737 100644 def test_upload_fails(self): -- -2.21.1 +2.25.4 -From b37078729378cb7c0b93ab15da0b1e4343a0b976 Mon Sep 17 00:00:00 2001 +From 885f7b41697f252260a67d78ca8c46450843fa5e Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 5 Aug 2019 15:32:25 +0200 -Subject: [PATCH 21/32] Fix HMAC tests on FIPS mode +Subject: [PATCH 19/36] Fix HMAC tests on FIPS mode --- Lib/hmac.py | 3 +++ @@ -3503,7 +3242,7 @@ Subject: [PATCH 21/32] Fix HMAC tests on FIPS mode 2 files changed, 29 insertions(+) diff --git a/Lib/hmac.py b/Lib/hmac.py -index e4222be7dcc..394c81037b5 100644 +index e4222be..394c810 100644 --- a/Lib/hmac.py +++ b/Lib/hmac.py @@ -158,6 +158,9 @@ def _get_openssl_name(digestmod): @@ -3517,7 +3256,7 @@ index e4222be7dcc..394c81037b5 100644 result = _hmacopenssl.HMAC.__new__(cls, key, digestmod=name) if msg: diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py -index 23c108f6e3c..0a859817f68 100644 +index 23c108f..0a85981 100644 --- a/Lib/test/test_hmac.py +++ b/Lib/test/test_hmac.py @@ -288,6 +288,7 @@ class TestVectorsTestCase(unittest.TestCase): @@ -3582,20 +3321,20 @@ index 23c108f6e3c..0a859817f68 100644 def test_equality(self): # Testing if the copy has the same digests. -- -2.21.1 +2.25.4 -From 9481cec81e30e0dfaa988ade89c50bea91762856 Mon Sep 17 00:00:00 2001 +From 288d91b4752801264b37f7e94d964e1dffdee562 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 5 Aug 2019 16:37:12 +0200 -Subject: [PATCH 22/32] test_tools: Skip md5sum tests in FIPS mode +Subject: [PATCH 20/36] test_tools: Skip md5sum tests in FIPS mode --- Lib/test/test_tools/test_md5sum.py | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/Lib/test/test_tools/test_md5sum.py b/Lib/test/test_tools/test_md5sum.py -index fb565b73778..7028a4dc214 100644 +index fb565b7..7028a4d 100644 --- a/Lib/test/test_tools/test_md5sum.py +++ b/Lib/test/test_tools/test_md5sum.py @@ -4,11 +4,15 @@ import os @@ -3615,20 +3354,20 @@ index fb565b73778..7028a4dc214 100644 @classmethod def setUpClass(cls): -- -2.21.1 +2.25.4 -From a12dec28f06338b7529da9bfeda2a8fe835395d2 Mon Sep 17 00:00:00 2001 +From 2c89b2e465e60558e0e066cc42a087ee6f31d520 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 5 Aug 2019 18:23:57 +0200 -Subject: [PATCH 23/32] Make hashlib tests pass in FIPS mode +Subject: [PATCH 21/36] Make hashlib tests pass in FIPS mode --- Lib/test/test_hashlib.py | 67 ++++++++++++++++++++++++++++------------ 1 file changed, 48 insertions(+), 19 deletions(-) diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py -index 2a55fd4309f..9ae5efc451e 100644 +index 2a55fd4..9ae5efc 100644 --- a/Lib/test/test_hashlib.py +++ b/Lib/test/test_hashlib.py @@ -28,6 +28,11 @@ COMPILED_WITH_PYDEBUG = hasattr(sys, 'gettotalrefcount') @@ -3810,13 +3549,13 @@ index 2a55fd4309f..9ae5efc451e 100644 @support.reap_threads def test_threaded_hashing(self): -- -2.21.1 +2.25.4 -From 35ebfc357302e14372529a63334ca60cbec49b3e Mon Sep 17 00:00:00 2001 +From 14f26f4f378718024d0b0f300ab2f84429d23044 Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Wed, 14 Aug 2019 14:43:07 +0200 -Subject: [PATCH 24/32] distutils upload: only add md5 if available, but +Subject: [PATCH 22/36] distutils upload: only add md5 if available, but *always* use sha256 --- @@ -3825,7 +3564,7 @@ Subject: [PATCH 24/32] distutils upload: only add md5 if available, but 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/Lib/distutils/command/upload.py b/Lib/distutils/command/upload.py -index 79a6315a43b..553617a8d8f 100644 +index 79a6315..553617a 100644 --- a/Lib/distutils/command/upload.py +++ b/Lib/distutils/command/upload.py 
@@ -102,6 +102,7 @@ class upload(PyPIRCCommand): @@ -3846,7 +3585,7 @@ index 79a6315a43b..553617a8d8f 100644 # this really shouldn't fail raise diff --git a/Lib/distutils/tests/test_upload.py b/Lib/distutils/tests/test_upload.py -index b4b64e97737..f720a7905dd 100644 +index b4b64e9..f720a79 100644 --- a/Lib/distutils/tests/test_upload.py +++ b/Lib/distutils/tests/test_upload.py @@ -132,10 +132,11 @@ class uploadTestCase(BasePyPIRCCommandTestCase): @@ -3880,13 +3619,13 @@ index b4b64e97737..f720a7905dd 100644 def test_upload_fails(self): -- -2.21.1 +2.25.4 -From 36204b47f4f48d4be8e4772f4ab8fc39ca98934b Mon Sep 17 00:00:00 2001 +From 24e57cc45dc18146a583257e5825d6b6e672742d Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Fri, 13 Sep 2019 02:30:00 +0200 -Subject: [PATCH 25/32] bpo-9216: Add usedforsecurity to hashlib constructors +Subject: [PATCH 23/36] bpo-9216: Add usedforsecurity to hashlib constructors (GH-16044) The usedforsecurity keyword only argument added to the hash constructors is useful for FIPS builds and similar restrictive environment with non-technical requirements that legacy algorithms be forbidden by their implementations without being explicitly annotated as not being used for any security related purposes. Linux distros with FIPS support benefit from this being standard rather than making up their own way(s) to do it. @@ -3917,7 +3656,7 @@ Contributed and Signed-off-by: Christian Heimes christian@python.org create mode 100644 Misc/NEWS.d/next/Library/2019-09-12-14-54-45.bpo-9216.W7QMpC.rst diff --git a/Doc/library/hashlib.rst b/Doc/library/hashlib.rst -index a16c7cd4d7c..6eb3a7bb4cc 100644 +index a16c7cd..6eb3a7b 100644 --- a/Doc/library/hashlib.rst +++ b/Doc/library/hashlib.rst @@ -67,7 +67,7 @@ Constructors for hash algorithms that are always present in this module are @@ -3969,7 +3708,7 @@ index a16c7cd4d7c..6eb3a7bb4cc 100644 These functions return the corresponding hash objects for calculating 
diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py -index 9ae5efc451e..08bb91f27b1 100644 +index 9ae5efc..08bb91f 100644 --- a/Lib/test/test_hashlib.py +++ b/Lib/test/test_hashlib.py @@ -226,6 +226,15 @@ class HashLibTestCase(unittest.TestCase): @@ -3989,7 +3728,7 @@ index 9ae5efc451e..08bb91f27b1 100644 self.assertRaises(ValueError, hashlib.new, 'spam spam spam spam spam') self.assertRaises(TypeError, hashlib.new, 1) diff --git a/Lib/uuid.py b/Lib/uuid.py -index 188e16ba14e..5f3bc9e8de4 100644 +index 188e16b..5f3bc9e 100644 --- a/Lib/uuid.py +++ b/Lib/uuid.py @@ -772,8 +772,11 @@ def uuid1(node=None, clock_seq=None): @@ -4008,14 +3747,14 @@ index 188e16ba14e..5f3bc9e8de4 100644 """Generate a random UUID.""" diff --git a/Misc/NEWS.d/next/Library/2019-09-12-14-54-45.bpo-9216.W7QMpC.rst b/Misc/NEWS.d/next/Library/2019-09-12-14-54-45.bpo-9216.W7QMpC.rst new file mode 100644 -index 00000000000..a97ca4b8b4f +index 0000000..a97ca4b --- /dev/null +++ b/Misc/NEWS.d/next/Library/2019-09-12-14-54-45.bpo-9216.W7QMpC.rst @@ -0,0 +1,2 @@ +hashlib constructors now support usedforsecurity flag to signal that a +hashing algorithm is not used in a security context. diff --git a/Modules/_blake2/blake2b_impl.c b/Modules/_blake2/blake2b_impl.c -index 97ce89d33c1..16df2327930 100644 +index 97ce89d..16df232 100644 --- a/Modules/_blake2/blake2b_impl.c +++ b/Modules/_blake2/blake2b_impl.c @@ -82,6 +82,7 @@ _blake2.blake2b.__new__ as py_blake2b_new @@ -4038,7 +3777,7 @@ index 97ce89d33c1..16df2327930 100644 BLAKE2bObject *self = NULL; Py_buffer buf; diff --git a/Modules/_blake2/blake2s_impl.c b/Modules/_blake2/blake2s_impl.c -index c4447b4fe83..66a7ee567d5 100644 +index c4447b4..66a7ee5 100644 --- a/Modules/_blake2/blake2s_impl.c +++ b/Modules/_blake2/blake2s_impl.c @@ -82,6 +82,7 @@ _blake2.blake2s.__new__ as py_blake2s_new @@ -4061,7 +3800,7 @@ index c4447b4fe83..66a7ee567d5 100644 BLAKE2sObject *self = NULL; Py_buffer buf; 
diff --git a/Modules/_blake2/clinic/blake2b_impl.c.h b/Modules/_blake2/clinic/blake2b_impl.c.h -index cd329c07c99..07258c31c9b 100644 +index cd329c0..07258c3 100644 --- a/Modules/_blake2/clinic/blake2b_impl.c.h +++ b/Modules/_blake2/clinic/blake2b_impl.c.h @@ -5,7 +5,8 @@ preserve @@ -4133,7 +3872,7 @@ index cd329c07c99..07258c31c9b 100644 -/*[clinic end generated code: output=cbb625d7f60c288c input=a9049054013a1b77]*/ +/*[clinic end generated code: output=2d6d0fe9aa42a42a input=a9049054013a1b77]*/ diff --git a/Modules/_blake2/clinic/blake2s_impl.c.h b/Modules/_blake2/clinic/blake2s_impl.c.h -index 560bd68160b..71c5706fb66 100644 +index 560bd68..71c5706 100644 --- a/Modules/_blake2/clinic/blake2s_impl.c.h +++ b/Modules/_blake2/clinic/blake2s_impl.c.h @@ -5,7 +5,8 @@ preserve @@ -4205,7 +3944,7 @@ index 560bd68160b..71c5706fb66 100644 -/*[clinic end generated code: output=39af5a74c8805b36 input=a9049054013a1b77]*/ +/*[clinic end generated code: output=c80d8d06ce40a192 input=a9049054013a1b77]*/ diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c -index 625e2d2e8f6..8d0c7de2b20 100644 +index e10dbd7..29c1bd8 100644 --- a/Modules/_hashopenssl.c +++ b/Modules/_hashopenssl.c @@ -517,7 +517,7 @@ static PyTypeObject EVPtype = { @@ -4605,7 +4344,7 @@ index 625e2d2e8f6..8d0c7de2b20 100644 diff --git a/Modules/_sha3/clinic/sha3module.c.h b/Modules/_sha3/clinic/sha3module.c.h -index 554442df0ec..1c79c269391 100644 +index 554442d..1c79c26 100644 --- a/Modules/_sha3/clinic/sha3module.c.h +++ b/Modules/_sha3/clinic/sha3module.c.h @@ -2,6 +2,52 @@ @@ -4668,7 +4407,7 @@ index 554442df0ec..1c79c269391 100644 -/*[clinic end generated code: output=5b3e99b9a96471e8 input=a9049054013a1b77]*/ +/*[clinic end generated code: output=c8a97b34e80def62 input=a9049054013a1b77]*/ diff --git a/Modules/_sha3/sha3module.c b/Modules/_sha3/sha3module.c -index 3079e1e3a4a..fc8b1b262ab 100644 +index 3079e1e..fc8b1b2 100644 --- a/Modules/_sha3/sha3module.c +++ b/Modules/_sha3/sha3module.c 
@@ -171,22 +171,25 @@ newSHA3object(PyTypeObject *type) @@ -4776,7 +4515,7 @@ index 3079e1e3a4a..fc8b1b262ab 100644 Return a new SHAKE hash object."); diff --git a/Modules/clinic/_hashopenssl.c.h b/Modules/clinic/_hashopenssl.c.h -index e96a752e273..967884727bd 100644 +index e96a752..9678847 100644 --- a/Modules/clinic/_hashopenssl.c.h +++ b/Modules/clinic/_hashopenssl.c.h @@ -66,7 +66,7 @@ PyDoc_STRVAR(EVP_update__doc__, @@ -5628,7 +5367,7 @@ index e96a752e273..967884727bd 100644 -/*[clinic end generated code: output=be8e21a10dff71e7 input=a9049054013a1b77]*/ +/*[clinic end generated code: output=3db4f18f12892fa4 input=a9049054013a1b77]*/ diff --git a/Modules/clinic/md5module.c.h b/Modules/clinic/md5module.c.h -index 12484cc0e3d..c109f9efec6 100644 +index 12484cc..c109f9e 100644 --- a/Modules/clinic/md5module.c.h +++ b/Modules/clinic/md5module.c.h @@ -66,7 +66,7 @@ PyDoc_STRVAR(MD5Type_update__doc__, @@ -5691,7 +5430,7 @@ index 12484cc0e3d..c109f9efec6 100644 -/*[clinic end generated code: output=53133f08cf9095fc input=a9049054013a1b77]*/ +/*[clinic end generated code: output=dbe3abc60086f3ef input=a9049054013a1b77]*/ diff --git a/Modules/clinic/sha1module.c.h b/Modules/clinic/sha1module.c.h -index 001c6af7378..fc37b1ab880 100644 +index 001c6af..fc37b1a 100644 --- a/Modules/clinic/sha1module.c.h +++ b/Modules/clinic/sha1module.c.h @@ -66,7 +66,7 @@ PyDoc_STRVAR(SHA1Type_update__doc__, @@ -5754,7 +5493,7 @@ index 001c6af7378..fc37b1ab880 100644 -/*[clinic end generated code: output=1ae7e73ec84a27d5 input=a9049054013a1b77]*/ +/*[clinic end generated code: output=3ddd637ae17e14b3 input=a9049054013a1b77]*/ diff --git a/Modules/clinic/sha256module.c.h b/Modules/clinic/sha256module.c.h -index 658abb15cf3..2a788ea9849 100644 +index 658abb1..2a788ea 100644 --- a/Modules/clinic/sha256module.c.h +++ b/Modules/clinic/sha256module.c.h @@ -66,7 +66,7 @@ PyDoc_STRVAR(SHA256Type_update__doc__, 
@@ -5872,7 +5611,7 @@ index 658abb15cf3..2a788ea9849 100644 -/*[clinic end generated code: output=c54d0956ec88409d input=a9049054013a1b77]*/ +/*[clinic end generated code: output=c8cca8adbe72ec9a input=a9049054013a1b77]*/ diff --git a/Modules/clinic/sha512module.c.h b/Modules/clinic/sha512module.c.h -index 459a9341cfc..b8185b62bb6 100644 +index 459a934..b8185b6 100644 --- a/Modules/clinic/sha512module.c.h +++ b/Modules/clinic/sha512module.c.h @@ -66,7 +66,7 @@ PyDoc_STRVAR(SHA512Type_update__doc__, @@ -5990,7 +5729,7 @@ index 459a9341cfc..b8185b62bb6 100644 -/*[clinic end generated code: output=580df4b667084a7e input=a9049054013a1b77]*/ +/*[clinic end generated code: output=bbfa72d8703c82b5 input=a9049054013a1b77]*/ diff --git a/Modules/md5module.c b/Modules/md5module.c -index b9a351a8c1c..f2c2d32cbe7 100644 +index b9a351a..f2c2d32 100644 --- a/Modules/md5module.c +++ b/Modules/md5module.c @@ -503,13 +503,15 @@ static PyTypeObject MD5type = { @@ -6012,7 +5751,7 @@ index b9a351a8c1c..f2c2d32cbe7 100644 MD5object *new; Py_buffer buf; diff --git a/Modules/sha1module.c b/Modules/sha1module.c -index ce2ad267e77..4d191c3c488 100644 +index ce2ad26..4d191c3 100644 --- a/Modules/sha1module.c +++ b/Modules/sha1module.c @@ -480,13 +480,15 @@ static PyTypeObject SHA1type = { @@ -6034,7 +5773,7 @@ index ce2ad267e77..4d191c3c488 100644 SHA1object *new; Py_buffer buf; diff --git a/Modules/sha256module.c b/Modules/sha256module.c -index b8d6c4cf800..245f4c04542 100644 +index b8d6c4c..245f4c0 100644 --- a/Modules/sha256module.c +++ b/Modules/sha256module.c @@ -601,13 +601,15 @@ static PyTypeObject SHA256type = { @@ -6074,7 +5813,7 @@ index b8d6c4cf800..245f4c04542 100644 SHAobject *new; Py_buffer buf; diff --git a/Modules/sha512module.c b/Modules/sha512module.c -index 98b97917f4c..df4f9d2d741 100644 +index 98b9791..df4f9d2 100644 --- a/Modules/sha512module.c +++ b/Modules/sha512module.c @@ -666,13 +666,15 @@ static PyTypeObject SHA512type = { 
@@ -6114,20 +5853,20 @@ index 98b97917f4c..df4f9d2d741 100644 SHAobject *new; Py_buffer buf; -- -2.21.1 +2.25.4 -From aed5f603fda874d823ca04b562c8289bfa42d8f3 Mon Sep 17 00:00:00 2001 +From 372b2b63bf8ffb3201dc3c8d2488f6a5a55c5b21 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 26 Aug 2019 19:09:39 +0200 -Subject: [PATCH 26/32] Test the usedforsecurity flag +Subject: [PATCH 24/36] Test the usedforsecurity flag --- Lib/test/test_hashlib.py | 88 ++++++++++++++++++++++++---------------- 1 file changed, 54 insertions(+), 34 deletions(-) diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py -index 08bb91f27b1..1368e917089 100644 +index 08bb91f..1368e91 100644 --- a/Lib/test/test_hashlib.py +++ b/Lib/test/test_hashlib.py @@ -21,6 +21,7 @@ from test import support @@ -6360,13 +6099,13 @@ index 08bb91f27b1..1368e917089 100644 class KDFTests(unittest.TestCase): -- -2.21.1 +2.25.4 -From fa3ce5149806b1ef588b75681147636d55c5c604 Mon Sep 17 00:00:00 2001 +From 7e2295b42d705d7d9cc0ccea472ff93bfa268b8c Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Thu, 29 Aug 2019 10:25:28 +0200 -Subject: [PATCH 27/32] Skip error checking in _hashlib.get_fips_mode +Subject: [PATCH 25/36] Skip error checking in _hashlib.get_fips_mode Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1745499 --- @@ -6374,7 +6113,7 @@ Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1745499 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c -index 8d0c7de2b20..ed92514e786 100644 +index 29c1bd8..d208f5c 100644 --- a/Modules/_hashopenssl.c +++ b/Modules/_hashopenssl.c @@ -1249,20 +1249,22 @@ _hashlib_get_fips_mode_impl(PyObject *module) @@ -6415,13 +6154,13 @@ index 8d0c7de2b20..ed92514e786 100644 -- -2.21.1 +2.25.4 -From 282056eda492073e9e03904e8a513547fe2b9836 Mon Sep 17 00:00:00 2001 +From dd5f58152edbcac44bcb1cafbee511c44d60ff67 Mon Sep 17 00:00:00 2001 
From: Petr Viktorin Date: Thu, 10 Oct 2019 13:04:50 +0200 -Subject: [PATCH 28/32] Skip error checking in _Py_hashlib_fips_error +Subject: [PATCH 26/36] Skip error checking in _Py_hashlib_fips_error https://bugzilla.redhat.com/show_bug.cgi?id=1760106 --- @@ -6429,7 +6168,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1760106 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/Include/_hashopenssl.h b/Include/_hashopenssl.h -index 47ed0030422..d4cbdef984d 100644 +index 47ed003..d4cbdef 100644 --- a/Include/_hashopenssl.h +++ b/Include/_hashopenssl.h @@ -42,16 +42,10 @@ static int @@ -6453,13 +6192,13 @@ index 47ed0030422..d4cbdef984d 100644 } PyErr_Format(exc, "%s is not available in FIPS mode", name); -- -2.21.1 +2.25.4 -From 6c5a3b45f7754e7d19084794f573189ba38a00fa Mon Sep 17 00:00:00 2001 +From c76f0df2561ae64952f347d294aec2866e6b0586 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 5 Aug 2019 19:12:38 +0200 -Subject: [PATCH 29/32] Fixups +Subject: [PATCH 27/36] Fixups - Adjust error message of the original hmac.HMAC class - Don't duplicate a test name @@ -6469,7 +6208,7 @@ Subject: [PATCH 29/32] Fixups 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Lib/hmac.py b/Lib/hmac.py -index 394c81037b5..b2bff7d9758 100644 +index 394c810..b2bff7d 100644 --- a/Lib/hmac.py +++ b/Lib/hmac.py @@ -47,7 +47,7 @@ class HMAC: @@ -6482,7 +6221,7 @@ index 394c81037b5..b2bff7d9758 100644 ) diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py -index 0a859817f68..0b481ec9c01 100644 +index 0a85981..0b481ec 100644 --- a/Lib/test/test_hmac.py +++ b/Lib/test/test_hmac.py @@ -439,7 +439,7 @@ class CopyTestCase(unittest.TestCase): @@ -6495,13 +6234,13 @@ index 0a859817f68..0b481ec9c01 100644 h1 = hmac.HMAC(b"key", digestmod="sha1") h2 = h1.copy() -- -2.21.1 +2.25.4 -From 63426a2f6c7904800094db9fd3476a5d4711ad25 Mon Sep 17 00:00:00 2001 +From b6139620fa7aaf401ebd510a0dbca14629096f94 Mon Sep 17 00:00:00 2001 
From: Petr Viktorin Date: Mon, 26 Aug 2019 19:39:48 +0200 -Subject: [PATCH 30/32] Don't re-export get_fips_mode from hashlib +Subject: [PATCH 28/36] Don't re-export get_fips_mode from hashlib Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1745685 --- @@ -6518,7 +6257,7 @@ Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1745685 10 files changed, 41 insertions(+), 32 deletions(-) diff --git a/Lib/distutils/command/upload.py b/Lib/distutils/command/upload.py -index 553617a8d8f..8653caefc91 100644 +index 553617a..8653cae 100644 --- a/Lib/distutils/command/upload.py +++ b/Lib/distutils/command/upload.py @@ -127,7 +127,8 @@ class upload(PyPIRCCommand): @@ -6532,7 +6271,7 @@ index 553617a8d8f..8653caefc91 100644 raise else: diff --git a/Lib/distutils/tests/test_upload.py b/Lib/distutils/tests/test_upload.py -index f720a7905dd..a198b213577 100644 +index f720a79..a198b21 100644 --- a/Lib/distutils/tests/test_upload.py +++ b/Lib/distutils/tests/test_upload.py @@ -4,6 +4,7 @@ import unittest @@ -6562,7 +6301,7 @@ index f720a7905dd..a198b213577 100644 self.assertEqual(headers['Content-length'], '2207') else: diff --git a/Lib/hashlib.py b/Lib/hashlib.py -index 898e6dca565..2fc214e7efe 100644 +index 898e6dc..2fc214e 100644 --- a/Lib/hashlib.py +++ b/Lib/hashlib.py @@ -76,12 +76,12 @@ __block_openssl_constructor = { @@ -6644,7 +6383,7 @@ index 898e6dca565..2fc214e7efe 100644 del __py_new +del _hashlib_get_fips_mode diff --git a/Lib/hmac.py b/Lib/hmac.py -index b2bff7d9758..5055027bbbc 100644 +index b2bff7d..5055027 100644 --- a/Lib/hmac.py +++ b/Lib/hmac.py @@ -45,7 +45,7 @@ class HMAC: @@ -6675,7 +6414,7 @@ index b2bff7d9758..5055027bbbc 100644 diff --git a/Lib/test/test_fips.py b/Lib/test/test_fips.py -index 34812e6098a..86e61e29c0b 100644 +index 34812e6..86e61e2 100644 --- a/Lib/test/test_fips.py +++ b/Lib/test/test_fips.py @@ -6,7 +6,7 @@ import hashlib, _hashlib 
@@ -6706,7 +6445,7 @@ index 34812e6098a..86e61e29c0b 100644 self.compare_hashes(hashlib.shake_128(b'abc'), _hashlib.openssl_shake_128(b'abc')) self.compare_hashes(hashlib.shake_256(b'abc'), _hashlib.openssl_shake_256(b'abc')) diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py -index 1368e917089..a4b78406a5e 100644 +index 1368e91..a4b7840 100644 --- a/Lib/test/test_hashlib.py +++ b/Lib/test/test_hashlib.py @@ -29,7 +29,9 @@ COMPILED_WITH_PYDEBUG = hasattr(sys, 'gettotalrefcount') @@ -6772,7 +6511,7 @@ index 1368e917089..a4b78406a5e 100644 """Make sure usedforsecurity flag isn't copied to other contexts""" for i in range(3): diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py -index 0b481ec9c01..cc77928fa30 100644 +index 0b481ec..cc77928 100644 --- a/Lib/test/test_hmac.py +++ b/Lib/test/test_hmac.py @@ -5,6 +5,7 @@ import hashlib @@ -6811,7 +6550,7 @@ index 0b481ec9c01..cc77928fa30 100644 def test_realcopy(self): # Testing if the copy method created a real copy. diff --git a/Lib/test/test_smtplib.py b/Lib/test/test_smtplib.py -index d0c9862edea..9a44c0dc7af 100644 +index d0c9862..9a44c0d 100644 --- a/Lib/test/test_smtplib.py +++ b/Lib/test/test_smtplib.py @@ -17,6 +17,8 @@ import select @@ -6833,7 +6572,7 @@ index d0c9862edea..9a44c0dc7af 100644 resp = smtp.login(sim_auth[0], sim_auth[1]) self.assertEqual(resp, (235, b'Authentication Succeeded')) diff --git a/Lib/test/test_tools/test_md5sum.py b/Lib/test/test_tools/test_md5sum.py -index 7028a4dc214..3ba1ca0f146 100644 +index 7028a4d..3ba1ca0 100644 --- a/Lib/test/test_tools/test_md5sum.py +++ b/Lib/test/test_tools/test_md5sum.py @@ -4,13 +4,13 @@ import os @@ -6853,7 +6592,7 @@ index 7028a4dc214..3ba1ca0f146 100644 class MD5SumTests(unittest.TestCase): diff --git a/Lib/test/test_urllib2_localnet.py b/Lib/test/test_urllib2_localnet.py -index 1cb358f8ddc..6f5cb7fcd17 100644 +index 1cb358f..6f5cb7f 100644 --- a/Lib/test/test_urllib2_localnet.py +++ b/Lib/test/test_urllib2_localnet.py 
@@ -7,6 +7,7 @@ import http.server @@ -6865,13 +6604,13 @@ index 1cb358f8ddc..6f5cb7fcd17 100644 from test import support -- -2.21.1 +2.25.4 -From a8f87fa94aae8f8ed05607974e2bd30c54d3f3ce Mon Sep 17 00:00:00 2001 +From 1de6c9e0e86e5c661ae32517492ecdf79a372e52 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Wed, 20 Nov 2019 10:59:25 +0100 -Subject: [PATCH 31/32] Use FIPS compliant CSPRNG +Subject: [PATCH 29/36] Use FIPS compliant CSPRNG Kernel's getrandom() source is not yet FIPS compliant. Use OpenSSL's DRBG in FIPS mode and disable os.getrandom() function. @@ -6885,7 +6624,7 @@ Signed-off-by: Christian Heimes 4 files changed, 89 insertions(+), 1 deletion(-) diff --git a/Lib/test/test_os.py b/Lib/test/test_os.py -index 4a076e3bbf5..f60ad6ddbd7 100644 +index 4a076e3..f60ad6d 100644 --- a/Lib/test/test_os.py +++ b/Lib/test/test_os.py @@ -1546,6 +1546,11 @@ class GetRandomTests(unittest.TestCase): @@ -6901,7 +6640,7 @@ index 4a076e3bbf5..f60ad6ddbd7 100644 def test_getrandom_type(self): data = os.getrandom(16) diff --git a/Makefile.pre.in b/Makefile.pre.in -index 502317aa0c7..924367d2ada 100644 +index 72d202d..9c34f99 100644 --- a/Makefile.pre.in +++ b/Makefile.pre.in @@ -116,7 +116,7 @@ PY_STDMODULE_CFLAGS= $(PY_CFLAGS) $(PY_CFLAGS_NODIST) $(PY_CPPFLAGS) $(CFLAGSFOR @@ -6914,7 +6653,7 @@ index 502317aa0c7..924367d2ada 100644 CFLAGS_ALIASING=@CFLAGS_ALIASING@ diff --git a/Modules/posixmodule.c b/Modules/posixmodule.c -index b09204d6339..99d1dca1180 100644 +index 850769f..039392e 100644 --- a/Modules/posixmodule.c +++ b/Modules/posixmodule.c @@ -388,6 +388,9 @@ extern char *ctermid_r(char *); @@ -6940,7 +6679,7 @@ index b09204d6339..99d1dca1180 100644 if (bytes == NULL) { PyErr_NoMemory(); diff --git a/Python/bootstrap_hash.c b/Python/bootstrap_hash.c -index 43f5264d862..67166475a75 100644 +index 43f5264..6716647 100644 --- a/Python/bootstrap_hash.c +++ b/Python/bootstrap_hash.c @@ -409,6 +409,77 @@ dev_urandom_close(void) 
@@ -7033,13 +6772,13 @@ index 43f5264d862..67166475a75 100644 return win32_urandom((unsigned char *)buffer, size, raise); #else -- -2.21.1 +2.25.4 -From 5539f0001fb2785c2d2feea97fc2a910ca954f92 Mon Sep 17 00:00:00 2001 +From 2af1274a6f6f7eb7aeb106007fd62e9fc889a86e Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Thu, 28 Nov 2019 17:26:02 +0100 -Subject: [PATCH 32/32] Fixups for FIPS compliant CSPRNG +Subject: [PATCH 30/36] Fixups for FIPS compliant CSPRNG --- Lib/test/test_os.py | 3 ++- @@ -7047,7 +6786,7 @@ Subject: [PATCH 32/32] Fixups for FIPS compliant CSPRNG 2 files changed, 5 insertions(+), 31 deletions(-) diff --git a/Lib/test/test_os.py b/Lib/test/test_os.py -index f60ad6ddbd7..be057ad3a35 100644 +index f60ad6d..be057ad 100644 --- a/Lib/test/test_os.py +++ b/Lib/test/test_os.py @@ -28,6 +28,7 @@ import time @@ -7068,7 +6807,7 @@ index f60ad6ddbd7..be057ad3a35 100644 else: raise diff --git a/Python/bootstrap_hash.c b/Python/bootstrap_hash.c -index 67166475a75..7466d5fb5cf 100644 +index 6716647..7466d5f 100644 --- a/Python/bootstrap_hash.c +++ b/Python/bootstrap_hash.c @@ -409,40 +409,13 @@ dev_urandom_close(void) 
@@ -7132,5 +6871,275 @@ index 67166475a75..7466d5fb5cf 100644 return 0; } -- -2.21.1 +2.25.4 + + +From 17c962efe979581d12e1cf80a04b9538bdfe7c45 Mon Sep 17 00:00:00 2001 +From: Charalampos Stratakis +Date: Thu, 2 Apr 2020 16:50:37 +0200 +Subject: [PATCH 31/36] Do not raise a ValueError if digestmod is missing in + FIPS + +Python 3.8 already requires the digestmod argument and raises +a TypeError if it's missing, so we remove our downstream check +for it. +--- + Lib/hmac.py | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/Lib/hmac.py b/Lib/hmac.py +index 5055027..ee1ad76 100644 +--- a/Lib/hmac.py ++++ b/Lib/hmac.py +@@ -143,8 +143,6 @@ class HMAC: + return h.hexdigest() + + def _get_openssl_name(digestmod): +- if digestmod is None: +- raise ValueError("'digestmod' argument is mandatory in FIPS mode") + if isinstance(digestmod, str): + return digestmod.lower() + elif callable(digestmod): +-- +2.25.4 + + +From 4acd1c8665231881335b6036a8595ac3220c0220 Mon Sep 17 00:00:00 2001 +From: Charalampos Stratakis +Date: Thu, 2 Apr 2020 16:55:36 +0200 +Subject: [PATCH 32/36] Regenerate the clinic files + +--- + Modules/_hmacopenssl.c | 4 ++-- + Modules/clinic/_hmacopenssl.c.h | 22 +++++++++++++++------- + 2 files changed, 17 insertions(+), 9 deletions(-) + +diff --git a/Modules/_hmacopenssl.c b/Modules/_hmacopenssl.c +index a24c8ba..9577cad 100644 +--- a/Modules/_hmacopenssl.c ++++ b/Modules/_hmacopenssl.c +@@ -132,12 +132,12 @@ error: + /*[clinic input] + _hmacopenssl.HMAC.copy + +-Return a copy (“clone”) of the HMAC object. ++Return a copy ("clone") of the HMAC object. 
+ [clinic start generated code]*/ + + static PyObject * + _hmacopenssl_HMAC_copy_impl(HmacObject *self) +-/*[clinic end generated code: output=fe5ee41faf30dcf0 input=f5ed20feec42d8d0]*/ ++/*[clinic end generated code: output=fe5ee41faf30dcf0 input=06e7dbc1af7f4a13]*/ + { + HmacObject *retval; + +diff --git a/Modules/clinic/_hmacopenssl.c.h b/Modules/clinic/_hmacopenssl.c.h +index 861acc1..527be83 100644 +--- a/Modules/clinic/_hmacopenssl.c.h ++++ b/Modules/clinic/_hmacopenssl.c.h +@@ -6,7 +6,7 @@ PyDoc_STRVAR(_hmacopenssl_HMAC_copy__doc__, + "copy($self, /)\n" + "--\n" + "\n" +-"Return a copy (“clone”) of the HMAC object."); ++"Return a copy (\"clone\") of the HMAC object."); + + #define _HMACOPENSSL_HMAC_COPY_METHODDEF \ + {"copy", (PyCFunction)_hmacopenssl_HMAC_copy, METH_NOARGS, _hmacopenssl_HMAC_copy__doc__}, +@@ -27,21 +27,29 @@ PyDoc_STRVAR(_hmacopenssl_HMAC_update__doc__, + "Update the HMAC object with msg."); + + #define _HMACOPENSSL_HMAC_UPDATE_METHODDEF \ +- {"update", (PyCFunction)_hmacopenssl_HMAC_update, METH_FASTCALL, _hmacopenssl_HMAC_update__doc__}, ++ {"update", (PyCFunction)(void(*)(void))_hmacopenssl_HMAC_update, METH_FASTCALL|METH_KEYWORDS, _hmacopenssl_HMAC_update__doc__}, + + static PyObject * + _hmacopenssl_HMAC_update_impl(HmacObject *self, Py_buffer *msg); + + static PyObject * +-_hmacopenssl_HMAC_update(HmacObject *self, PyObject **args, Py_ssize_t nargs, PyObject *kwnames) ++_hmacopenssl_HMAC_update(HmacObject *self, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) + { + PyObject *return_value = NULL; + static const char * const _keywords[] = {"msg", NULL}; +- static _PyArg_Parser _parser = {"y*:update", _keywords, 0}; ++ static _PyArg_Parser _parser = {NULL, _keywords, "update", 0}; ++ PyObject *argsbuf[1]; + Py_buffer msg = {NULL, NULL}; + +- if (!_PyArg_ParseStack(args, nargs, kwnames, &_parser, +- &msg)) { ++ args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 1, 1, 0, argsbuf); ++ if (!args) { ++ goto exit; 
++ } ++ if (PyObject_GetBuffer(args[0], &msg, PyBUF_SIMPLE) != 0) { ++ goto exit; ++ } ++ if (!PyBuffer_IsContiguous(&msg, 'C')) { ++ _PyArg_BadArgument("update", "argument 'msg'", "contiguous buffer", args[0]); + goto exit; + } + return_value = _hmacopenssl_HMAC_update_impl(self, &msg); +@@ -93,4 +101,4 @@ _hmacopenssl_HMAC_hexdigest(HmacObject *self, PyObject *Py_UNUSED(ignored)) + { + return _hmacopenssl_HMAC_hexdigest_impl(self); + } +-/*[clinic end generated code: output=d93ad460795d49b5 input=a9049054013a1b77]*/ ++/*[clinic end generated code: output=9b75c31e1116bf6f input=a9049054013a1b77]*/ +-- +2.25.4 + + +From 900bbdc1e2d9498829731da4591f1ea4a5602fa4 Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Tue, 7 Apr 2020 15:16:45 +0200 +Subject: [PATCH 33/36] Pass kwargs (like usedforsecurity) through __hash_new + +--- + Lib/hashlib.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Lib/hashlib.py b/Lib/hashlib.py +index 2fc214e..785858f 100644 +--- a/Lib/hashlib.py ++++ b/Lib/hashlib.py +@@ -169,7 +169,7 @@ def __hash_new(name, data=b'', **kwargs): + # salt, personal, tree hashing or SSE. + return __get_builtin_constructor(name)(data, **kwargs) + try: +- return _hashlib.new(name, data) ++ return _hashlib.new(name, data, **kwargs) + except ValueError: + # If the _hashlib module (OpenSSL) doesn't support the named + # hash, try using our builtin implementations. +@@ -177,7 +177,7 @@ def __hash_new(name, data=b'', **kwargs): + # the OpenSSL library prior to 0.9.8 doesn't provide them. 
+ if _hashlib.get_fips_mode(): + raise +- return __get_builtin_constructor(name)(data) ++ return __get_builtin_constructor(name)(data, **kwargs) + + + try: +-- +2.25.4 + + +From ab62e35c2c3a71b2ff50098966e654c91fb861d0 Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Tue, 7 Apr 2020 15:18:48 +0200 +Subject: [PATCH 34/36] Adjust new upstream test for failing hashes with + usedforsecurity + +--- + Lib/test/test_hashlib.py | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py +index a4b7840..a858bf4 100644 +--- a/Lib/test/test_hashlib.py ++++ b/Lib/test/test_hashlib.py +@@ -239,15 +239,23 @@ class HashLibTestCase(unittest.TestCase): + self.assertTrue(set(hashlib.algorithms_guaranteed). + issubset(hashlib.algorithms_available)) + +- def test_usedforsecurity(self): ++ def test_usedforsecurity_false(self): + for cons in self.hash_constructors: +- cons(usedforsecurity=True) + cons(usedforsecurity=False) +- cons(b'', usedforsecurity=True) + cons(b'', usedforsecurity=False) +- hashlib.new("sha256", usedforsecurity=True) + hashlib.new("sha256", usedforsecurity=False) + ++ def test_usedforsecurity_true(self): ++ if _get_fips_mode(): ++ with self.assertRaises(ValueError): ++ hashlib.new("md5", usedforsecurity=True) ++ else: ++ for cons in self.hash_constructors: ++ cons(usedforsecurity=True) ++ cons(b'', usedforsecurity=True) ++ ++ hashlib.new("sha256", usedforsecurity=True) ++ + def test_unknown_hash(self): + self.assertRaises(ValueError, hashlib.new, 'spam spam spam spam spam') + self.assertRaises(TypeError, hashlib.new, 1) +-- +2.25.4 + + +From 2b6bf1615e9e04a688f622e4b45e0e062a09578f Mon Sep 17 00:00:00 2001 +From: Charalampos Stratakis +Date: Fri, 24 Apr 2020 19:57:16 +0200 +Subject: [PATCH 35/36] Skip the test_with_digestmod_no_default under FIPS + +Also add a new test for testing the error values of +the digestmod parameter misuse under FIPS mode. 
+--- + Lib/test/test_hmac.py | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py +index cc77928..fd068e0 100644 +--- a/Lib/test/test_hmac.py ++++ b/Lib/test/test_hmac.py +@@ -313,6 +313,7 @@ class TestVectorsTestCase(unittest.TestCase): + hmac.HMAC(b'a', b'b', digestmod=MockCrazyHash) + self.fail('Expected warning about small block_size') + ++ @unittest.skipIf(get_fips_mode(), "digestmod misuse raises different errors under FIPS mode") + def test_with_digestmod_no_default(self): + """The digestmod parameter is required as of Python 3.8.""" + with self.assertRaisesRegex(TypeError, r'required.*digestmod'): +@@ -324,6 +325,18 @@ class TestVectorsTestCase(unittest.TestCase): + with self.assertRaisesRegex(TypeError, r'required.*digestmod'): + hmac.HMAC(key, msg=data, digestmod='') + ++ @unittest.skipIf(not get_fips_mode(), "test is run only under FIPS mode") ++ def test_with_digestmod_no_default_under_fips(self): ++ """Test the error values of digestmod misuse under FIPS mode.""" ++ with self.assertRaises(TypeError): ++ key = b"\x0b" * 16 ++ data = b"Hi There" ++ hmac.HMAC(key, data, digestmod=None) ++ with self.assertRaises(ValueError): ++ hmac.new(key, data) ++ with self.assertRaises(ValueError): ++ hmac.HMAC(key, msg=data, digestmod='') ++ + + class ConstructorTestCase(unittest.TestCase): + +-- +2.25.4 + + +From 65903540be85cbd6f188f6b5e69431859d0cbc0e Mon Sep 17 00:00:00 2001 +From: Charalampos Stratakis +Date: Tue, 31 Mar 2020 18:00:42 +0200 +Subject: [PATCH 36/36] Add a sentinel value on the Hmac_members table of the + hmac module + +--- + Modules/_hmacopenssl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/Modules/_hmacopenssl.c b/Modules/_hmacopenssl.c +index 9577cad..4bd7c15 100644 +--- a/Modules/_hmacopenssl.c ++++ b/Modules/_hmacopenssl.c +@@ -337,6 +337,7 @@ static PyGetSetDef Hmac_getset[] = { + + static PyMemberDef Hmac_members[] = { + {"name", T_OBJECT, offsetof(HmacObject, name), 
READONLY, PyDoc_STR("HMAC name")}, ++ {NULL} /* Sentinel */ + }; + + PyDoc_STRVAR(hmactype_doc, +-- +2.25.4 diff --git a/SOURCES/00337-test_ssl-test_min_max_version-add-range.patch b/SOURCES/00337-test_ssl-test_min_max_version-add-range.patch deleted file mode 100644 index df60a01..0000000 --- a/SOURCES/00337-test_ssl-test_min_max_version-add-range.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 4e4445efad2d3aa17b455a2683884e500d1a7c90 Mon Sep 17 00:00:00 2001 -From: Tomas Orsava -Date: Fri, 29 Nov 2019 16:07:27 +0100 -Subject: [PATCH] Adjust the test_min_max_version in test_ssl - -to accept the new settings in RHEL 8.2 where maximum_version is set to TLS 1.3. ---- - Lib/test/test_ssl.py | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py -index 419506f..c9b2cf9 100644 ---- a/Lib/test/test_ssl.py -+++ b/Lib/test/test_ssl.py -@@ -1200,12 +1200,18 @@ class ContextTests(unittest.TestCase): - # RHEL 8 uses TLS 1.2 by default - ssl.TLSVersion.TLSv1_2 - } -+ maximum_range = { -+ # stock OpenSSL -+ ssl.TLSVersion.MAXIMUM_SUPPORTED, -+ # RHEL 8.2 requires maximum TLS 1.3 -+ ssl.TLSVersion.TLSv1_3 -+ } - - self.assertIn( - ctx.minimum_version, minimum_range - ) -- self.assertEqual( -- ctx.maximum_version, ssl.TLSVersion.MAXIMUM_SUPPORTED -+ self.assertIn( -+ ctx.maximum_version, maximum_range - ) - - ctx.minimum_version = ssl.TLSVersion.TLSv1_1 --- -2.20.1 - diff --git a/SOURCES/00350-sqlite-fix-deterministic-test.patch b/SOURCES/00350-sqlite-fix-deterministic-test.patch new file mode 100644 index 0000000..1ec23dd --- /dev/null +++ b/SOURCES/00350-sqlite-fix-deterministic-test.patch 
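Review bot: In `test_with_digestmod_no_default_under_fips` (patch 35/36), `key` and `data` are assigned inside the first `with self.assertRaises(TypeError):` block, yet the two later blocks depend on those names. Moving `key = b"\x0b" * 16` and `data = b"Hi There"` above the first `with` keeps each context manager around the single call under test. The test also pins `ValueError` for `hmac.new(key, data)` and for `digestmod=''`, while patch 31/36 removes the downstream `ValueError` on the grounds that Python 3.8 raises `TypeError`. A comment in the test saying where that `ValueError` is raised under FIPS (presumably the OpenSSL-backed HMAC path, which is not visible in this hunk) would tell callers which exception to expect.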
@@ -0,0 +1,76 @@ +commit 00a240bf7f95bbd220f1cfbf9eb58484a5f9681a +Author: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> +Date: Fri May 29 05:46:34 2020 -0700 + + bpo-40784: Fix sqlite3 deterministic test (GH-20448) + + (cherry picked from commit c610d970f5373b143bf5f5900d4645e6a90fb460) + + Co-authored-by: Erlend Egeberg Aasland + +diff --git a/Lib/sqlite3/test/userfunctions.py b/Lib/sqlite3/test/userfunctions.py +index 9501f53..c11c82e 100644 +--- a/Lib/sqlite3/test/userfunctions.py ++++ b/Lib/sqlite3/test/userfunctions.py +@@ -1,8 +1,7 @@ +-#-*- coding: iso-8859-1 -*- + # pysqlite2/test/userfunctions.py: tests for user-defined functions and + # aggregates. + # +-# Copyright (C) 2005-2007 Gerhard H�ring ++# Copyright (C) 2005-2007 Gerhard Häring + # + # This file is part of pysqlite. + # +@@ -158,6 +157,7 @@ class FunctionTests(unittest.TestCase): + self.con.create_function("isblob", 1, func_isblob) + self.con.create_function("islonglong", 1, func_islonglong) + self.con.create_function("spam", -1, func) ++ self.con.execute("create table test(t text)") + + def tearDown(self): + self.con.close() +@@ -276,18 +276,36 @@ class FunctionTests(unittest.TestCase): + val = cur.fetchone()[0] + self.assertEqual(val, 2) + ++ # Regarding deterministic functions: ++ # ++ # Between 3.8.3 and 3.15.0, deterministic functions were only used to ++ # optimize inner loops, so for those versions we can only test if the ++ # sqlite machinery has factored out a call or not. From 3.15.0 and onward, ++ # deterministic functions were permitted in WHERE clauses of partial ++ # indices, which allows testing based on syntax, iso. the query optimizer. 
++ @unittest.skipIf(sqlite.sqlite_version_info < (3, 8, 3), "Requires SQLite 3.8.3 or higher") + def CheckFuncNonDeterministic(self): + mock = unittest.mock.Mock(return_value=None) +- self.con.create_function("deterministic", 0, mock, deterministic=False) +- self.con.execute("select deterministic() = deterministic()") +- self.assertEqual(mock.call_count, 2) +- +- @unittest.skipIf(sqlite.sqlite_version_info < (3, 8, 3), "deterministic parameter not supported") ++ self.con.create_function("nondeterministic", 0, mock, deterministic=False) ++ if sqlite.sqlite_version_info < (3, 15, 0): ++ self.con.execute("select nondeterministic() = nondeterministic()") ++ self.assertEqual(mock.call_count, 2) ++ else: ++ with self.assertRaises(sqlite.OperationalError): ++ self.con.execute("create index t on test(t) where nondeterministic() is not null") ++ ++ @unittest.skipIf(sqlite.sqlite_version_info < (3, 8, 3), "Requires SQLite 3.8.3 or higher") + def CheckFuncDeterministic(self): + mock = unittest.mock.Mock(return_value=None) + self.con.create_function("deterministic", 0, mock, deterministic=True) +- self.con.execute("select deterministic() = deterministic()") +- self.assertEqual(mock.call_count, 1) ++ if sqlite.sqlite_version_info < (3, 15, 0): ++ self.con.execute("select deterministic() = deterministic()") ++ self.assertEqual(mock.call_count, 1) ++ else: ++ try: ++ self.con.execute("create index t on test(t) where deterministic() is not null") ++ except sqlite.OperationalError: ++ self.fail("Unexpected failure while creating partial index") + + @unittest.skipIf(sqlite.sqlite_version_info >= (3, 8, 3), "SQLite < 3.8.3 needed") + def CheckFuncDeterministicNotSupported(self): diff --git a/SOURCES/00351-avoid-infinite-loop-in-the-tarfile-module.patch b/SOURCES/00351-avoid-infinite-loop-in-the-tarfile-module.patch new file mode 100644 index 0000000..c9c431c --- /dev/null +++ b/SOURCES/00351-avoid-infinite-loop-in-the-tarfile-module.patch 
@@ -0,0 +1,67 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Wed, 15 Jul 2020 05:36:36 -0700 +Subject: [PATCH] 00351: Avoid infinite loop in the tarfile module + +Avoid infinite loop when reading specially crafted TAR files using the tarfile module +(CVE-2019-20907). +Fixed upstream: https://bugs.python.org/issue39017 +--- + Lib/tarfile.py | 2 ++ + Lib/test/recursion.tar | Bin 0 -> 516 bytes + Lib/test/test_tarfile.py | 7 +++++++ + .../2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst | 1 + + 4 files changed, 10 insertions(+) + create mode 100644 Lib/test/recursion.tar + create mode 100644 Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst + +diff --git a/Lib/tarfile.py b/Lib/tarfile.py +index 62d22150f5..2ea47978ff 100755 +--- a/Lib/tarfile.py ++++ b/Lib/tarfile.py +@@ -1231,6 +1231,8 @@ class TarInfo(object): + + length, keyword = match.groups() + length = int(length) ++ if length == 0: ++ raise InvalidHeaderError("invalid header") + value = buf[match.end(2) + 1:match.start(1) + length - 1] + + # Normally, we could just use "utf-8" as the encoding and "strict" +diff --git a/Lib/test/recursion.tar b/Lib/test/recursion.tar +new file mode 100644 +index 0000000000000000000000000000000000000000..b8237251964983f54ed1966297e887636cd0c5f4 +GIT binary patch +literal 516 +zcmYdFPRz+kEn=W0Fn}74P8%Xw3X=l~85kIuo0>8xq$A1Gm}!7)KUsFc41m#O8A5+e +I1_}|j06>QaCIA2c + +literal 0 +HcmV?d00001 + +diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py +index 4cd7d5370f..573be812ea 100644 +--- a/Lib/test/test_tarfile.py ++++ b/Lib/test/test_tarfile.py +@@ -395,6 +395,13 @@ class CommonReadTest(ReadTest): + with self.assertRaisesRegex(tarfile.ReadError, "unexpected end of data"): + tar.extractfile(t).read() + ++ def test_length_zero_header(self): ++ # bpo-39017 (CVE-2019-20907): reading a zero-length header should fail ++ # with an exception ++ with 
self.assertRaisesRegex(tarfile.ReadError, "file could not be opened successfully"): ++ with tarfile.open(support.findfile('recursion.tar')) as tar: ++ pass ++ + class MiscReadTestBase(CommonReadTest): + def requires_name_attribute(self): + pass +diff --git a/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst +new file mode 100644 +index 0000000000..ad26676f8b +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst +@@ -0,0 +1 @@ ++Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907). diff --git a/SOURCES/00352-resolve-hash-collisions-for-ipv4interface-and-ipv6interface.patch b/SOURCES/00352-resolve-hash-collisions-for-ipv4interface-and-ipv6interface.patch new file mode 100644 index 0000000..c01a42e --- /dev/null +++ b/SOURCES/00352-resolve-hash-collisions-for-ipv4interface-and-ipv6interface.patch 
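Review bot: The new guard in `Lib/tarfile.py`, `if length == 0: raise InvalidHeaderError("invalid header")`, has no comment saying why zero is special, and the parser loop around it starts and ends outside the hunk. Per the patch description the failure mode is an infinite loop, so a line such as `# A zero-length record would never advance the parse position (bpo-39017, CVE-2019-20907)` above the check would keep it from being dropped in a later cleanup. The check rejects only exactly zero. Whether a non-zero length shorter than the record's own `length keyword=` prefix is handled by the rest of the loop cannot be seen here and is worth confirming.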
@@ -0,0 +1,70 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Tapas Kundu <39723251+tapakund@users.noreply.github.com> +Date: Wed, 1 Jul 2020 01:00:22 +0530 +Subject: [PATCH] 00352: Resolve hash collisions for IPv4Interface and + IPv6Interface + +CVE-2020-14422 +The hash() methods of classes IPv4Interface and IPv6Interface had issue +of generating constant hash values of 32 and 128 respectively causing hash collisions. +The fix uses the hash() function to generate hash values for the objects +instead of XOR operation. +Fixed upstream: https://bugs.python.org/issue41004 +--- + Lib/ipaddress.py | 4 ++-- + Lib/test/test_ipaddress.py | 11 +++++++++++ + .../Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst | 1 + + 3 files changed, 14 insertions(+), 2 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst + +diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py +index 583f02ad54..98492136ca 100644 +--- a/Lib/ipaddress.py ++++ b/Lib/ipaddress.py +@@ -1418,7 +1418,7 @@ class IPv4Interface(IPv4Address): + return False + + def __hash__(self): +- return self._ip ^ self._prefixlen ^ int(self.network.network_address) ++ return hash((self._ip, self._prefixlen, int(self.network.network_address))) + + __reduce__ = _IPAddressBase.__reduce__ + +@@ -2092,7 +2092,7 @@ class IPv6Interface(IPv6Address): + return False + + def __hash__(self): +- return self._ip ^ self._prefixlen ^ int(self.network.network_address) ++ return hash((self._ip, self._prefixlen, int(self.network.network_address))) + + __reduce__ = _IPAddressBase.__reduce__ + +diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py +index 1cef4217bc..7de444af4a 100644 +--- a/Lib/test/test_ipaddress.py ++++ b/Lib/test/test_ipaddress.py +@@ -1990,6 +1990,17 @@ class IpaddrUnitTest(unittest.TestCase): + sixtofouraddr.sixtofour) + self.assertFalse(bad_addr.sixtofour) + ++ # issue41004 Hash collisions in IPv4Interface and IPv6Interface ++ def 
testV4HashIsNotConstant(self): ++ ipv4_address1 = ipaddress.IPv4Interface("1.2.3.4") ++ ipv4_address2 = ipaddress.IPv4Interface("2.3.4.5") ++ self.assertNotEqual(ipv4_address1.__hash__(), ipv4_address2.__hash__()) ++ ++ # issue41004 Hash collisions in IPv4Interface and IPv6Interface ++ def testV6HashIsNotConstant(self): ++ ipv6_address1 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:1") ++ ipv6_address2 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:2") ++ self.assertNotEqual(ipv6_address1.__hash__(), ipv6_address2.__hash__()) + + if __name__ == '__main__': + unittest.main() +diff --git a/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst +new file mode 100644 +index 0000000000..f5a9db52ff +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst +@@ -0,0 +1 @@ ++CVE-2020-14422: The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address). diff --git a/SOURCES/Python-3.8.0.tar.xz.asc b/SOURCES/Python-3.8.0.tar.xz.asc deleted file mode 100644 index 942a421..0000000 --- a/SOURCES/Python-3.8.0.tar.xz.asc +++ /dev/null 
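Review bot: `testV4HashIsNotConstant` and `testV6HashIsNotConstant` compare only two host addresses with the default prefix, so the prefix-length and network-address components of the new tuple are not exercised, and nothing pins that equal interfaces hash equal. I would add one case per family with explicit prefixes, for example `self.assertNotEqual(hash(ipaddress.IPv4Interface("1.2.3.4/24")), hash(ipaddress.IPv4Interface("1.2.3.4/16")))` and `self.assertEqual(hash(ipaddress.IPv4Interface("1.2.3.4/24")), hash(ipaddress.IPv4Interface("1.2.3.4/24")))`. Calling `hash(x)` instead of `x.__hash__()` also exercises the path that dicts and sets use.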
@@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAl2kmqsACgkQsmmV4xAl -BWgUvRAAjomYhRM5CBKP99ygaTKAqeTHVnJt32O8n3OHPWL6YSSm2GBSnX4fhtqn -uX9VysXFc90zEX+ww2+n2+IwDzsddItWtdZfNnVAUeBs8GNGpq5KbnGX7LB7+orp -nJPcDUMsF2Mutuk7fREr8KHFUGSyMkUj+bh/1Ml+R7LGoTtPKywqtu7X0ACoJ3N0 -hds0qd79o8u5i2N5rLWfuj6/1HmorNwNhtJo7vIACZIUyIKP3rB8WXtE8+drptuv -ApYJdxE74iixntMuk6sCwPKBquIzwfEI3NzcmtJCV32cpASHB3+8FHJIlp94++9y -AUF4Kxp3aQui1XaeeLRdIpprl6M+PwB6tTQKoSkkecTVysj5GOdBRFEhGl5bFNO9 -DSiHU7uy8JkeOZVdcz4zIdZnlUUtCq4Ycpc8PXKjI0kbHlsp38y7F8lFNP10UY/D -iKDDGxQowCtVgKCORNhmKWCmEZcgbDZA9EAz9rgCdhPY7we3Qdj68L820ELxJeQj -50ss/6GcIJK1jgOSXng7DvUhlpsp5avhaM3iWnqCtU+a2fOVm0pQR826q62majLR -uui7SDKtVPU7VaLetfppuNjI3T8xUX86niSRtmlYjsjweJ+jXJWTnkkHUNI04UjH -2WANZRJ10NXl7UVRlnGYVzAcslyabnnlRw6Zf1haWtAWTLyP7Tw= -=bg98 ------END PGP SIGNATURE----- diff --git a/SOURCES/Python-3.8.3.tar.xz.asc b/SOURCES/Python-3.8.3.tar.xz.asc new file mode 100644 index 0000000..42c7be3 --- /dev/null +++ b/SOURCES/Python-3.8.3.tar.xz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAl68Z1QACgkQsmmV4xAl +BWhdxQ/+PUi0er9eBEaWNaatCsEDXnBvrCs1OooL3WWJ2GC5zf3buMwj2pFOZf9D +YFFGdomhYhvRnyQCJQSXuWJXQaafzKAl1tvkgS2ycOnLvCJ/qw71SqorQxkMGK1m +TYZyLEapNkXrfDXRHfGybuVlNsHw9++abpEITqwucTWm9LiHZoF/zdK+JX/5RYQ0 +bfb8819DMZEyCsF+S8Jo6ZNyEIQyQxidFFt5HbMllFwsgzu37P8RqGSIoVNFJ8n9 +f7BWfXAIyGr7pIlJ+3qBYDXOeOx8iwIUxGu3Gbmiri+dlxz28Iei4mxPYHG4ji5B +3zMsqKcaVAMHzKuAwdF5ZbUg0DRRJweNoiDOsfKp0CI814pXmOLH0zi9OiLrxBzj +7v9H3dAPMC2f2zAFdNcjYVBRovCxIork/Lj3+6jGn67+8oV+eb23gnN5YpDAFAAu +ybtrt6fEi0uVJuxUl+MO5HkSmH3sLggVDskvuWPFLiuahcbSuiZoCvlB+osO9J0H +el/3Awv5TjckY/EVDt1T61aYLX0CHNcb8c/CjAf0OSd/96WxV3svtusllqcSYwiC +NxBRf0klpGn0Tpa+9hTAMc4dEKILgao1KsKiI8dj8YY3HcE0Lb3y9UdFcIDLCeqn +Sk5turYyKak7apZTY31/0eqqCUl/RlZwpmxVUUNViwR5F2ZPeAQ= +=jF/G +-----END PGP SIGNATURE----- diff --git a/SPECS/python38.spec b/SPECS/python38.spec index 6a1326d..2eeeb29 100644 
--- a/SPECS/python38.spec +++ b/SPECS/python38.spec @@ -13,11 +13,11 @@ URL: https://www.python.org/ # WARNING When rebasing to a new Python version, # remember to update the python3-docs package as well -%global general_version %{pybasever}.0 +%global general_version %{pybasever}.3 #global prerel ... %global upstream_version %{general_version}%{?prerel} Version: %{general_version}%{?prerel:~%{prerel}} -Release: 6%{?dist} +Release: 3%{?dist} License: Python # Exclude i686 arch. Due to a modularity issue it's being added to the @@ -62,6 +62,9 @@ ExcludeArch: i686 # Expensive optimizations (mainly, profile-guided optimizations) %bcond_without optimizations +# https://fedoraproject.org/wiki/Changes/PythonNoSemanticInterpositionSpeedup +%bcond_without no_semantic_interposition + # Run the test suite in %%check %bcond_without tests @@ -141,16 +144,6 @@ ExcludeArch: i686 # on files that test invalid syntax. %undefine py_auto_byte_compile -# For multilib support, files that are different between 32- and 64-bit arches -# need different filenames. Use "64" or "32" according to the word size. -# Currently, the best way to determine an architecture's word size happens to -# be checking %%{_lib}. -%if "%{_lib}" == "lib64" -%global wordsize 64 -%else -%global wordsize 32 -%endif - # ======================= # Build-time requirements @@ -170,6 +163,7 @@ BuildRequires: gcc-c++ %if %{with gdbm} BuildRequires: gdbm-devel %endif +BuildRequires: git-core BuildRequires: glibc-all-langpacks BuildRequires: glibc-devel BuildRequires: gmp-devel @@ -260,6 +254,8 @@ Patch111: 00111-no-static-lib.patch # 00189 # # Instead of bundled wheels, use our RPM packaged wheels from # /usr/share/python38-wheels +# Downstream only: upstream bundles +# We might eventually pursuit upstream support, but it's low prio Patch189: 00189-use-rpm-wheels.patch # 00251 
@@ -267,6 +263,7 @@ Patch189: 00189-use-rpm-wheels.patch # to /usr/local if executable is /usr/bin/python* and RPM build # is not detected to make pip and distutils install into separate location # Fedora Change: https://fedoraproject.org/wiki/Changes/Making_sudo_pip_safe +# Downstream only: Awaiting resources to work on upstream PEP Patch251: 00251-change-user-install-location.patch # 00274 # @@ -276,6 +273,8 @@ Patch274: 00274-fix-arch-names.patch # 00328 # # Restore pyc to TIMESTAMP invalidation mode as default in rpmbubild # See https://src.fedoraproject.org/rpms/redhat-rpm-config/pull-request/57#comment-27426 +# Downstream only: only used when building RPM packages +# Ideally, we should talk to upstream and explain why we don't want this Patch328: 00328-pyc-timestamp-invalidation-mode.patch # 00329 # 
@@ -301,10 +300,28 @@ Patch328: 00328-pyc-timestamp-invalidation-mode.patch # Resolves: rhbz#1731424 Patch329: 00329-fips.patch -# 00337 # -# Adjust the test_min_max_version in test_ssl to accept the new settings in -# RHEL 8.2 where maximum_version is set to TLS 1.3 -Patch337: 00337-test_ssl-test_min_max_version-add-range.patch +# 00350 # +# bpo-40784: Fix sqlite3 deterministic test (GH-20448) +# https://bugs.python.org/issue40784 +# https://github.com/python/cpython/commit/00a240bf7f95bbd220f1cfbf9eb58484a5f9681a +Patch350: 00350-sqlite-fix-deterministic-test.patch + +# 00351 # +# Avoid infinite loop when reading specially crafted TAR files using the tarfile module +# (CVE-2019-20907). +# See: https://bugs.python.org/issue39017 +Patch351: 00351-avoid-infinite-loop-in-the-tarfile-module.patch + +# 00352 # +# Resolve hash collisions for IPv4Interface and IPv6Interface +# +# CVE-2020-14422 +# The hash() methods of classes IPv4Interface and IPv6Interface had issue +# of generating constant hash values of 32 and 128 respectively causing hash collisions. +# The fix uses the hash() function to generate hash values for the objects +# instead of XOR operation. +# Fixed upstream: https://bugs.python.org/issue41004 +Patch352: 00352-resolve-hash-collisions-for-ipv4interface-and-ipv6interface.patch # (New patches go here ^^^) # @@ -441,6 +458,10 @@ Provides: bundled(python38-setuptools) = 41.2.0 # See https://bugzilla.redhat.com/show_bug.cgi?id=1547131 Recommends: %{name}%{?_isa} = %{version}-%{release} +# tkinter is part of the standard library, +# but it is torn out to save an unwanted dependency on tk and X11. +# we recommend it when tk is already installed (for better UX) +Recommends: (%{name}-tkinter%{?_isa} = %{version}-%{release} if tk%{?_isa}) %description libs This package contains runtime libraries for use by Python: 
@@ -649,8 +670,12 @@ rm Lib/ensurepip/_bundled/*.whl %patch274 -p1 %patch328 -p1 %patch329 -p1 -%patch337 -p1 +%patch350 -p1 +# Patch 351 adds binary file for testing. We need to apply it using Git. +git apply %{PATCH351} + +%patch352 -p1 # Remove files that should be generated by the build # (This is after patching, so that we can use patches directly from upstream) @@ -692,14 +717,14 @@ topdir=$(pwd) # Fedora packages utilizing %%py3_build will use them as well # https://fedoraproject.org/wiki/Changes/Python_Extension_Flags export CFLAGS="%{extension_cflags} -D_GNU_SOURCE -fPIC -fwrapv" -export CFLAGS_NODIST="%{build_cflags} -D_GNU_SOURCE -fPIC -fwrapv -fno-semantic-interposition" +export CFLAGS_NODIST="%{build_cflags} -D_GNU_SOURCE -fPIC -fwrapv%{?with_no_semantic_interposition: -fno-semantic-interposition}" export CXXFLAGS="%{extension_cxxflags} -D_GNU_SOURCE -fPIC -fwrapv" export CPPFLAGS="$(pkg-config --cflags-only-I libffi)" export OPT="%{extension_cflags} -D_GNU_SOURCE -fPIC -fwrapv" export LINKCC="gcc" export CFLAGS="$CFLAGS $(pkg-config --cflags openssl)" export LDFLAGS="%{extension_ldflags} -g $(pkg-config --libs-only-L openssl)" -export LDFLAGS_NODIST="%{build_ldflags} -fno-semantic-interposition -g $(pkg-config --libs-only-L openssl)" +export LDFLAGS_NODIST="%{build_ldflags}%{?with_no_semantic_interposition: -fno-semantic-interposition} -g $(pkg-config --libs-only-L openssl)" # We can build several different configurations of Python: regular and debug. # Define a common function that does one build: @@ -804,7 +829,7 @@ mkdir -p %{buildroot}$DirHoldingGdbPy # Filanames are defined here: %global _pyconfig32_h pyconfig-32.h %global _pyconfig64_h pyconfig-64.h -%global _pyconfig_h pyconfig-%{wordsize}.h +%global _pyconfig_h pyconfig-%{__isa_bits}.h # Use a common function to do an install for all our configurations: InstallPython() { 
@@ -1082,6 +1107,7 @@ CheckPython() { LD_LIBRARY_PATH=$ConfDir $ConfDir/python -m test.pythoninfo # Run the upstream test suite + # --timeout=1800: kill test running for longer than 30 minutes # test_gdb skipped on s390x: # https://bugzilla.redhat.com/show_bug.cgi?id=1678277 # test_gdb skipped everywhere: @@ -1090,7 +1116,7 @@ CheckPython() { # distutils.tests.test_bdist_rpm tests fail when bootstraping the Python # package: rpmbuild requires /usr/bin/pythonX.Y to be installed LD_LIBRARY_PATH=$ConfDir $ConfDir/python -m test.regrtest \ - -wW --slowest -j0 \ + -wW --slowest -j0 --timeout=1800 \ %if %{with bootstrap} -x test_distutils \ %endif @@ -1690,7 +1716,7 @@ fi %ghost %{_bindir}/python3-debug-config %{_libdir}/libpython%{LDVERSION_debug}.so -%{_libdir}/libpython%{LDVERSION_debug}.so.1.0 +%{_libdir}/libpython%{LDVERSION_debug}.so.%{py_SOVERSION} %{_libdir}/pkgconfig/python-%{LDVERSION_debug}.pc %{_libdir}/pkgconfig/python-%{LDVERSION_debug}-embed.pc 
@@ -1732,6 +1758,40 @@ fi # ====================================================== %changelog +* Mon Aug 17 2020 Tomas Orsava - 3.8.3-3 +- Avoid infinite loop when reading specially crafted TAR files (CVE-2019-20907) +Resolves: rhbz#1856481 +- Resolve hash collisions for Pv4Interface and IPv6Interface (CVE-2020-14422) +Resolves: rhbz#1854926 + +* Wed Jun 24 2020 Tomas Orsava - 3.8.3-2 +- Fix sqlite3 deterministic test +Related: rhbz#1847416 + +* Wed Jun 24 2020 Tomas Orsava - 3.8.3-1 +- Rebased to 3.8.3 final +- Backported changes from Fedora + - Recommend python3-tkinter when tk is installed + - Add bcond for no_semantic_interposition (enabled by default) + - Update the ensurepip module to work with setuptools >= 45 +Resolves: rhbz#1847416 + +* Thu May 07 2020 Charalampos Stratakis - 3.8.0-10 +- Fix test_hashlib and test_hmac under FIPS mode +Resolves: rhbz#1812477 + +* Thu Apr 23 2020 Lumír Balhar - 3.8.0-9 +- Fix ensurepip to run pip via runpy to fix compatibility with pip 19.3.1 +Resolves: rhbz#1827623 + +* Wed Apr 22 2020 Charalampos Stratakis - 3.8.0-8 +- Skip test_startup_imports from test_site if we have a .pth file in sys.path +Resolves: rhbz#1815643 + +* Fri Apr 03 2020 Charalampos Stratakis - 3.8.0-7 +- Security fix for CVE-2020-8492 +Resolves: rhbz#1810622 + * Mon Feb 24 2020 Tomas Orsava - 3.8.0-6 - Implement alternatives for /usr/bin/python, python3 and related executables - Resolves: rhbz#1807041