diff --git a/.gitignore b/.gitignore
index 0968fc9..47eb58c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/Python-3.8.6.tar.xz
+SOURCES/Python-3.8.11.tar.xz
diff --git a/.rh-python38-python.metadata b/.rh-python38-python.metadata
index 1f2c00d..3ec451b 100644
--- a/.rh-python38-python.metadata
+++ b/.rh-python38-python.metadata
@@ -1 +1 @@
-6ee446eaacf901a3305565bd6569e2de135168e3 SOURCES/Python-3.8.6.tar.xz
+1561060627fd171de19c53eb374cd92d2f297bff SOURCES/Python-3.8.11.tar.xz
diff --git a/SOURCES/00189-use-rpm-wheels.patch b/SOURCES/00189-use-rpm-wheels.patch
index eefa59c..498c727 100644
--- a/SOURCES/00189-use-rpm-wheels.patch
+++ b/SOURCES/00189-use-rpm-wheels.patch
@@ -1,4 +1,4 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From 91c30b058ad9ab85debef8ffc058656c689fd1ac Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?=
 Date: Wed, 15 Aug 2018 15:36:29 +0200
 Subject: [PATCH] 00189: Instead of bundled wheels, use our RPM packaged wheels
@@ -8,11 +8,11 @@ We keep them in /usr/share/python-wheels
 Downstream only: upstream bundles
 We might eventually pursuit upstream support, but it's low prio
 ---
- Lib/ensurepip/__init__.py | 32 ++++++++++++++++++++++----------
- 1 file changed, 22 insertions(+), 10 deletions(-)
+ Lib/ensurepip/__init__.py | 33 +++++++++++++++++++++++----------
+ 1 file changed, 23 insertions(+), 10 deletions(-)

 diff --git a/Lib/ensurepip/__init__.py b/Lib/ensurepip/__init__.py
-index 9415fd73b8..f58dab1800 100644
+index 597a1ef..9206d11 100644
 --- a/Lib/ensurepip/__init__.py
 +++ b/Lib/ensurepip/__init__.py
 @@ -1,6 +1,7 @@
@@ -24,16 +24,16 @@ index 9415fd73b8..f58dab1800 100644 import sys import runpy import tempfile -@@ -8,10 +9,24 @@ import tempfile +@@ -9,9 +10,24 @@ import subprocess __all__ = ["version", "bootstrap"] +-_SETUPTOOLS_VERSION = "56.0.0" +_WHEEL_DIR = "/opt/rh/rh-python38/root/usr/share/python38-wheels/" --_SETUPTOOLS_VERSION = "49.2.1" +-_PIP_VERSION = "21.1.1" +_wheels = {} - --_PIP_VERSION = "20.2.1" ++ +def _get_most_recent_wheel_version(pkg): + prefix = os.path.join(_WHEEL_DIR, "{}-".format(pkg)) + _wheels[pkg] = {} @@ -51,7 +51,7 @@ index 9415fd73b8..f58dab1800 100644 _PROJECTS = [ ("setuptools", _SETUPTOOLS_VERSION, "py3"), -@@ -105,13 +120,10 @@ def _bootstrap(*, root=None, upgrade=False, user=False, +@@ -101,13 +117,10 @@ def _bootstrap(*, root=None, upgrade=False, user=False, # additional paths that need added to sys.path additional_paths = [] for project, version, py_tag in _PROJECTS: @@ -69,3 +69,6 @@ index 9415fd73b8..f58dab1800 100644 additional_paths.append(os.path.join(tmpdir, wheel_name)) +-- +2.31.1 + diff --git a/SOURCES/00329-fips.patch b/SOURCES/00329-fips.patch index a241c6f..a8c0cd4 100644 --- a/SOURCES/00329-fips.patch +++ b/SOURCES/00329-fips.patch @@ -1,4 +1,4 @@ -From bf82908a9c0bba5af2cf8a69fb89777041baeb6b Mon Sep 17 00:00:00 2001 +From d54aed1a92a08776306d49d0828d84257b7f9fa3 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Thu, 25 Jul 2019 16:19:52 +0200 Subject: [PATCH 01/41] Expose OpenSSL FIPS_mode() as hashlib.get_fips_mode() @@ -10,7 +10,7 @@ Subject: [PATCH 01/41] Expose OpenSSL FIPS_mode() as hashlib.get_fips_mode() 3 files changed, 66 insertions(+), 1 deletion(-) diff --git a/Lib/hashlib.py b/Lib/hashlib.py -index 56873b7278..63ae8368ab 100644 +index 56873b7..63ae836 100644 --- a/Lib/hashlib.py +++ b/Lib/hashlib.py @@ -243,6 +243,11 @@ try: @@ -26,12 +26,12 @@ index 56873b7278..63ae8368ab 100644 for __func_name in __always_supported: # try them all, some may not work due to the OpenSSL 
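Review bot: `_WHEEL_DIR` in the `@@ -24,16 +24,16 @@` hunk of SOURCES/00189-use-rpm-wheels.patch has no comment stating the trust assumption it carries. The rebased patch still drops upstream's pinned `_SETUPTOOLS_VERSION` / `_PIP_VERSION` and, judging by the visible lines of `_get_most_recent_wheel_version`, derives the version from whatever wheel files sit under that directory, so ensurepip appears to install what it finds there without a pin. I would add above the constant: `# Wheels here are installed as-is; the directory must be RPM-owned and not writable by unprivileged users.` The body of `_get_most_recent_wheel_version` continues outside the hunk, so whether it validates file names any further cannot be seen from here.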
diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c -index edadbcb393..9874b06891 100644 +index 93bf25f..2409522 100644 --- a/Modules/_hashopenssl.c +++ b/Modules/_hashopenssl.c -@@ -26,6 +26,9 @@ +@@ -33,6 +33,9 @@ #include - #include "openssl/err.h" + #include +/* Expose FIPS_mode */ +#include @@ -39,7 +39,7 @@ index edadbcb393..9874b06891 100644 #ifndef OPENSSL_THREADS # error "OPENSSL_THREADS is not defined, Python requires thread-safe OpenSSL" #endif -@@ -1072,12 +1075,46 @@ generate_hash_name_list(void) +@@ -1079,12 +1082,46 @@ generate_hash_name_list(void) return state.set; } @@ -87,7 +87,7 @@ index edadbcb393..9874b06891 100644 _HASHLIB_OPENSSL_MD5_METHODDEF _HASHLIB_OPENSSL_SHA1_METHODDEF diff --git a/Modules/clinic/_hashopenssl.c.h b/Modules/clinic/_hashopenssl.c.h -index 9aaea47e83..30fd8a9796 100644 +index 9aaea47..30fd8a9 100644 --- a/Modules/clinic/_hashopenssl.c.h +++ b/Modules/clinic/_hashopenssl.c.h @@ -620,7 +620,30 @@ exit: @@ -123,10 +123,10 @@ index 9aaea47e83..30fd8a9796 100644 -/*[clinic end generated code: output=38c2637f67e9bb79 input=a9049054013a1b77]*/ +/*[clinic end generated code: output=5467006d93e7479e input=a9049054013a1b77]*/ -- -2.25.4 +2.31.1 -From 0299c1e1b84ef07cb801633451fbc5964aec62ea Mon Sep 17 00:00:00 2001 +From b5fb5767c8d4aabae7f920d7d4416ac52d570919 Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Thu, 25 Jul 2019 17:04:06 +0200 Subject: [PATCH 02/41] Use python's fall backs for the crypto it implements @@ -138,7 +138,7 @@ Subject: [PATCH 02/41] Use python's fall backs for the crypto it implements 2 files changed, 81 insertions(+), 127 deletions(-) diff --git a/Lib/hashlib.py b/Lib/hashlib.py -index 63ae8368ab..1bcfdf9f7f 100644 +index 63ae836..1bcfdf9 100644 --- a/Lib/hashlib.py +++ b/Lib/hashlib.py @@ -68,7 +68,6 @@ __all__ = __always_supported + ('new', 'algorithms_guaranteed', @@ -410,7 +410,7 @@ index 63ae8368ab..1bcfdf9f7f 100644 +if not get_fips_mode(): + del __py_new 
diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py -index 8b53d23ef5..e9abcbb929 100644 +index 8b53d23..e9abcbb 100644 --- a/Lib/test/test_hashlib.py +++ b/Lib/test/test_hashlib.py @@ -945,6 +945,7 @@ class KDFTests(unittest.TestCase): @@ -422,10 +422,10 @@ index 8b53d23ef5..e9abcbb929 100644 self._test_pbkdf2_hmac(py_hashlib.pbkdf2_hmac) -- -2.25.4 +2.31.1 -From 407ab33921568bbc22c915173d9bc226e927d321 Mon Sep 17 00:00:00 2001 +From eddcda1ab30d2b7b39f9c967f6b8293a91a1d08e Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Thu, 25 Jul 2019 17:19:06 +0200 Subject: [PATCH 03/41] Disable Python's hash implementations in FIPS mode, @@ -444,7 +444,7 @@ Subject: [PATCH 03/41] Disable Python's hash implementations in FIPS mode, diff --git a/Include/_hashopenssl.h b/Include/_hashopenssl.h new file mode 100644 -index 0000000000..a726c0d3fb +index 0000000..a726c0d --- /dev/null +++ b/Include/_hashopenssl.h @@ -0,0 +1,66 @@ @@ -515,7 +515,7 @@ index 0000000000..a726c0d3fb + +#endif // !Py_HASHOPENSSL_H diff --git a/Modules/_blake2/blake2b_impl.c b/Modules/_blake2/blake2b_impl.c -index edab31ea22..1daf5c38e2 100644 +index edab31e..1daf5c3 100644 --- a/Modules/_blake2/blake2b_impl.c +++ b/Modules/_blake2/blake2b_impl.c @@ -14,6 +14,7 @@ @@ -545,7 +545,7 @@ index edab31ea22..1daf5c38e2 100644 if (self->lock == NULL && buf.len >= HASHLIB_GIL_MINSIZE) diff --git a/Modules/_blake2/blake2module.c b/Modules/_blake2/blake2module.c -index e2a3d420d4..817b716568 100644 +index e2a3d42..817b716 100644 --- a/Modules/_blake2/blake2module.c +++ b/Modules/_blake2/blake2module.c @@ -9,6 +9,7 @@ @@ -566,7 +566,7 @@ index e2a3d420d4..817b716568 100644 if (m == NULL) return NULL; diff --git a/Modules/_blake2/blake2s_impl.c b/Modules/_blake2/blake2s_impl.c -index ef2f7e1980..389711abf1 100644 +index ef2f7e1..389711a 100644 --- a/Modules/_blake2/blake2s_impl.c +++ b/Modules/_blake2/blake2s_impl.c @@ -14,6 +14,7 @@ 
@@ -596,10 +596,10 @@ index ef2f7e1980..389711abf1 100644 if (self->lock == NULL && buf.len >= HASHLIB_GIL_MINSIZE) diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c -index 9874b06891..d733a39059 100644 +index 2409522..a51c502 100644 --- a/Modules/_hashopenssl.c +++ b/Modules/_hashopenssl.c -@@ -17,6 +17,7 @@ +@@ -24,6 +24,7 @@ #include "structmember.h" #include "hashlib.h" #include "pystrhex.h" @@ -607,18 +607,18 @@ index 9874b06891..d733a39059 100644 /* EVP is the preferred interface to hashing in OpenSSL */ -@@ -24,10 +25,6 @@ +@@ -31,10 +32,6 @@ #include /* We use the object interface to discover what hashes OpenSSL supports. */ #include --#include "openssl/err.h" +-#include - -/* Expose FIPS_mode */ -#include #ifndef OPENSSL_THREADS # error "OPENSSL_THREADS is not defined, Python requires thread-safe OpenSSL" -@@ -69,38 +66,6 @@ class _hashlib.HASH "EVPobject *" "&EVPtype" +@@ -76,38 +73,6 @@ class _hashlib.HASH "EVPobject *" "&EVPtype" [clinic start generated code]*/ /*[clinic end generated code: output=da39a3ee5e6b4b0d input=a881a5092eecad28]*/ @@ -658,7 +658,7 @@ index 9874b06891..d733a39059 100644 py_digest_name(const EVP_MD *md) { diff --git a/Modules/_sha3/sha3module.c b/Modules/_sha3/sha3module.c -index c1fb6185e2..34d09b45d9 100644 +index c1fb618..34d09b4 100644 --- a/Modules/_sha3/sha3module.c +++ b/Modules/_sha3/sha3module.c @@ -18,6 +18,7 @@ @@ -695,10 +695,10 @@ index c1fb6185e2..34d09b45d9 100644 return NULL; } diff --git a/setup.py b/setup.py -index 6340669fff..ef9c8c62e3 100644 +index c28c096..55dc7ba 100644 --- a/setup.py +++ b/setup.py -@@ -1688,7 +1688,6 @@ class PyBuildExt(build_ext): +@@ -1673,7 +1673,6 @@ class PyBuildExt(build_ext): def detect_modules(self): self.configure_compiler() self.init_inc_lib_dirs() 
@@ -706,7 +706,7 @@ index 6340669fff..ef9c8c62e3 100644 self.detect_simple_extensions() if TEST_EXTENSIONS: self.detect_test_extensions() -@@ -2187,7 +2186,7 @@ class PyBuildExt(build_ext): +@@ -2161,7 +2160,7 @@ class PyBuildExt(build_ext): sources=sources, depends=depends)) @@ -715,7 +715,7 @@ index 6340669fff..ef9c8c62e3 100644 # Detect SSL support for the socket module (via _ssl) config_vars = sysconfig.get_config_vars() -@@ -2208,7 +2207,7 @@ class PyBuildExt(build_ext): +@@ -2182,7 +2181,7 @@ class PyBuildExt(build_ext): if not openssl_libs: # libssl and libcrypto not found self.missing.extend(['_ssl', '_hashlib']) @@ -724,7 +724,7 @@ index 6340669fff..ef9c8c62e3 100644 # Find OpenSSL includes ssl_incs = find_file( -@@ -2216,7 +2215,7 @@ class PyBuildExt(build_ext): +@@ -2190,7 +2189,7 @@ class PyBuildExt(build_ext): ) if ssl_incs is None: self.missing.extend(['_ssl', '_hashlib']) @@ -733,7 +733,7 @@ index 6340669fff..ef9c8c62e3 100644 # OpenSSL 1.0.2 uses Kerberos for KRB5 ciphers krb5_h = find_file( -@@ -2226,12 +2225,23 @@ class PyBuildExt(build_ext): +@@ -2200,12 +2199,23 @@ class PyBuildExt(build_ext): if krb5_h: ssl_incs.extend(krb5_h) @@ -757,10 +757,10 @@ index 6340669fff..ef9c8c62e3 100644 - library_dirs=openssl_libdirs, - libraries=openssl_libs, + **self.detect_openssl_args(), - depends=['socketmodule.h', '_ssl/debughelpers.c']) - ) - else: -@@ -2239,22 +2249,12 @@ class PyBuildExt(build_ext): + depends=[ + 'socketmodule.h', + '_ssl/debughelpers.c', +@@ -2218,22 +2228,12 @@ class PyBuildExt(build_ext): self.add(Extension('_hashlib', ['_hashopenssl.c'], depends=['hashlib.h'], @@ -787,7 +787,7 @@ index 6340669fff..ef9c8c62e3 100644 blake2_deps = glob(os.path.join(escape(self.srcdir), 'Modules/_blake2/impl/*')) -@@ -2264,14 +2264,16 @@ class PyBuildExt(build_ext): +@@ -2243,14 +2243,16 @@ class PyBuildExt(build_ext): ['_blake2/blake2module.c', '_blake2/blake2b_impl.c', '_blake2/blake2s_impl.c'], 
@@ -807,10 +807,10 @@ index 6340669fff..ef9c8c62e3 100644 def detect_nis(self): if MS_WINDOWS or CYGWIN or HOST_PLATFORM == 'qnx6': -- -2.25.4 +2.31.1 -From c29a5b0db94e2f422af7e3d11be64608133de7d0 Mon Sep 17 00:00:00 2001 +From e05a02937dbe7f3bf9ad138ba1cb1c4fdbc1f1de Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Thu, 12 Dec 2019 16:58:31 +0100 Subject: [PATCH 04/41] Expose all hashes available to OpenSSL @@ -821,10 +821,10 @@ Subject: [PATCH 04/41] Expose all hashes available to OpenSSL 2 files changed, 447 insertions(+), 1 deletion(-) diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c -index d733a39059..69822685dc 100644 +index a51c502..713e15a 100644 --- a/Modules/_hashopenssl.c +++ b/Modules/_hashopenssl.c -@@ -194,6 +194,12 @@ py_digest_by_name(const char *name) +@@ -201,6 +201,12 @@ py_digest_by_name(const char *name) else if (!strcmp(name, "blake2b512")) { digest = EVP_blake2b512(); } @@ -837,7 +837,7 @@ index d733a39059..69822685dc 100644 #endif } -@@ -712,6 +718,142 @@ _hashlib_openssl_sha512_impl(PyObject *module, PyObject *data_obj) +@@ -719,6 +725,142 @@ _hashlib_openssl_sha512_impl(PyObject *module, PyObject *data_obj) return EVP_fast_new(module, data_obj, EVP_sha512()); } @@ -980,7 +980,7 @@ index d733a39059..69822685dc 100644 /*[clinic input] _hashlib.pbkdf2_hmac as pbkdf2_hmac -@@ -1087,6 +1229,14 @@ static struct PyMethodDef EVP_functions[] = { +@@ -1094,6 +1236,14 @@ static struct PyMethodDef EVP_functions[] = { _HASHLIB_OPENSSL_SHA256_METHODDEF _HASHLIB_OPENSSL_SHA384_METHODDEF _HASHLIB_OPENSSL_SHA512_METHODDEF @@ -996,7 +996,7 @@ index d733a39059..69822685dc 100644 }; diff --git a/Modules/clinic/_hashopenssl.c.h b/Modules/clinic/_hashopenssl.c.h -index 30fd8a9796..e96a752e27 100644 +index 30fd8a9..e96a752 100644 --- a/Modules/clinic/_hashopenssl.c.h +++ b/Modules/clinic/_hashopenssl.c.h @@ -331,6 +331,302 @@ exit: 
@@ -1309,10 +1309,10 @@ index 30fd8a9796..e96a752e27 100644 -/*[clinic end generated code: output=5467006d93e7479e input=a9049054013a1b77]*/ +/*[clinic end generated code: output=be8e21a10dff71e7 input=a9049054013a1b77]*/ -- -2.25.4 +2.31.1 -From a3fd1f95a5f805f045c64c3fbae0323d990ec604 Mon Sep 17 00:00:00 2001 +From ac0b7a45bde60c58dd10a16d2af4c7b65e4af44c Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Thu, 25 Jul 2019 18:13:45 +0200 Subject: [PATCH 05/41] Fix tests @@ -1322,7 +1322,7 @@ Subject: [PATCH 05/41] Fix tests 1 file changed, 45 insertions(+), 13 deletions(-) diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py -index e9abcbb929..2a55fd4309 100644 +index e9abcbb..2a55fd4 100644 --- a/Lib/test/test_hashlib.py +++ b/Lib/test/test_hashlib.py @@ -190,7 +190,9 @@ class HashLibTestCase(unittest.TestCase): @@ -1441,10 +1441,10 @@ index e9abcbb929..2a55fd4309 100644 @requires_sha3 def test_extra_sha3(self): -- -2.25.4 +2.31.1 -From 4d258bd88fcac695da827f7662fb467cf839bccf Mon Sep 17 00:00:00 2001 +From 13d3be0925244b22c4bdd1ffa6c2801239ad2167 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Fri, 26 Jul 2019 11:27:57 +0200 Subject: [PATCH 06/41] Change FIPS exceptions from _blake2, _sha3 module init @@ -1459,7 +1459,7 @@ Subject: [PATCH 06/41] Change FIPS exceptions from _blake2, _sha3 module init 5 files changed, 13 insertions(+), 14 deletions(-) diff --git a/Include/_hashopenssl.h b/Include/_hashopenssl.h -index a726c0d3fb..47ed003042 100644 +index a726c0d..47ed003 100644 --- a/Include/_hashopenssl.h +++ b/Include/_hashopenssl.h @@ -39,7 +39,7 @@ _setException(PyObject *exc) @@ -1495,7 +1495,7 @@ index a726c0d3fb..47ed003042 100644 #endif // !Py_HASHOPENSSL_H diff --git a/Modules/_blake2/blake2b_impl.c b/Modules/_blake2/blake2b_impl.c -index 1daf5c38e2..97ce89d33c 100644 +index 1daf5c3..97ce89d 100644 --- a/Modules/_blake2/blake2b_impl.c +++ b/Modules/_blake2/blake2b_impl.c 
@@ -97,7 +97,7 @@ py_blake2b_new_impl(PyTypeObject *type, PyObject *data, int digest_size, @@ -1517,7 +1517,7 @@ index 1daf5c38e2..97ce89d33c 100644 GET_BUFFER_VIEW_OR_ERROUT(data, &buf); diff --git a/Modules/_blake2/blake2module.c b/Modules/_blake2/blake2module.c -index 817b716568..a9c7cbc7eb 100644 +index 817b716..a9c7cbc 100644 --- a/Modules/_blake2/blake2module.c +++ b/Modules/_blake2/blake2module.c @@ -58,7 +58,7 @@ PyInit__blake2(void) @@ -1530,7 +1530,7 @@ index 817b716568..a9c7cbc7eb 100644 m = PyModule_Create(&blake2_module); if (m == NULL) diff --git a/Modules/_blake2/blake2s_impl.c b/Modules/_blake2/blake2s_impl.c -index 389711abf1..c4447b4fe8 100644 +index 389711a..c4447b4 100644 --- a/Modules/_blake2/blake2s_impl.c +++ b/Modules/_blake2/blake2s_impl.c @@ -97,7 +97,7 @@ py_blake2s_new_impl(PyTypeObject *type, PyObject *data, int digest_size, @@ -1552,7 +1552,7 @@ index 389711abf1..c4447b4fe8 100644 GET_BUFFER_VIEW_OR_ERROUT(data, &buf); diff --git a/Modules/_sha3/sha3module.c b/Modules/_sha3/sha3module.c -index 34d09b45d9..3079e1e3a4 100644 +index 34d09b4..3079e1e 100644 --- a/Modules/_sha3/sha3module.c +++ b/Modules/_sha3/sha3module.c @@ -161,7 +161,7 @@ static PyTypeObject SHAKE256type; @@ -1583,10 +1583,10 @@ index 34d09b45d9..3079e1e3a4 100644 if ((m = PyModule_Create(&_SHA3module)) == NULL) { return NULL; -- -2.25.4 +2.31.1 -From d95c4a53870ba803cb51885596a04201b6925fbe Mon Sep 17 00:00:00 2001 +From 5518aa29cd744f77aa81ede6c04f09ee83f5203e Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Fri, 26 Jul 2019 11:24:09 +0200 Subject: [PATCH 07/41] Make hashlib importable under FIPS mode @@ -1596,7 +1596,7 @@ Subject: [PATCH 07/41] Make hashlib importable under FIPS mode 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/Lib/hashlib.py b/Lib/hashlib.py -index 1bcfdf9f7f..898e6dca56 100644 +index 1bcfdf9..898e6dc 100644 --- a/Lib/hashlib.py +++ b/Lib/hashlib.py @@ -137,12 +137,14 @@ def __get_openssl_constructor(name): 
@@ -1618,10 +1618,10 @@ index 1bcfdf9f7f..898e6dca56 100644 -- -2.25.4 +2.31.1 -From 44a5d9c94d8ce6244e330debcb9fcf5aa27af25b Mon Sep 17 00:00:00 2001 +From 6dcb2e1eb5b96bf094f47b5c40a3d615c6edd7e4 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Fri, 26 Jul 2019 15:41:10 +0200 Subject: [PATCH 08/41] Implement hmac.new using new built-in module, @@ -1637,7 +1637,7 @@ Subject: [PATCH 08/41] Implement hmac.new using new built-in module, create mode 100644 Modules/clinic/_hmacopenssl.c.h diff --git a/Lib/hmac.py b/Lib/hmac.py -index b769876e6f..daabc8c142 100644 +index b769876..daabc8c 100644 --- a/Lib/hmac.py +++ b/Lib/hmac.py @@ -13,6 +13,8 @@ except ImportError: @@ -1709,7 +1709,7 @@ index b769876e6f..daabc8c142 100644 def digest(key, msg, digest): diff --git a/Modules/_hmacopenssl.c b/Modules/_hmacopenssl.c new file mode 100644 -index 0000000000..ca95d725f0 +index 0000000..ca95d72 --- /dev/null +++ b/Modules/_hmacopenssl.c @@ -0,0 +1,396 @@ @@ -2111,7 +2111,7 @@ index 0000000000..ca95d725f0 +} diff --git a/Modules/clinic/_hmacopenssl.c.h b/Modules/clinic/_hmacopenssl.c.h new file mode 100644 -index 0000000000..b472a6eddd +index 0000000..b472a6e --- /dev/null +++ b/Modules/clinic/_hmacopenssl.c.h @@ -0,0 +1,133 @@ @@ -2249,10 +2249,10 @@ index 0000000000..b472a6eddd +} +/*[clinic end generated code: output=10b6e8cac6d7a2c9 input=a9049054013a1b77]*/ diff --git a/setup.py b/setup.py -index ef9c8c62e3..a07e9b1483 100644 +index 55dc7ba..530b2b9 100644 --- a/setup.py +++ b/setup.py -@@ -2251,6 +2251,10 @@ class PyBuildExt(build_ext): +@@ -2230,6 +2230,10 @@ class PyBuildExt(build_ext): depends=['hashlib.h'], **self.detect_openssl_args()) ) @@ -2264,10 +2264,10 @@ index ef9c8c62e3..a07e9b1483 100644 # RHEL: Always force OpenSSL for md5, sha1, sha256, sha512; # don't build Python's implementations. -- -2.25.4 +2.31.1 -From 26ae748271a10ee0a2afccfee3c966d3b32bc5c0 Mon Sep 17 00:00:00 2001 +From e8b5a08c069ca74ad0d03b3d24e976ed309f2d51 Mon Sep 17 00:00:00 2001 
From: Marcel Plch Date: Mon, 29 Jul 2019 12:45:11 +0200 Subject: [PATCH 09/41] FIPS review @@ -2281,7 +2281,7 @@ Subject: [PATCH 09/41] FIPS review 2 files changed, 70 insertions(+), 44 deletions(-) diff --git a/Lib/hmac.py b/Lib/hmac.py -index daabc8c142..2ec24da573 100644 +index daabc8c..2ec24da 100644 --- a/Lib/hmac.py +++ b/Lib/hmac.py @@ -48,7 +48,7 @@ class HMAC: @@ -2294,7 +2294,7 @@ index daabc8c142..2ec24da573 100644 if not isinstance(key, (bytes, bytearray)): diff --git a/Modules/_hmacopenssl.c b/Modules/_hmacopenssl.c -index ca95d725f0..216ed04f23 100644 +index ca95d72..216ed04 100644 --- a/Modules/_hmacopenssl.c +++ b/Modules/_hmacopenssl.c @@ -24,7 +24,10 @@ @@ -2479,10 +2479,10 @@ index ca95d725f0..216ed04f23 100644 + return PyModuleDef_Init(&_hmacopenssl_def); } -- -2.25.4 +2.31.1 -From 7ae1499029f158f0fde7f0f56c64e79bf0826564 Mon Sep 17 00:00:00 2001 +From 2287d248eb872fb2887dcd297f81821a365c5bd7 Mon Sep 17 00:00:00 2001 From: Marcel Plch Date: Mon, 29 Jul 2019 13:05:04 +0200 Subject: [PATCH 10/41] revert cosmetic nitpick and remove trailing whitespace @@ -2493,7 +2493,7 @@ Subject: [PATCH 10/41] revert cosmetic nitpick and remove trailing whitespace 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Lib/hmac.py b/Lib/hmac.py -index 2ec24da573..daabc8c142 100644 +index 2ec24da..daabc8c 100644 --- a/Lib/hmac.py +++ b/Lib/hmac.py @@ -48,7 +48,7 @@ class HMAC: @@ -2506,7 +2506,7 @@ index 2ec24da573..daabc8c142 100644 if not isinstance(key, (bytes, bytearray)): diff --git a/Modules/_hmacopenssl.c b/Modules/_hmacopenssl.c -index 216ed04f23..221714ca43 100644 +index 216ed04..221714c 100644 --- a/Modules/_hmacopenssl.c +++ b/Modules/_hmacopenssl.c @@ -363,7 +363,7 @@ static PyType_Slot HmacType_slots[] = { 
@@ -2528,10 +2528,10 @@ index 216ed04f23..221714ca43 100644 .m_methods = hmacopenssl_functions, .m_slots = hmacopenssl_slots, -- -2.25.4 +2.31.1 -From a9569c81de9ef83cb6d7103af060a8d062a52c2d Mon Sep 17 00:00:00 2001 +From 51cf699618f52000bd008fcb0dcf8d8b5920874f Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Wed, 31 Jul 2019 15:43:43 +0200 Subject: [PATCH 11/41] Add initial tests for various hashes under FIPS mode @@ -2543,7 +2543,7 @@ Subject: [PATCH 11/41] Add initial tests for various hashes under FIPS mode diff --git a/Lib/test/test_fips.py b/Lib/test/test_fips.py new file mode 100644 -index 0000000000..bee911ef40 +index 0000000..bee911e --- /dev/null +++ b/Lib/test/test_fips.py @@ -0,0 +1,64 @@ @@ -2612,10 +2612,10 @@ index 0000000000..bee911ef40 +if __name__ == "__main__": + unittest.main() -- -2.25.4 +2.31.1 -From 8722f9cda080e8ddf2567c6e3b88c18c504b2640 Mon Sep 17 00:00:00 2001 +From 3be0869c7207c360467572787a49a3d46fe32e7c Mon Sep 17 00:00:00 2001 From: Marcel Plch Date: Thu, 1 Aug 2019 16:39:37 +0200 Subject: [PATCH 12/41] Initialize HMAC type. @@ -2625,7 +2625,7 @@ Subject: [PATCH 12/41] Initialize HMAC type. 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/Modules/_hmacopenssl.c b/Modules/_hmacopenssl.c -index 221714ca43..239445a083 100644 +index 221714c..239445a 100644 --- a/Modules/_hmacopenssl.c +++ b/Modules/_hmacopenssl.c @@ -22,12 +22,12 @@ @@ -2681,10 +2681,10 @@ index 221714ca43..239445a083 100644 fail: -- -2.25.4 +2.31.1 -From 89df966055de04cd7c1d7098fe7dddf68ba92374 Mon Sep 17 00:00:00 2001 +From f555b248b8c69c55b04435b087b030ba20e6752b Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Thu, 1 Aug 2019 17:57:05 +0200 Subject: [PATCH 13/41] Use a stronger hash in multiprocessing handshake @@ -2696,7 +2696,7 @@ https://bugs.python.org/issue17258 1 file changed, 6 insertions(+), 2 deletions(-) 
diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py -index 8e2facf92a..bb4acb6f7c 100644 +index 8e2facf..bb4acb6 100644 --- a/Lib/multiprocessing/connection.py +++ b/Lib/multiprocessing/connection.py @@ -42,6 +42,10 @@ BUFSIZE = 8192 @@ -2729,10 +2729,10 @@ index 8e2facf92a..bb4acb6f7c 100644 response = connection.recv_bytes(256) # reject large message if response != WELCOME: -- -2.25.4 +2.31.1 -From d3492303bd43569a6715a802b79ae424cd3d962f Mon Sep 17 00:00:00 2001 +From 0c6347dd8c3ab923d3f82d7b1cb1bb1ad2ab10d4 Mon Sep 17 00:00:00 2001 From: Marcel Plch Date: Fri, 2 Aug 2019 17:36:01 +0200 Subject: [PATCH 14/41] Fix refcounting @@ -2742,7 +2742,7 @@ Subject: [PATCH 14/41] Fix refcounting 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/Modules/_hmacopenssl.c b/Modules/_hmacopenssl.c -index 239445a083..9c2882833d 100644 +index 239445a..9c28828 100644 --- a/Modules/_hmacopenssl.c +++ b/Modules/_hmacopenssl.c @@ -373,6 +373,34 @@ static struct PyMethodDef hmacopenssl_functions[] = { @@ -2803,10 +2803,10 @@ index 239445a083..9c2882833d 100644 -- -2.25.4 +2.31.1 -From 8b7d0583c67b17ea2480e6eefebbde746f03c549 Mon Sep 17 00:00:00 2001 +From a166ebb3c810072fe2022168ddea0349b6a8076d Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 5 Aug 2019 13:37:05 +0200 Subject: [PATCH 15/41] hmac: Don't default to md5 in FIPS mode @@ -2816,7 +2816,7 @@ Subject: [PATCH 15/41] hmac: Don't default to md5 in FIPS mode 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Lib/hmac.py b/Lib/hmac.py -index daabc8c142..0302364642 100644 +index daabc8c..0302364 100644 --- a/Lib/hmac.py +++ b/Lib/hmac.py @@ -173,7 +173,7 @@ def new(key, msg=None, digestmod=''): @@ -2829,10 +2829,10 @@ index daabc8c142..0302364642 100644 result = _hmacopenssl.new(key, digestmod=name) if msg: -- -2.25.4 +2.31.1 -From 49761c639075d4c21922e99bb63fccb8f210255b Mon Sep 17 00:00:00 2001 +From 417131ce3035aa5147a03de0d4f602703e8e4d44 Mon Sep 17 00:00:00 2001 
From: Petr Viktorin Date: Mon, 5 Aug 2019 14:20:58 +0200 Subject: [PATCH 16/41] Make _hmacopenssl.HMAC subclassable; subclass it as @@ -2847,7 +2847,7 @@ This removes the _hmacopenssl.new function. 4 files changed, 55 insertions(+), 87 deletions(-) diff --git a/Lib/hmac.py b/Lib/hmac.py -index 0302364642..e4222be7dc 100644 +index 0302364..e4222be 100644 --- a/Lib/hmac.py +++ b/Lib/hmac.py @@ -143,6 +143,8 @@ class HMAC: @@ -2898,7 +2898,7 @@ index 0302364642..e4222be7dc 100644 def digest(key, msg, digest): diff --git a/Lib/test/test_fips.py b/Lib/test/test_fips.py -index bee911ef40..34812e6098 100644 +index bee911e..34812e6 100644 --- a/Lib/test/test_fips.py +++ b/Lib/test/test_fips.py @@ -54,7 +54,7 @@ class HashlibFipsTests(unittest.TestCase): @@ -2911,7 +2911,7 @@ index bee911ef40..34812e6098 100644 diff --git a/Modules/_hmacopenssl.c b/Modules/_hmacopenssl.c -index 9c2882833d..7d3d9739f3 100644 +index 9c28828..7d3d973 100644 --- a/Modules/_hmacopenssl.c +++ b/Modules/_hmacopenssl.c @@ -41,33 +41,25 @@ typedef struct { @@ -3066,7 +3066,7 @@ index 9c2882833d..7d3d9739f3 100644 .m_size = sizeof(hmacopenssl_state), .m_traverse = hmacopenssl_traverse, diff --git a/Modules/clinic/_hmacopenssl.c.h b/Modules/clinic/_hmacopenssl.c.h -index b472a6eddd..861acc11bf 100644 +index b472a6e..861acc1 100644 --- a/Modules/clinic/_hmacopenssl.c.h +++ b/Modules/clinic/_hmacopenssl.c.h @@ -2,43 +2,6 @@ @@ -3120,10 +3120,10 @@ index b472a6eddd..861acc11bf 100644 -/*[clinic end generated code: output=10b6e8cac6d7a2c9 input=a9049054013a1b77]*/ +/*[clinic end generated code: output=d93ad460795d49b5 input=a9049054013a1b77]*/ -- -2.25.4 +2.31.1 -From b1b297625e38a69203ed6f37031453b085196e7a Mon Sep 17 00:00:00 2001 +From 6934cc42d90aa66b1b1a6adb124ec13212959bc5 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 5 Aug 2019 16:10:36 +0200 Subject: [PATCH 17/41] Fix _hmacopenssl.HMAC.block_size 
@@ -3133,7 +3133,7 @@ Subject: [PATCH 17/41] Fix _hmacopenssl.HMAC.block_size 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/_hmacopenssl.c b/Modules/_hmacopenssl.c -index 7d3d9739f3..a24c8ba022 100644 +index 7d3d973..a24c8ba 100644 --- a/Modules/_hmacopenssl.c +++ b/Modules/_hmacopenssl.c @@ -318,7 +318,7 @@ _hmacopenssl_get_block_size(HmacObject *self, void *closure) @@ -3146,10 +3146,10 @@ index 7d3d9739f3..a24c8ba022 100644 static PyMethodDef Hmac_methods[] = { -- -2.25.4 +2.31.1 -From 325007f6c9d0c40095e49241241f534dd9e7a156 Mon Sep 17 00:00:00 2001 +From e927240965dabc6f823b8ca7354310685f133fae Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 5 Aug 2019 15:02:08 +0200 Subject: [PATCH 18/41] distutils upload: Skip md5 checksum in FIPS mode @@ -3160,7 +3160,7 @@ Subject: [PATCH 18/41] distutils upload: Skip md5 checksum in FIPS mode 2 files changed, 22 insertions(+), 3 deletions(-) diff --git a/Lib/distutils/command/upload.py b/Lib/distutils/command/upload.py -index 11afa24b77..79a6315a43 100644 +index 11afa24..79a6315 100644 --- a/Lib/distutils/command/upload.py +++ b/Lib/distutils/command/upload.py @@ -102,7 +102,6 @@ class upload(PyPIRCCommand): @@ -3190,7 +3190,7 @@ index 11afa24b77..79a6315a43 100644 if self.sign: diff --git a/Lib/distutils/tests/test_upload.py b/Lib/distutils/tests/test_upload.py -index c17d8e7d54..b4b64e9773 100644 +index c17d8e7..b4b64e9 100644 --- a/Lib/distutils/tests/test_upload.py +++ b/Lib/distutils/tests/test_upload.py @@ -3,6 +3,7 @@ import os @@ -3228,10 +3228,10 @@ index c17d8e7d54..b4b64e9773 100644 def test_upload_fails(self): -- -2.25.4 +2.31.1 -From 6abc9f4a9b9173876ed4fd681c5b68bb06fd8710 Mon Sep 17 00:00:00 2001 +From 77c348456f599b3ac8b1a5cecb066b97738f1f56 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 5 Aug 2019 15:32:25 +0200 Subject: [PATCH 19/41] Fix HMAC tests on FIPS mode @@ -3242,7 +3242,7 @@ Subject: [PATCH 19/41] Fix HMAC tests on FIPS mode 2 files changed, 29 insertions(+) 
diff --git a/Lib/hmac.py b/Lib/hmac.py -index e4222be7dc..394c81037b 100644 +index e4222be..394c810 100644 --- a/Lib/hmac.py +++ b/Lib/hmac.py @@ -158,6 +158,9 @@ def _get_openssl_name(digestmod): @@ -3256,7 +3256,7 @@ index e4222be7dc..394c81037b 100644 result = _hmacopenssl.HMAC.__new__(cls, key, digestmod=name) if msg: diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py -index 23c108f6e3..0a859817f6 100644 +index 23c108f..0a85981 100644 --- a/Lib/test/test_hmac.py +++ b/Lib/test/test_hmac.py @@ -288,6 +288,7 @@ class TestVectorsTestCase(unittest.TestCase): @@ -3321,10 +3321,10 @@ index 23c108f6e3..0a859817f6 100644 def test_equality(self): # Testing if the copy has the same digests. -- -2.25.4 +2.31.1 -From 3c1d0a4a4a4feaa60a586a63b29a1c2ee34a8f61 Mon Sep 17 00:00:00 2001 +From acb2faa3322c84309e81d0ec40896e3805e44a7b Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 5 Aug 2019 16:37:12 +0200 Subject: [PATCH 20/41] test_tools: Skip md5sum tests in FIPS mode @@ -3334,7 +3334,7 @@ Subject: [PATCH 20/41] test_tools: Skip md5sum tests in FIPS mode 1 file changed, 4 insertions(+) diff --git a/Lib/test/test_tools/test_md5sum.py b/Lib/test/test_tools/test_md5sum.py -index fb565b7377..7028a4dc21 100644 +index fb565b7..7028a4d 100644 --- a/Lib/test/test_tools/test_md5sum.py +++ b/Lib/test/test_tools/test_md5sum.py @@ -4,11 +4,15 @@ import os @@ -3354,10 +3354,10 @@ index fb565b7377..7028a4dc21 100644 @classmethod def setUpClass(cls): -- -2.25.4 +2.31.1 -From 6a9c0d440e44dc8eb91d61473f7ea3594d5cd5cc Mon Sep 17 00:00:00 2001 +From c2a57a58289463014525ef2facd39226478ff731 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 5 Aug 2019 18:23:57 +0200 Subject: [PATCH 21/41] Make hashlib tests pass in FIPS mode @@ -3367,7 +3367,7 @@ Subject: [PATCH 21/41] Make hashlib tests pass in FIPS mode 1 file changed, 48 insertions(+), 19 deletions(-) 
diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py -index 2a55fd4309..9ae5efc451 100644 +index 2a55fd4..9ae5efc 100644 --- a/Lib/test/test_hashlib.py +++ b/Lib/test/test_hashlib.py @@ -28,6 +28,11 @@ COMPILED_WITH_PYDEBUG = hasattr(sys, 'gettotalrefcount') @@ -3549,10 +3549,10 @@ index 2a55fd4309..9ae5efc451 100644 @support.reap_threads def test_threaded_hashing(self): -- -2.25.4 +2.31.1 -From dff29a0ceefd0da169e16f2a789d8610aed895e7 Mon Sep 17 00:00:00 2001 +From 45e045f5d5acfbe5d97ed3cc5f42949a3c5c0510 Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Wed, 14 Aug 2019 14:43:07 +0200 Subject: [PATCH 22/41] distutils upload: only add md5 if available, but @@ -3564,7 +3564,7 @@ Subject: [PATCH 22/41] distutils upload: only add md5 if available, but 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/Lib/distutils/command/upload.py b/Lib/distutils/command/upload.py -index 79a6315a43..553617a8d8 100644 +index 79a6315..553617a 100644 --- a/Lib/distutils/command/upload.py +++ b/Lib/distutils/command/upload.py @@ -102,6 +102,7 @@ class upload(PyPIRCCommand): @@ -3585,7 +3585,7 @@ index 79a6315a43..553617a8d8 100644 # this really shouldn't fail raise diff --git a/Lib/distutils/tests/test_upload.py b/Lib/distutils/tests/test_upload.py -index b4b64e9773..f720a7905d 100644 +index b4b64e9..f720a79 100644 --- a/Lib/distutils/tests/test_upload.py +++ b/Lib/distutils/tests/test_upload.py @@ -132,10 +132,11 @@ class uploadTestCase(BasePyPIRCCommandTestCase): @@ -3619,10 +3619,10 @@ index b4b64e9773..f720a7905d 100644 def test_upload_fails(self): -- -2.25.4 +2.31.1 -From 53dd5be242b76911f3701409f80790b16310f597 Mon Sep 17 00:00:00 2001 +From c0e9a47796c2959f7aecdad8dfc8ffda54974250 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Fri, 13 Sep 2019 02:30:00 +0200 Subject: [PATCH 23/41] bpo-9216: Add usedforsecurity to hashlib constructors @@ -3656,7 +3656,7 @@ Contributed and 
Signed-off-by: Christian Heimes christian@python.org create mode 100644 Misc/NEWS.d/next/Library/2019-09-12-14-54-45.bpo-9216.W7QMpC.rst diff --git a/Doc/library/hashlib.rst b/Doc/library/hashlib.rst -index a16c7cd4d7..6eb3a7bb4c 100644 +index f5da6ec..86b9f65 100644 --- a/Doc/library/hashlib.rst +++ b/Doc/library/hashlib.rst @@ -67,7 +67,7 @@ Constructors for hash algorithms that are always present in this module are @@ -3708,7 +3708,7 @@ index a16c7cd4d7..6eb3a7bb4c 100644 These functions return the corresponding hash objects for calculating diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py -index 9ae5efc451..08bb91f27b 100644 +index 9ae5efc..08bb91f 100644 --- a/Lib/test/test_hashlib.py +++ b/Lib/test/test_hashlib.py @@ -226,6 +226,15 @@ class HashLibTestCase(unittest.TestCase): @@ -3728,7 +3728,7 @@ index 9ae5efc451..08bb91f27b 100644 self.assertRaises(ValueError, hashlib.new, 'spam spam spam spam spam') self.assertRaises(TypeError, hashlib.new, 1) diff --git a/Lib/uuid.py b/Lib/uuid.py -index 9540c21e65..be724ba2fd 100644 +index 9540c21..be724ba 100644 --- a/Lib/uuid.py +++ b/Lib/uuid.py @@ -774,8 +774,11 @@ def uuid1(node=None, clock_seq=None): @@ -3747,14 +3747,14 @@ index 9540c21e65..be724ba2fd 100644 """Generate a random UUID.""" diff --git a/Misc/NEWS.d/next/Library/2019-09-12-14-54-45.bpo-9216.W7QMpC.rst b/Misc/NEWS.d/next/Library/2019-09-12-14-54-45.bpo-9216.W7QMpC.rst new file mode 100644 -index 0000000000..a97ca4b8b4 +index 0000000..a97ca4b --- /dev/null +++ b/Misc/NEWS.d/next/Library/2019-09-12-14-54-45.bpo-9216.W7QMpC.rst @@ -0,0 +1,2 @@ +hashlib constructors now support usedforsecurity flag to signal that a +hashing algorithm is not used in a security context. diff --git a/Modules/_blake2/blake2b_impl.c b/Modules/_blake2/blake2b_impl.c -index 97ce89d33c..16df232793 100644 +index 97ce89d..16df232 100644 --- a/Modules/_blake2/blake2b_impl.c +++ b/Modules/_blake2/blake2b_impl.c @@ -82,6 +82,7 @@ _blake2.blake2b.__new__ as py_blake2b_new 
@@ -3777,7 +3777,7 @@ index 97ce89d33c..16df232793 100644 BLAKE2bObject *self = NULL; Py_buffer buf; diff --git a/Modules/_blake2/blake2s_impl.c b/Modules/_blake2/blake2s_impl.c -index c4447b4fe8..66a7ee567d 100644 +index c4447b4..66a7ee5 100644 --- a/Modules/_blake2/blake2s_impl.c +++ b/Modules/_blake2/blake2s_impl.c @@ -82,6 +82,7 @@ _blake2.blake2s.__new__ as py_blake2s_new @@ -3800,7 +3800,7 @@ index c4447b4fe8..66a7ee567d 100644 BLAKE2sObject *self = NULL; Py_buffer buf; diff --git a/Modules/_blake2/clinic/blake2b_impl.c.h b/Modules/_blake2/clinic/blake2b_impl.c.h -index cd329c07c9..07258c31c9 100644 +index cd329c0..07258c3 100644 --- a/Modules/_blake2/clinic/blake2b_impl.c.h +++ b/Modules/_blake2/clinic/blake2b_impl.c.h @@ -5,7 +5,8 @@ preserve @@ -3872,7 +3872,7 @@ index cd329c07c9..07258c31c9 100644 -/*[clinic end generated code: output=cbb625d7f60c288c input=a9049054013a1b77]*/ +/*[clinic end generated code: output=2d6d0fe9aa42a42a input=a9049054013a1b77]*/ diff --git a/Modules/_blake2/clinic/blake2s_impl.c.h b/Modules/_blake2/clinic/blake2s_impl.c.h -index 560bd68160..71c5706fb6 100644 +index 560bd68..71c5706 100644 --- a/Modules/_blake2/clinic/blake2s_impl.c.h +++ b/Modules/_blake2/clinic/blake2s_impl.c.h @@ -5,7 +5,8 @@ preserve @@ -3944,10 +3944,10 @@ index 560bd68160..71c5706fb6 100644 -/*[clinic end generated code: output=39af5a74c8805b36 input=a9049054013a1b77]*/ +/*[clinic end generated code: output=c80d8d06ce40a192 input=a9049054013a1b77]*/ diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c -index 69822685dc..a1f81eb5e9 100644 +index 713e15a..b4d05ab 100644 --- a/Modules/_hashopenssl.c +++ b/Modules/_hashopenssl.c -@@ -521,7 +521,7 @@ static PyTypeObject EVPtype = { +@@ -528,7 +528,7 @@ static PyTypeObject EVPtype = { \ static PyObject * EVPnew(const EVP_MD *digest, 
@@ -3956,7 +3956,7 @@ index 69822685dc..a1f81eb5e9 100644 { int result = 0; EVPobject *self; -@@ -534,6 +534,12 @@ EVPnew(const EVP_MD *digest, +@@ -541,6 +541,12 @@ EVPnew(const EVP_MD *digest, if ((self = newEVPobject()) == NULL) return NULL; @@ -3969,7 +3969,7 @@ index 69822685dc..a1f81eb5e9 100644 if (!EVP_DigestInit_ex(self->ctx, digest, NULL)) { _setException(PyExc_ValueError); Py_DECREF(self); -@@ -565,6 +571,8 @@ _hashlib.new as EVP_new +@@ -572,6 +578,8 @@ _hashlib.new as EVP_new name as name_obj: object string as data_obj: object(c_default="NULL") = b'' @@ -3978,7 +3978,7 @@ index 69822685dc..a1f81eb5e9 100644 Return a new hash object using the named algorithm. -@@ -575,8 +583,9 @@ The MD5 and SHA1 algorithms are always supported. +@@ -582,8 +590,9 @@ The MD5 and SHA1 algorithms are always supported. [clinic start generated code]*/ static PyObject * @@ -3990,7 +3990,7 @@ index 69822685dc..a1f81eb5e9 100644 { Py_buffer view = { 0 }; PyObject *ret_obj; -@@ -593,7 +602,9 @@ EVP_new_impl(PyObject *module, PyObject *name_obj, PyObject *data_obj) +@@ -600,7 +609,9 @@ EVP_new_impl(PyObject *module, PyObject *name_obj, PyObject *data_obj) digest = py_digest_by_name(name); @@ -4001,7 +4001,7 @@ index 69822685dc..a1f81eb5e9 100644 if (data_obj) PyBuffer_Release(&view); -@@ -601,7 +612,8 @@ EVP_new_impl(PyObject *module, PyObject *name_obj, PyObject *data_obj) +@@ -608,7 +619,8 @@ EVP_new_impl(PyObject *module, PyObject *name_obj, PyObject *data_obj) } static PyObject* @@ -4011,7 +4011,7 @@ index 69822685dc..a1f81eb5e9 100644 { Py_buffer view = { 0 }; PyObject *ret_obj; -@@ -609,7 +621,8 @@ EVP_fast_new(PyObject *module, PyObject *data_obj, const EVP_MD *digest) +@@ -616,7 +628,8 @@ EVP_fast_new(PyObject *module, PyObject *data_obj, const EVP_MD *digest) if (data_obj) GET_BUFFER_VIEW_OR_ERROUT(data_obj, &view); 
@@ -4021,7 +4021,7 @@ index 69822685dc..a1f81eb5e9 100644 if (data_obj) PyBuffer_Release(&view); -@@ -621,16 +634,19 @@ EVP_fast_new(PyObject *module, PyObject *data_obj, const EVP_MD *digest) +@@ -628,16 +641,19 @@ EVP_fast_new(PyObject *module, PyObject *data_obj, const EVP_MD *digest) _hashlib.openssl_md5 string as data_obj: object(py_default="b''") = NULL @@ -4044,7 +4044,7 @@ index 69822685dc..a1f81eb5e9 100644 } -@@ -638,16 +654,19 @@ _hashlib_openssl_md5_impl(PyObject *module, PyObject *data_obj) +@@ -645,16 +661,19 @@ _hashlib_openssl_md5_impl(PyObject *module, PyObject *data_obj) _hashlib.openssl_sha1 string as data_obj: object(py_default="b''") = NULL @@ -4067,7 +4067,7 @@ index 69822685dc..a1f81eb5e9 100644 } -@@ -655,16 +674,19 @@ _hashlib_openssl_sha1_impl(PyObject *module, PyObject *data_obj) +@@ -662,16 +681,19 @@ _hashlib_openssl_sha1_impl(PyObject *module, PyObject *data_obj) _hashlib.openssl_sha224 string as data_obj: object(py_default="b''") = NULL @@ -4090,7 +4090,7 @@ index 69822685dc..a1f81eb5e9 100644 } -@@ -672,16 +694,19 @@ _hashlib_openssl_sha224_impl(PyObject *module, PyObject *data_obj) +@@ -679,16 +701,19 @@ _hashlib_openssl_sha224_impl(PyObject *module, PyObject *data_obj) _hashlib.openssl_sha256 string as data_obj: object(py_default="b''") = NULL @@ -4113,7 +4113,7 @@ index 69822685dc..a1f81eb5e9 100644 } -@@ -689,16 +714,19 @@ _hashlib_openssl_sha256_impl(PyObject *module, PyObject *data_obj) +@@ -696,16 +721,19 @@ _hashlib_openssl_sha256_impl(PyObject *module, PyObject *data_obj) _hashlib.openssl_sha384 string as data_obj: object(py_default="b''") = NULL @@ -4136,7 +4136,7 @@ index 69822685dc..a1f81eb5e9 100644 } -@@ -706,152 +734,179 @@ _hashlib_openssl_sha384_impl(PyObject *module, PyObject *data_obj) +@@ -713,152 +741,179 @@ _hashlib_openssl_sha384_impl(PyObject *module, PyObject *data_obj) _hashlib.openssl_sha512 string as data_obj: object(py_default="b''") = NULL @@ -4344,7 +4344,7 @@ index 69822685dc..a1f81eb5e9 100644 
diff --git a/Modules/_sha3/clinic/sha3module.c.h b/Modules/_sha3/clinic/sha3module.c.h -index 554442df0e..1c79c26939 100644 +index 554442d..1c79c26 100644 --- a/Modules/_sha3/clinic/sha3module.c.h +++ b/Modules/_sha3/clinic/sha3module.c.h @@ -2,6 +2,52 @@ @@ -4407,7 +4407,7 @@ index 554442df0e..1c79c26939 100644 -/*[clinic end generated code: output=5b3e99b9a96471e8 input=a9049054013a1b77]*/ +/*[clinic end generated code: output=c8a97b34e80def62 input=a9049054013a1b77]*/ diff --git a/Modules/_sha3/sha3module.c b/Modules/_sha3/sha3module.c -index 3079e1e3a4..fc8b1b262a 100644 +index 3079e1e..fc8b1b2 100644 --- a/Modules/_sha3/sha3module.c +++ b/Modules/_sha3/sha3module.c @@ -171,22 +171,25 @@ newSHA3object(PyTypeObject *type) @@ -4515,7 +4515,7 @@ index 3079e1e3a4..fc8b1b262a 100644 Return a new SHAKE hash object."); diff --git a/Modules/clinic/_hashopenssl.c.h b/Modules/clinic/_hashopenssl.c.h -index e96a752e27..967884727b 100644 +index e96a752..9678847 100644 --- a/Modules/clinic/_hashopenssl.c.h +++ b/Modules/clinic/_hashopenssl.c.h @@ -66,7 +66,7 @@ PyDoc_STRVAR(EVP_update__doc__, @@ -5367,7 +5367,7 @@ index e96a752e27..967884727b 100644 -/*[clinic end generated code: output=be8e21a10dff71e7 input=a9049054013a1b77]*/ +/*[clinic end generated code: output=3db4f18f12892fa4 input=a9049054013a1b77]*/ diff --git a/Modules/clinic/md5module.c.h b/Modules/clinic/md5module.c.h -index 12484cc0e3..c109f9efec 100644 +index 12484cc..c109f9e 100644 --- a/Modules/clinic/md5module.c.h +++ b/Modules/clinic/md5module.c.h @@ -66,7 +66,7 @@ PyDoc_STRVAR(MD5Type_update__doc__, @@ -5430,7 +5430,7 @@ index 12484cc0e3..c109f9efec 100644 -/*[clinic end generated code: output=53133f08cf9095fc input=a9049054013a1b77]*/ +/*[clinic end generated code: output=dbe3abc60086f3ef input=a9049054013a1b77]*/ diff --git a/Modules/clinic/sha1module.c.h b/Modules/clinic/sha1module.c.h -index 001c6af737..fc37b1ab88 100644 +index 001c6af..fc37b1a 100644 --- a/Modules/clinic/sha1module.c.h 
+++ b/Modules/clinic/sha1module.c.h @@ -66,7 +66,7 @@ PyDoc_STRVAR(SHA1Type_update__doc__, @@ -5493,7 +5493,7 @@ index 001c6af737..fc37b1ab88 100644 -/*[clinic end generated code: output=1ae7e73ec84a27d5 input=a9049054013a1b77]*/ +/*[clinic end generated code: output=3ddd637ae17e14b3 input=a9049054013a1b77]*/ diff --git a/Modules/clinic/sha256module.c.h b/Modules/clinic/sha256module.c.h -index 658abb15cf..2a788ea984 100644 +index 658abb1..2a788ea 100644 --- a/Modules/clinic/sha256module.c.h +++ b/Modules/clinic/sha256module.c.h @@ -66,7 +66,7 @@ PyDoc_STRVAR(SHA256Type_update__doc__, @@ -5611,7 +5611,7 @@ index 658abb15cf..2a788ea984 100644 -/*[clinic end generated code: output=c54d0956ec88409d input=a9049054013a1b77]*/ +/*[clinic end generated code: output=c8cca8adbe72ec9a input=a9049054013a1b77]*/ diff --git a/Modules/clinic/sha512module.c.h b/Modules/clinic/sha512module.c.h -index 459a9341cf..b8185b62bb 100644 +index 459a934..b8185b6 100644 --- a/Modules/clinic/sha512module.c.h +++ b/Modules/clinic/sha512module.c.h @@ -66,7 +66,7 @@ PyDoc_STRVAR(SHA512Type_update__doc__, @@ -5729,7 +5729,7 @@ index 459a9341cf..b8185b62bb 100644 -/*[clinic end generated code: output=580df4b667084a7e input=a9049054013a1b77]*/ +/*[clinic end generated code: output=bbfa72d8703c82b5 input=a9049054013a1b77]*/ diff --git a/Modules/md5module.c b/Modules/md5module.c -index c2ebaaf61f..fdc4d7bbef 100644 +index 64fab80..ee4efe4 100644 --- a/Modules/md5module.c +++ b/Modules/md5module.c @@ -503,13 +503,15 @@ static PyTypeObject MD5type = { @@ -5751,7 +5751,7 @@ index c2ebaaf61f..fdc4d7bbef 100644 MD5object *new; Py_buffer buf; diff --git a/Modules/sha1module.c b/Modules/sha1module.c -index ce2ad267e7..4d191c3c48 100644 +index 4a8dbd8..aec0bad 100644 --- a/Modules/sha1module.c +++ b/Modules/sha1module.c @@ -480,13 +480,15 @@ static PyTypeObject SHA1type = { @@ -5773,7 +5773,7 @@ index ce2ad267e7..4d191c3c48 100644 SHA1object *new; Py_buffer buf; 
diff --git a/Modules/sha256module.c b/Modules/sha256module.c -index b8d6c4cf80..245f4c0454 100644 +index a1c8b1a..8777c59 100644 --- a/Modules/sha256module.c +++ b/Modules/sha256module.c @@ -601,13 +601,15 @@ static PyTypeObject SHA256type = { @@ -5813,7 +5813,7 @@ index b8d6c4cf80..245f4c0454 100644 SHAobject *new; Py_buffer buf; diff --git a/Modules/sha512module.c b/Modules/sha512module.c -index 98b97917f4..df4f9d2d74 100644 +index 4167fd3..504d40a 100644 --- a/Modules/sha512module.c +++ b/Modules/sha512module.c @@ -666,13 +666,15 @@ static PyTypeObject SHA512type = { @@ -5853,10 +5853,10 @@ index 98b97917f4..df4f9d2d74 100644 SHAobject *new; Py_buffer buf; -- -2.25.4 +2.31.1 -From 96c7faf94181487931634cb569d9468c9ac1bcec Mon Sep 17 00:00:00 2001 +From 4830a7b0c14f424a120eb2faef99a4821865e65f Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 26 Aug 2019 19:09:39 +0200 Subject: [PATCH 24/41] Test the usedforsecurity flag @@ -5866,7 +5866,7 @@ Subject: [PATCH 24/41] Test the usedforsecurity flag 1 file changed, 54 insertions(+), 34 deletions(-) diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py -index 08bb91f27b..1368e91708 100644 +index 08bb91f..1368e91 100644 --- a/Lib/test/test_hashlib.py +++ b/Lib/test/test_hashlib.py @@ -21,6 +21,7 @@ from test import support @@ -6099,10 +6099,10 @@ index 08bb91f27b..1368e91708 100644 class KDFTests(unittest.TestCase): -- -2.25.4 +2.31.1 -From 8fbdf03b9239e6f55d9ac6e298fe8c0bc13fe49a Mon Sep 17 00:00:00 2001 +From 5e8d600b6d713737b471f083727b6f0365233cfe Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Thu, 29 Aug 2019 10:25:28 +0200 Subject: [PATCH 25/41] Skip error checking in _hashlib.get_fips_mode @@ -6113,10 +6113,10 @@ Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1745499 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c -index a1f81eb5e9..eff331bb8b 100644 +index b4d05ab..a48b607 100644 --- a/Modules/_hashopenssl.c 
+++ b/Modules/_hashopenssl.c -@@ -1253,20 +1253,22 @@ _hashlib_get_fips_mode_impl(PyObject *module) +@@ -1260,20 +1260,22 @@ _hashlib_get_fips_mode_impl(PyObject *module) /*[clinic end generated code: output=ad8a7793310d3f98 input=f42a2135df2a5e11]*/ { @@ -6154,10 +6154,10 @@ index a1f81eb5e9..eff331bb8b 100644 -- -2.25.4 +2.31.1 -From 92587894edbc857a3c2788d8b72a469b27c8d7b3 Mon Sep 17 00:00:00 2001 +From b2135a9b90ed43e5b562e2e9777d9ced800319a3 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Thu, 10 Oct 2019 13:04:50 +0200 Subject: [PATCH 26/41] Skip error checking in _Py_hashlib_fips_error @@ -6168,7 +6168,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1760106 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/Include/_hashopenssl.h b/Include/_hashopenssl.h -index 47ed003042..d4cbdef984 100644 +index 47ed003..d4cbdef 100644 --- a/Include/_hashopenssl.h +++ b/Include/_hashopenssl.h @@ -42,16 +42,10 @@ static int @@ -6192,10 +6192,10 @@ index 47ed003042..d4cbdef984 100644 } PyErr_Format(exc, "%s is not available in FIPS mode", name); -- -2.25.4 +2.31.1 -From 986a732d39df012221e95e2e08d0231b6ffbd487 Mon Sep 17 00:00:00 2001 +From f17451dab2a354f4a0588f08ffcc3a858aced668 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 5 Aug 2019 19:12:38 +0200 Subject: [PATCH 27/41] Fixups @@ -6208,7 +6208,7 @@ Subject: [PATCH 27/41] Fixups 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Lib/hmac.py b/Lib/hmac.py -index 394c81037b..b2bff7d975 100644 +index 394c810..b2bff7d 100644 --- a/Lib/hmac.py +++ b/Lib/hmac.py @@ -47,7 +47,7 @@ class HMAC: @@ -6221,7 +6221,7 @@ index 394c81037b..b2bff7d975 100644 ) diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py -index 0a859817f6..0b481ec9c0 100644 +index 0a85981..0b481ec 100644 --- a/Lib/test/test_hmac.py +++ b/Lib/test/test_hmac.py @@ -439,7 +439,7 @@ class CopyTestCase(unittest.TestCase): 
@@ -6234,10 +6234,10 @@ index 0a859817f6..0b481ec9c0 100644 h1 = hmac.HMAC(b"key", digestmod="sha1") h2 = h1.copy() -- -2.25.4 +2.31.1 -From a34e8be3c4af03b8c5c52e39c09422741ca7e91f Mon Sep 17 00:00:00 2001 +From 8bc5d1b032b863dfe0ddf83e3a3ecb99a65ae9f4 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 26 Aug 2019 19:39:48 +0200 Subject: [PATCH 28/41] Don't re-export get_fips_mode from hashlib @@ -6257,7 +6257,7 @@ Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1745685 10 files changed, 41 insertions(+), 32 deletions(-) diff --git a/Lib/distutils/command/upload.py b/Lib/distutils/command/upload.py -index 553617a8d8..8653caefc9 100644 +index 553617a..8653cae 100644 --- a/Lib/distutils/command/upload.py +++ b/Lib/distutils/command/upload.py @@ -127,7 +127,8 @@ class upload(PyPIRCCommand): @@ -6271,7 +6271,7 @@ index 553617a8d8..8653caefc9 100644 raise else: diff --git a/Lib/distutils/tests/test_upload.py b/Lib/distutils/tests/test_upload.py -index f720a7905d..a198b21357 100644 +index f720a79..a198b21 100644 --- a/Lib/distutils/tests/test_upload.py +++ b/Lib/distutils/tests/test_upload.py @@ -4,6 +4,7 @@ import unittest @@ -6301,7 +6301,7 @@ index f720a7905d..a198b21357 100644 self.assertEqual(headers['Content-length'], '2207') else: diff --git a/Lib/hashlib.py b/Lib/hashlib.py -index 898e6dca56..2fc214e7ef 100644 +index 898e6dc..2fc214e 100644 --- a/Lib/hashlib.py +++ b/Lib/hashlib.py @@ -76,12 +76,12 @@ __block_openssl_constructor = { @@ -6383,7 +6383,7 @@ index 898e6dca56..2fc214e7ef 100644 del __py_new +del _hashlib_get_fips_mode diff --git a/Lib/hmac.py b/Lib/hmac.py -index b2bff7d975..5055027bbb 100644 +index b2bff7d..5055027 100644 --- a/Lib/hmac.py +++ b/Lib/hmac.py @@ -45,7 +45,7 @@ class HMAC: @@ -6414,7 +6414,7 @@ index b2bff7d975..5055027bbb 100644 diff --git a/Lib/test/test_fips.py b/Lib/test/test_fips.py -index 34812e6098..86e61e29c0 100644 +index 34812e6..86e61e2 100644 --- a/Lib/test/test_fips.py +++ b/Lib/test/test_fips.py 
@@ -6,7 +6,7 @@ import hashlib, _hashlib @@ -6445,7 +6445,7 @@ index 34812e6098..86e61e29c0 100644 self.compare_hashes(hashlib.shake_128(b'abc'), _hashlib.openssl_shake_128(b'abc')) self.compare_hashes(hashlib.shake_256(b'abc'), _hashlib.openssl_shake_256(b'abc')) diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py -index 1368e91708..a4b78406a5 100644 +index 1368e91..a4b7840 100644 --- a/Lib/test/test_hashlib.py +++ b/Lib/test/test_hashlib.py @@ -29,7 +29,9 @@ COMPILED_WITH_PYDEBUG = hasattr(sys, 'gettotalrefcount') @@ -6511,7 +6511,7 @@ index 1368e91708..a4b78406a5 100644 """Make sure usedforsecurity flag isn't copied to other contexts""" for i in range(3): diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py -index 0b481ec9c0..cc77928fa3 100644 +index 0b481ec..cc77928 100644 --- a/Lib/test/test_hmac.py +++ b/Lib/test/test_hmac.py @@ -5,6 +5,7 @@ import hashlib @@ -6550,7 +6550,7 @@ index 0b481ec9c0..cc77928fa3 100644 def test_realcopy(self): # Testing if the copy method created a real copy. diff --git a/Lib/test/test_smtplib.py b/Lib/test/test_smtplib.py -index d0c9862ede..9a44c0dc7a 100644 +index c9205ae..e4d7fb4 100644 --- a/Lib/test/test_smtplib.py +++ b/Lib/test/test_smtplib.py @@ -17,6 +17,8 @@ import select @@ -6562,7 +6562,7 @@ index d0c9862ede..9a44c0dc7a 100644 import unittest from test import support, mock_socket -@@ -1021,7 +1023,7 @@ class SMTPSimTests(unittest.TestCase): +@@ -1059,7 +1061,7 @@ class SMTPSimTests(unittest.TestCase): def testAUTH_multiple(self): # Test that multiple authentication methods are tried. @@ -6572,7 +6572,7 @@ index d0c9862ede..9a44c0dc7a 100644 resp = smtp.login(sim_auth[0], sim_auth[1]) self.assertEqual(resp, (235, b'Authentication Succeeded')) diff --git a/Lib/test/test_tools/test_md5sum.py b/Lib/test/test_tools/test_md5sum.py -index 7028a4dc21..3ba1ca0f14 100644 +index 7028a4d..3ba1ca0 100644 --- a/Lib/test/test_tools/test_md5sum.py +++ b/Lib/test/test_tools/test_md5sum.py @@ -4,13 +4,13 @@ import os 
@@ -6592,7 +6592,7 @@ index 7028a4dc21..3ba1ca0f14 100644 class MD5SumTests(unittest.TestCase): diff --git a/Lib/test/test_urllib2_localnet.py b/Lib/test/test_urllib2_localnet.py -index 1cb358f8dd..6f5cb7fcd1 100644 +index 1cb358f..6f5cb7f 100644 --- a/Lib/test/test_urllib2_localnet.py +++ b/Lib/test/test_urllib2_localnet.py @@ -7,6 +7,7 @@ import http.server @@ -6604,10 +6604,10 @@ index 1cb358f8dd..6f5cb7fcd1 100644 from test import support -- -2.25.4 +2.31.1 -From 34d924a23c0c4a2740cb2fb30dcd5cfe061179d4 Mon Sep 17 00:00:00 2001 +From dfc0d1cacc0b299bcce43a37a997e78c03c55dec Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Thu, 2 Apr 2020 16:50:37 +0200 Subject: [PATCH 29/41] Do not raise a ValueError if digestmod is missing in @@ -6621,7 +6621,7 @@ for it. 1 file changed, 2 deletions(-) diff --git a/Lib/hmac.py b/Lib/hmac.py -index 5055027bbb..ee1ad76d22 100644 +index 5055027..ee1ad76 100644 --- a/Lib/hmac.py +++ b/Lib/hmac.py @@ -143,8 +143,6 @@ class HMAC: @@ -6634,10 +6634,10 @@ index 5055027bbb..ee1ad76d22 100644 return digestmod.lower() elif callable(digestmod): -- -2.25.4 +2.31.1 -From a1a4fbf3b1eec95af27fa0352ebdfa13863f3e89 Mon Sep 17 00:00:00 2001 +From 38faf7660b65dcd0536eb21984d12c688c43d7f9 Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Thu, 2 Apr 2020 16:55:36 +0200 Subject: [PATCH 30/41] Regenerate the clinic files @@ -6648,7 +6648,7 @@ Subject: [PATCH 30/41] Regenerate the clinic files 2 files changed, 17 insertions(+), 9 deletions(-) diff --git a/Modules/_hmacopenssl.c b/Modules/_hmacopenssl.c -index a24c8ba022..9577cadf93 100644 +index a24c8ba..9577cad 100644 --- a/Modules/_hmacopenssl.c +++ b/Modules/_hmacopenssl.c @@ -132,12 +132,12 @@ error: @@ -6667,7 +6667,7 @@ index a24c8ba022..9577cadf93 100644 HmacObject *retval; diff --git a/Modules/clinic/_hmacopenssl.c.h b/Modules/clinic/_hmacopenssl.c.h -index 861acc11bf..527be832bf 100644 +index 861acc1..527be83 100644 --- a/Modules/clinic/_hmacopenssl.c.h 
+++ b/Modules/clinic/_hmacopenssl.c.h @@ -6,7 +6,7 @@ PyDoc_STRVAR(_hmacopenssl_HMAC_copy__doc__, @@ -6721,10 +6721,10 @@ index 861acc11bf..527be832bf 100644 -/*[clinic end generated code: output=d93ad460795d49b5 input=a9049054013a1b77]*/ +/*[clinic end generated code: output=9b75c31e1116bf6f input=a9049054013a1b77]*/ -- -2.25.4 +2.31.1 -From d2a96515d4cf5b47c9d2cfeb2eab4eb4c026e133 Mon Sep 17 00:00:00 2001 +From f5677065f9153a4e300c956adbcbdec8c6cf69c0 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Tue, 7 Apr 2020 15:16:45 +0200 Subject: [PATCH 31/41] Pass kwargs (like usedforsecurity) through __hash_new @@ -6734,7 +6734,7 @@ Subject: [PATCH 31/41] Pass kwargs (like usedforsecurity) through __hash_new 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Lib/hashlib.py b/Lib/hashlib.py -index 2fc214e7ef..785858ff8e 100644 +index 2fc214e..785858f 100644 --- a/Lib/hashlib.py +++ b/Lib/hashlib.py @@ -169,7 +169,7 @@ def __hash_new(name, data=b'', **kwargs): @@ -6756,10 +6756,10 @@ index 2fc214e7ef..785858ff8e 100644 try: -- -2.25.4 +2.31.1 -From 875ef635e8d1431bf764abdbe02fe2d2ddb0cd5e Mon Sep 17 00:00:00 2001 +From ce30224bb44a580a769c1f81d5114901aa8fa5f3 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Tue, 7 Apr 2020 15:18:48 +0200 Subject: [PATCH 32/41] Adjust new upstream test for failing hashes with @@ -6770,7 +6770,7 @@ Subject: [PATCH 32/41] Adjust new upstream test for failing hashes with 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py -index a4b78406a5..a858bf4c59 100644 +index a4b7840..a858bf4 100644 --- a/Lib/test/test_hashlib.py +++ b/Lib/test/test_hashlib.py @@ -239,15 +239,23 @@ class HashLibTestCase(unittest.TestCase): 
@@ -6802,10 +6802,10 @@ index a4b78406a5..a858bf4c59 100644 self.assertRaises(ValueError, hashlib.new, 'spam spam spam spam spam') self.assertRaises(TypeError, hashlib.new, 1) -- -2.25.4 +2.31.1 -From 927d40c90861426a959bd136b32d4a8edcb2d092 Mon Sep 17 00:00:00 2001 +From 896f2a76c1ca4cbad8f224562e544744c239431d Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Fri, 24 Apr 2020 19:57:16 +0200 Subject: [PATCH 33/41] Skip the test_with_digestmod_no_default under FIPS @@ -6817,7 +6817,7 @@ the digestmod parameter misuse under FIPS mode. 1 file changed, 13 insertions(+) diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py -index cc77928fa3..fd068e0229 100644 +index cc77928..fd068e0 100644 --- a/Lib/test/test_hmac.py +++ b/Lib/test/test_hmac.py @@ -313,6 +313,7 @@ class TestVectorsTestCase(unittest.TestCase): @@ -6848,10 +6848,10 @@ index cc77928fa3..fd068e0229 100644 class ConstructorTestCase(unittest.TestCase): -- -2.25.4 +2.31.1 -From 14823821aa8abff02843b0ab0e1e4646e635aee5 Mon Sep 17 00:00:00 2001 +From f4ea7d8249610973c286d7fdd618bf26cba1cd60 Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Fri, 24 Apr 2020 20:00:59 +0200 Subject: [PATCH 34/41] Fix test_crypt under FIPS mode @@ -6863,7 +6863,7 @@ and crypt.METHOD_CRYPT is not always available. 1 file changed, 2 deletions(-) diff --git a/Lib/test/test_crypt.py b/Lib/test/test_crypt.py -index 5dc83b4ecb..a4f6f8e93f 100644 +index 5dc83b4..a4f6f8e 100644 --- a/Lib/test/test_crypt.py +++ b/Lib/test/test_crypt.py @@ -53,8 +53,6 @@ class CryptTestCase(unittest.TestCase): @@ -6876,10 +6876,10 @@ index 5dc83b4ecb..a4f6f8e93f 100644 @unittest.skipUnless( crypt -- -2.25.4 +2.31.1 -From 84235df723cb227e68ebb122b8835264b203d5ef Mon Sep 17 00:00:00 2001 +From d6b6fbaa9a70e51589a95347ba007147e49ea850 Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Fri, 24 Apr 2020 20:14:52 +0200 Subject: [PATCH 35/41] Port the _hashopenssl module to openssl api 1.0.2 
@@ -6890,7 +6890,7 @@ Subject: [PATCH 35/41] Port the _hashopenssl module to openssl api 1.0.2 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/Include/_hashopenssl.h b/Include/_hashopenssl.h -index d4cbdef984..4d23f6d584 100644 +index d4cbdef..4d23f6d 100644 --- a/Include/_hashopenssl.h +++ b/Include/_hashopenssl.h @@ -2,6 +2,7 @@ @@ -6902,7 +6902,7 @@ index d4cbdef984..4d23f6d584 100644 #include diff --git a/Modules/_hmacopenssl.c b/Modules/_hmacopenssl.c -index 9577cadf93..7e60fa9bb7 100644 +index 9577cad..7e60fa9 100644 --- a/Modules/_hmacopenssl.c +++ b/Modules/_hmacopenssl.c @@ -82,7 +82,7 @@ Hmac_new(PyTypeObject *subtype, PyObject *args, PyObject *kwds) @@ -7001,10 +7001,10 @@ index 9577cadf93..7e60fa9bb7 100644 return _setException(PyExc_ValueError); } -- -2.25.4 +2.31.1 -From 3d498b9c3d4a2ceb532c1828f80589428e140e09 Mon Sep 17 00:00:00 2001 +From 1969bcb84248484ef52cf30859d712c54bde2b0e Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Fri, 24 Apr 2020 20:17:33 +0200 Subject: [PATCH 36/41] blake2, sha3 and shake are not available through @@ -7018,7 +7018,7 @@ Subject: [PATCH 36/41] blake2, sha3 and shake are not available through 4 files changed, 1 insertion(+), 589 deletions(-) diff --git a/Modules/_blake2/blake2module.c b/Modules/_blake2/blake2module.c -index a9c7cbc7eb..278467731b 100644 +index a9c7cbc..2784677 100644 --- a/Modules/_blake2/blake2module.c +++ b/Modules/_blake2/blake2module.c @@ -58,8 +58,6 @@ PyInit__blake2(void) @@ -7031,10 +7031,10 @@ index a9c7cbc7eb..278467731b 100644 if (m == NULL) return NULL; diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c -index eff331bb8b..190749e596 100644 +index a48b607..18fce62 100644 --- a/Modules/_hashopenssl.c 
+++ b/Modules/_hashopenssl.c -@@ -749,166 +749,6 @@ _hashlib_openssl_sha512_impl(PyObject *module, PyObject *data_obj, +@@ -756,166 +756,6 @@ _hashlib_openssl_sha512_impl(PyObject *module, PyObject *data_obj, return EVP_fast_new(module, data_obj, EVP_sha512(), usedforsecurity); } @@ -7201,7 +7201,7 @@ index eff331bb8b..190749e596 100644 /*[clinic input] _hashlib.pbkdf2_hmac as pbkdf2_hmac -@@ -1286,14 +1126,6 @@ static struct PyMethodDef EVP_functions[] = { +@@ -1293,14 +1133,6 @@ static struct PyMethodDef EVP_functions[] = { _HASHLIB_OPENSSL_SHA256_METHODDEF _HASHLIB_OPENSSL_SHA384_METHODDEF _HASHLIB_OPENSSL_SHA512_METHODDEF @@ -7217,7 +7217,7 @@ index eff331bb8b..190749e596 100644 }; diff --git a/Modules/_sha3/sha3module.c b/Modules/_sha3/sha3module.c -index fc8b1b262a..4be98e4cb0 100644 +index fc8b1b2..4be98e4 100644 --- a/Modules/_sha3/sha3module.c +++ b/Modules/_sha3/sha3module.c @@ -710,8 +710,6 @@ PyInit__sha3(void) @@ -7230,7 +7230,7 @@ index fc8b1b262a..4be98e4cb0 100644 return NULL; } diff --git a/Modules/clinic/_hashopenssl.c.h b/Modules/clinic/_hashopenssl.c.h -index 967884727b..7c31809c60 100644 +index 9678847..7c31809 100644 --- a/Modules/clinic/_hashopenssl.c.h +++ b/Modules/clinic/_hashopenssl.c.h @@ -436,422 +436,6 @@ exit: @@ -7663,10 +7663,10 @@ index 967884727b..7c31809c60 100644 -/*[clinic end generated code: output=3db4f18f12892fa4 input=a9049054013a1b77]*/ +/*[clinic end generated code: output=646d49f01d125759 input=a9049054013a1b77]*/ -- -2.25.4 +2.31.1 -From e0e4c6aead83e773c1c2b9f1f5ba242a3cddd41c Mon Sep 17 00:00:00 2001 +From 6e97e1190517c291b4d80a7695120f47bf31394d Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Fri, 24 Apr 2020 20:18:44 +0200 Subject: [PATCH 37/41] Remove unavailable algorithms testing from test_fips @@ -7676,7 +7676,7 @@ Subject: [PATCH 37/41] Remove unavailable algorithms testing from test_fips 1 file changed, 25 deletions(-) 
diff --git a/Lib/test/test_fips.py b/Lib/test/test_fips.py -index 86e61e29c0..73b219be6a 100644 +index 86e61e2..73b219b 100644 --- a/Lib/test/test_fips.py +++ b/Lib/test/test_fips.py @@ -6,15 +6,6 @@ import hashlib, _hashlib @@ -7719,10 +7719,10 @@ index 86e61e29c0..73b219be6a 100644 self.compare_hashes(hashlib.sha1(b'abc'), _hashlib.openssl_sha1(b'abc')) self.compare_hashes(hashlib.sha224(b'abc'), _hashlib.openssl_sha224(b'abc')) -- -2.25.4 +2.31.1 -From e1e3a4754052acc90f4ad7e1e96ab3aa2ff8c859 Mon Sep 17 00:00:00 2001 +From 17277f232d2dd223a1bdc2712a5196e149a9cc1a Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Fri, 24 Apr 2020 20:20:03 +0200 Subject: [PATCH 38/41] Fix the hashlib test under FIPS mode in RHEL7 @@ -7733,7 +7733,7 @@ Subject: [PATCH 38/41] Fix the hashlib test under FIPS mode in RHEL7 2 files changed, 167 insertions(+), 142 deletions(-) diff --git a/Lib/hashlib.py b/Lib/hashlib.py -index 785858ff8e..1d214c1767 100644 +index 785858f..1d214c1 100644 --- a/Lib/hashlib.py +++ b/Lib/hashlib.py @@ -53,6 +53,12 @@ More condensed: @@ -7880,7 +7880,7 @@ index 785858ff8e..1d214c1767 100644 # Cleanup locals() diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py -index a858bf4c59..ccc572dabf 100644 +index a858bf4..ccc572d 100644 --- a/Lib/test/test_hashlib.py +++ b/Lib/test/test_hashlib.py @@ -1,4 +1,4 @@ @@ -8214,10 +8214,10 @@ index a858bf4c59..ccc572dabf 100644 @support.reap_threads def test_threaded_hashing(self): -- -2.25.4 +2.31.1 -From 2f964a5f931ab5e27ce5bd84613f25ccc3ac5c51 Mon Sep 17 00:00:00 2001 +From 946c6b83fdab378329eabd2477509a7341381311 Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Fri, 24 Apr 2020 23:32:23 +0200 Subject: [PATCH 39/41] test_ssl fixes for FIPS mode in RHEL7 @@ -8227,7 +8227,7 @@ Subject: [PATCH 39/41] test_ssl fixes for FIPS mode in RHEL7 1 file changed, 31 insertions(+), 16 deletions(-) 
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py -index 0bc0a8c452..f06141d6ab 100644 +index 1fa0241..7ac0f88 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -20,6 +20,7 @@ import weakref @@ -8250,7 +8250,7 @@ index 0bc0a8c452..f06141d6ab 100644 HOST = support.HOST IS_LIBRESSL = ssl.OPENSSL_VERSION.startswith('LibreSSL') IS_OPENSSL_1_1_0 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0) -@@ -3223,36 +3229,41 @@ class ThreadedTests(unittest.TestCase): +@@ -3292,36 +3298,41 @@ class ThreadedTests(unittest.TestCase): if support.verbose: sys.stdout.write("\n") if has_tls_version('SSLv2'): @@ -8305,7 +8305,7 @@ index 0bc0a8c452..f06141d6ab 100644 # Will choose TLSv1 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True, server_options=ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3) -@@ -3260,6 +3271,7 @@ class ThreadedTests(unittest.TestCase): +@@ -3329,6 +3340,7 @@ class ThreadedTests(unittest.TestCase): try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, False, server_options=ssl.OP_NO_TLSv1) @@ -8313,7 +8313,7 @@ index 0bc0a8c452..f06141d6ab 100644 @requires_tls_version('SSLv3') def test_protocol_sslv3(self): """Connecting to an SSLv3 server with various client options""" -@@ -3289,7 +3301,8 @@ class ThreadedTests(unittest.TestCase): +@@ -3358,7 +3370,8 @@ class ThreadedTests(unittest.TestCase): if has_tls_version('SSLv2'): try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, False) if has_tls_version('SSLv3'): @@ -8323,7 +8323,7 @@ index 0bc0a8c452..f06141d6ab 100644 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLS, False, client_options=ssl.OP_NO_TLSv1) -@@ -3303,7 +3316,8 @@ class ThreadedTests(unittest.TestCase): +@@ -3372,7 +3385,8 @@ class ThreadedTests(unittest.TestCase): if has_tls_version('SSLv2'): try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv2, False) if has_tls_version('SSLv3'): 
@@ -8333,7 +8333,7 @@ index 0bc0a8c452..f06141d6ab 100644 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLS, False, client_options=ssl.OP_NO_TLSv1_1) -@@ -3323,7 +3337,8 @@ class ThreadedTests(unittest.TestCase): +@@ -3392,7 +3406,8 @@ class ThreadedTests(unittest.TestCase): if has_tls_version('SSLv2'): try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_SSLv2, False) if has_tls_version('SSLv3'): @@ -8344,10 +8344,10 @@ index 0bc0a8c452..f06141d6ab 100644 client_options=ssl.OP_NO_TLSv1_2) -- -2.25.4 +2.31.1 -From 090540bd96a8f5cea30479130d1ffbe2424b04c9 Mon Sep 17 00:00:00 2001 +From a5550a52bbd45a565431a7954e48b1af3fe5fcd8 Mon Sep 17 00:00:00 2001 From: Marcel Plch Date: Fri, 24 Apr 2020 22:44:43 +0200 Subject: [PATCH 40/41] Fix imports in hashlib under FIPS mode @@ -8357,7 +8357,7 @@ Subject: [PATCH 40/41] Fix imports in hashlib under FIPS mode 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Lib/hashlib.py b/Lib/hashlib.py -index 1d214c1767..5b54ba7360 100644 +index 1d214c1..5b54ba7 100644 --- a/Lib/hashlib.py +++ b/Lib/hashlib.py @@ -81,7 +81,7 @@ __block_openssl_constructor = {'sha3_224', 'sha3_256', 'sha3_384', 'sha3_512', @@ -8370,10 +8370,10 @@ index 1d214c1767..5b54ba7360 100644 constructor = cache.get(name) if constructor is not None: -- -2.25.4 +2.31.1 -From e5c87863d9634ec966c20368664fbcb5b33825d8 Mon Sep 17 00:00:00 2001 +From 010c9bf5783884f6d63edced3a9437159d8ac806 Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Tue, 31 Mar 2020 18:00:42 +0200 Subject: [PATCH 41/41] Add a sentinel value on the Hmac_members table of the @@ -8384,7 +8384,7 @@ Subject: [PATCH 41/41] Add a sentinel value on the Hmac_members table of the 1 file changed, 1 insertion(+) diff --git a/Modules/_hmacopenssl.c b/Modules/_hmacopenssl.c -index 7e60fa9bb7..ed07a18215 100644 +index 7e60fa9..ed07a18 100644 --- a/Modules/_hmacopenssl.c +++ b/Modules/_hmacopenssl.c @@ -336,6 +336,7 @@ static PyGetSetDef Hmac_getset[] = { 
@@ -8396,5 +8396,5 @@ index 7e60fa9bb7..ed07a18215 100644 PyDoc_STRVAR(hmactype_doc, -- -2.25.4 +2.31.1 diff --git a/SOURCES/00359-CVE-2021-23336.patch b/SOURCES/00359-CVE-2021-23336.patch new file mode 100644 index 0000000..b65eb60 --- /dev/null +++ b/SOURCES/00359-CVE-2021-23336.patch 
@@ -0,0 +1,430 @@ +From c983b1ee6471d9835e94ff153dd40b6e7c1fef86 Mon Sep 17 00:00:00 2001 +From: Lumir Balhar +Date: Thu, 1 Apr 2021 08:18:07 +0200 +Subject: [PATCH] CVE-2021-23336: Add `separator` argument to parse_qs; warn + with default +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Partially backports https://bugs.python.org/issue42967 : [security] Address a web cache-poisoning issue reported in urllib.parse.parse_qsl(). +However, this solution is different than the upstream solution in Python 3.6.13. + +An optional argument seperator is added to specify the separator. +It is recommended to set it to '&' or ';' to match the application or proxy in use. +The default can be set with an env variable of a config file. +If neither the argument, env var or config file specifies a separator, "&" is used +but a warning is raised if parse_qs is used on input that contains ';'. + +Co-authors of the upstream change (who do not necessarily agree with this): +Co-authored-by: Adam Goldschmidt +Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com> +Co-authored-by: Éric Araujo +--- + Doc/library/cgi.rst | 2 +- + Doc/library/urllib.parse.rst | 12 +++-- + Lib/cgi.py | 4 +- + Lib/test/test_cgi.py | 29 ++++++++++ + Lib/test/test_urlparse.py | 102 ++++++++++++++++++++++++++++++++--- + Lib/urllib/parse.py | 78 ++++++++++++++++++++++++--- + 6 files changed, 209 insertions(+), 18 deletions(-) + +diff --git a/Doc/library/cgi.rst b/Doc/library/cgi.rst +index 880074b..d8a6dc1 100644 +--- a/Doc/library/cgi.rst ++++ b/Doc/library/cgi.rst +@@ -277,7 +277,7 @@ These are useful if you want more control, or if you want to employ some of the + algorithms implemented in this module in other circumstances. + + +-.. function:: parse(fp=None, environ=os.environ, keep_blank_values=False, strict_parsing=False, separator="&") ++.. 
function:: parse(fp=None, environ=os.environ, keep_blank_values=False, strict_parsing=False, separator=None) + + Parse a query in the environment or from a file (the file defaults to + ``sys.stdin``). The *keep_blank_values*, *strict_parsing* and *separator* parameters are +diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst +index fcad707..9bcef69 100644 +--- a/Doc/library/urllib.parse.rst ++++ b/Doc/library/urllib.parse.rst +@@ -165,7 +165,7 @@ or on combining URL components into a URL string. + now raise :exc:`ValueError`. + + +-.. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None, separator='&') ++.. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None, separator=None) + + Parse a query string given as a string argument (data of type + :mimetype:`application/x-www-form-urlencoded`). Data are returned as a +@@ -191,7 +191,13 @@ or on combining URL components into a URL string. + *max_num_fields* fields read. + + The optional argument *separator* is the symbol to use for separating the +- query arguments. It defaults to ``&``. ++ query arguments. It is recommended to set it to ``'&'`` or ``';'``. ++ It defaults to ``'&'``; a warning is raised if this default is used. ++ This default may be changed with the following environment variable settings: ++ ++ - ``PYTHON_URLLIB_QS_SEPARATOR='&'``: use only ``&`` as separator, without warning (as in Python 3.6.13+ or 3.10) ++ - ``PYTHON_URLLIB_QS_SEPARATOR=';'``: use only ``;`` as separator ++ - ``PYTHON_URLLIB_QS_SEPARATOR=legacy``: use both ``&`` and ``;`` (as in previous versions of Python) + + Use the :func:`urllib.parse.urlencode` function (with the ``doseq`` + parameter set to ``True``) to convert such dictionaries into query +@@ -236,7 +242,7 @@ or on combining URL components into a URL string. + *max_num_fields* fields read. 
+ + The optional argument *separator* is the symbol to use for separating the +- query arguments. It defaults to ``&``. ++ query arguments. It works as in :py:func:`parse_qs`. + + Use the :func:`urllib.parse.urlencode` function to convert such lists of pairs into + query strings. +diff --git a/Lib/cgi.py b/Lib/cgi.py +index 1e880e5..d7b994b 100755 +--- a/Lib/cgi.py ++++ b/Lib/cgi.py +@@ -116,7 +116,7 @@ log = initlog # The current logging function + maxlen = 0 + + def parse(fp=None, environ=os.environ, keep_blank_values=0, +- strict_parsing=0, separator='&'): ++ strict_parsing=0, separator=None): + """Parse a query in the environment or from a file (default stdin) + + Arguments, all optional: +@@ -319,7 +319,7 @@ class FieldStorage: + def __init__(self, fp=None, headers=None, outerboundary=b'', + environ=os.environ, keep_blank_values=0, strict_parsing=0, + limit=None, encoding='utf-8', errors='replace', +- max_num_fields=None, separator='&'): ++ max_num_fields=None, separator=None): + """Constructor. Read multipart/* until last part. 
+ + Arguments, all optional: +diff --git a/Lib/test/test_cgi.py b/Lib/test/test_cgi.py +index 4e1506a..49b6926 100644 +--- a/Lib/test/test_cgi.py ++++ b/Lib/test/test_cgi.py +@@ -180,6 +180,35 @@ Content-Length: 3 + + env = {'QUERY_STRING': orig} + fs = cgi.FieldStorage(environ=env) ++ if isinstance(expect, dict): ++ # test dict interface ++ self.assertEqual(len(expect), len(fs)) ++ self.assertCountEqual(expect.keys(), fs.keys()) ++ self.assertEqual(fs.getvalue("nonexistent field", "default"), "default") ++ # test individual fields ++ for key in expect.keys(): ++ expect_val = expect[key] ++ self.assertIn(key, fs) ++ if len(expect_val) > 1: ++ self.assertEqual(fs.getvalue(key), expect_val) ++ else: ++ self.assertEqual(fs.getvalue(key), expect_val[0]) ++ ++ def test_separator(self): ++ parse_semicolon = [ ++ ("x=1;y=2.0", {'x': ['1'], 'y': ['2.0']}), ++ ("x=1;y=2.0;z=2-3.%2b0", {'x': ['1'], 'y': ['2.0'], 'z': ['2-3.+0']}), ++ (";", ValueError("bad query field: ''")), ++ (";;", ValueError("bad query field: ''")), ++ ("=;a", ValueError("bad query field: 'a'")), ++ (";b=a", ValueError("bad query field: ''")), ++ ("b;=a", ValueError("bad query field: 'b'")), ++ ("a=a+b;b=b+c", {'a': ['a b'], 'b': ['b c']}), ++ ("a=a+b;a=b+a", {'a': ['a b', 'b a']}), ++ ] ++ for orig, expect in parse_semicolon: ++ env = {'QUERY_STRING': orig} ++ fs = cgi.FieldStorage(separator=';', environ=env) + if isinstance(expect, dict): + # test dict interface + self.assertEqual(len(expect), len(fs)) +diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py +index d2ec0da..bb64974 100644 +--- a/Lib/test/test_urlparse.py ++++ b/Lib/test/test_urlparse.py +@@ -2,6 +2,11 @@ import sys + import unicodedata + import unittest + import urllib.parse ++from test.support import EnvironmentVarGuard ++from warnings import catch_warnings ++import tempfile ++import contextlib ++import os.path + + RFC1808_BASE = "http://a/b/c/d;p?q#f" + RFC2396_BASE = "http://a/b/c/d;p?q" +@@ -32,10 +37,34 @@ 
parse_qsl_test_cases = [ + (b"&a=b", [(b'a', b'b')]), + (b"a=a+b&b=b+c", [(b'a', b'a b'), (b'b', b'b c')]), + (b"a=1&a=2", [(b'a', b'1'), (b'a', b'2')]), ++] ++ ++parse_qsl_test_cases_semicolon = [ ++ (";", []), ++ (";;", []), ++ (";a=b", [('a', 'b')]), ++ ("a=a+b;b=b+c", [('a', 'a b'), ('b', 'b c')]), ++ ("a=1;a=2", [('a', '1'), ('a', '2')]), ++ (b";", []), ++ (b";;", []), ++ (b";a=b", [(b'a', b'b')]), ++ (b"a=a+b;b=b+c", [(b'a', b'a b'), (b'b', b'b c')]), ++ (b"a=1;a=2", [(b'a', b'1'), (b'a', b'2')]), ++] ++ ++parse_qsl_test_cases_legacy = [ ++ (b"a=1;a=2&a=3", [(b'a', b'1'), (b'a', b'2'), (b'a', b'3')]), ++ (b"a=1;b=2&c=3", [(b'a', b'1'), (b'b', b'2'), (b'c', b'3')]), ++ (b"a=1&b=2&c=3;", [(b'a', b'1'), (b'b', b'2'), (b'c', b'3')]), ++] ++ ++parse_qsl_test_cases_warn = [ + (";a=b", [(';a', 'b')]), + ("a=a+b;b=b+c", [('a', 'a b;b=b c')]), + (b";a=b", [(b';a', b'b')]), + (b"a=a+b;b=b+c", [(b'a', b'a b;b=b c')]), ++ ("a=1;a=2&a=3", [('a', '1;a=2'), ('a', '3')]), ++ (b"a=1;a=2&a=3", [(b'a', b'1;a=2'), (b'a', b'3')]), + ] + + # Each parse_qs testcase is a two-tuple that contains +@@ -62,10 +91,37 @@ parse_qs_test_cases = [ + (b"&a=b", {b'a': [b'b']}), + (b"a=a+b&b=b+c", {b'a': [b'a b'], b'b': [b'b c']}), + (b"a=1&a=2", {b'a': [b'1', b'2']}), ++] ++ ++parse_qs_test_cases_semicolon = [ ++ (";", {}), ++ (";;", {}), ++ (";a=b", {'a': ['b']}), ++ ("a=a+b;b=b+c", {'a': ['a b'], 'b': ['b c']}), ++ ("a=1;a=2", {'a': ['1', '2']}), ++ (b";", {}), ++ (b";;", {}), ++ (b";a=b", {b'a': [b'b']}), ++ (b"a=a+b;b=b+c", {b'a': [b'a b'], b'b': [b'b c']}), ++ (b"a=1;a=2", {b'a': [b'1', b'2']}), ++] ++ ++parse_qs_test_cases_legacy = [ ++ ("a=1;a=2&a=3", {'a': ['1', '2', '3']}), ++ ("a=1;b=2&c=3", {'a': ['1'], 'b': ['2'], 'c': ['3']}), ++ ("a=1&b=2&c=3;", {'a': ['1'], 'b': ['2'], 'c': ['3']}), ++ (b"a=1;a=2&a=3", {b'a': [b'1', b'2', b'3']}), ++ (b"a=1;b=2&c=3", {b'a': [b'1'], b'b': [b'2'], b'c': [b'3']}), ++ (b"a=1&b=2&c=3;", {b'a': [b'1'], b'b': [b'2'], b'c': [b'3']}), ++] ++ 
++parse_qs_test_cases_warn = [ + (";a=b", {';a': ['b']}), + ("a=a+b;b=b+c", {'a': ['a b;b=b c']}), + (b";a=b", {b';a': [b'b']}), + (b"a=a+b;b=b+c", {b'a':[ b'a b;b=b c']}), ++ ("a=1;a=2&a=3", {'a': ['1;a=2', '3']}), ++ (b"a=1;a=2&a=3", {b'a': [b'1;a=2', b'3']}), + ] + + class UrlParseTestCase(unittest.TestCase): +@@ -123,23 +179,57 @@ class UrlParseTestCase(unittest.TestCase): + + def test_qsl(self): + for orig, expect in parse_qsl_test_cases: +- result = urllib.parse.parse_qsl(orig, keep_blank_values=True) ++ result = urllib.parse.parse_qsl(orig, keep_blank_values=True, separator="&") + self.assertEqual(result, expect, "Error parsing %r" % orig) + expect_without_blanks = [v for v in expect if len(v[1])] +- result = urllib.parse.parse_qsl(orig, keep_blank_values=False) ++ result = urllib.parse.parse_qsl(orig, keep_blank_values=False, separator="&") + self.assertEqual(result, expect_without_blanks, + "Error parsing %r" % orig) + + def test_qs(self): + for orig, expect in parse_qs_test_cases: +- result = urllib.parse.parse_qs(orig, keep_blank_values=True) ++ result = urllib.parse.parse_qs(orig, keep_blank_values=True, separator="&") + self.assertEqual(result, expect, "Error parsing %r" % orig) + expect_without_blanks = {v: expect[v] + for v in expect if len(expect[v][0])} +- result = urllib.parse.parse_qs(orig, keep_blank_values=False) ++ result = urllib.parse.parse_qs(orig, keep_blank_values=False, separator="&") + self.assertEqual(result, expect_without_blanks, + "Error parsing %r" % orig) + ++ def test_qs_default_warn(self): ++ for orig, expect in parse_qs_test_cases_warn: ++ with self.subTest(orig=orig, expect=expect): ++ with catch_warnings(record=True) as w: ++ result = urllib.parse.parse_qs(orig, keep_blank_values=True) ++ self.assertEqual(result, expect, "Error parsing %r" % orig) ++ self.assertEqual(len(w), 1) ++ self.assertEqual(w[0].category, urllib.parse._QueryStringSeparatorWarning) ++ ++ def test_qsl_default_warn(self): ++ for orig, expect in 
parse_qsl_test_cases_warn: ++ with self.subTest(orig=orig, expect=expect): ++ with catch_warnings(record=True) as w: ++ result = urllib.parse.parse_qsl(orig, keep_blank_values=True) ++ self.assertEqual(result, expect, "Error parsing %r" % orig) ++ self.assertEqual(len(w), 1) ++ self.assertEqual(w[0].category, urllib.parse._QueryStringSeparatorWarning) ++ ++ def test_default_qs_no_warnings(self): ++ for orig, expect in parse_qs_test_cases: ++ with self.subTest(orig=orig, expect=expect): ++ with catch_warnings(record=True) as w: ++ result = urllib.parse.parse_qs(orig, keep_blank_values=True) ++ self.assertEqual(result, expect, "Error parsing %r" % orig) ++ self.assertEqual(len(w), 0) ++ ++ def test_default_qsl_no_warnings(self): ++ for orig, expect in parse_qsl_test_cases: ++ with self.subTest(orig=orig, expect=expect): ++ with catch_warnings(record=True) as w: ++ result = urllib.parse.parse_qsl(orig, keep_blank_values=True) ++ self.assertEqual(result, expect, "Error parsing %r" % orig) ++ self.assertEqual(len(w), 0) ++ + def test_roundtrips(self): + str_cases = [ + ('file:///tmp/junk.txt', +@@ -871,8 +961,8 @@ class UrlParseTestCase(unittest.TestCase): + + def test_parse_qsl_max_num_fields(self): + with self.assertRaises(ValueError): +- urllib.parse.parse_qs('&'.join(['a=a']*11), max_num_fields=10) +- urllib.parse.parse_qs('&'.join(['a=a']*10), max_num_fields=10) ++ urllib.parse.parse_qs('&'.join(['a=a']*11), max_num_fields=10, separator='&') ++ urllib.parse.parse_qs('&'.join(['a=a']*10), max_num_fields=10, separator='&') + + def test_parse_qs_separator(self): + parse_qs_semicolon_cases = [ +diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py +index 36fd8fe..83638bb 100644 +--- a/Lib/urllib/parse.py ++++ b/Lib/urllib/parse.py +@@ -28,6 +28,7 @@ test_urlparse.py provides a good indicator of parsing behavior. 
+ """ + + import re ++import os + import sys + import collections + import warnings +@@ -650,7 +651,7 @@ def unquote(string, encoding='utf-8', errors='replace'): + + + def parse_qs(qs, keep_blank_values=False, strict_parsing=False, +- encoding='utf-8', errors='replace', max_num_fields=None, separator='&'): ++ encoding='utf-8', errors='replace', max_num_fields=None, separator=None): + """Parse a query given as a string argument. + + Arguments: +@@ -690,9 +691,16 @@ def parse_qs(qs, keep_blank_values=False, strict_parsing=False, + parsed_result[name] = [value] + return parsed_result + ++class _QueryStringSeparatorWarning(RuntimeWarning): ++ """Warning for using default `separator` in parse_qs or parse_qsl""" ++ ++# The default "separator" for parse_qsl can be specified in a config file. ++# It's cached after first read. ++_QS_SEPARATOR_CONFIG_FILENAME = '/etc/python/urllib.cfg' ++_default_qs_separator = None + + def parse_qsl(qs, keep_blank_values=False, strict_parsing=False, +- encoding='utf-8', errors='replace', max_num_fields=None, separator='&'): ++ encoding='utf-8', errors='replace', max_num_fields=None, separator=None): + """Parse a query given as a string argument. + + Arguments: +@@ -721,20 +729,78 @@ def parse_qsl(qs, keep_blank_values=False, strict_parsing=False, + Returns a list, as G-d intended. + """ + qs, _coerce_result = _coerce_args(qs) +- separator, _ = _coerce_args(separator) + +- if not separator or (not isinstance(separator, (str, bytes))): ++ if isinstance(separator, bytes): ++ separator = separator.decode('ascii') ++ ++ if (not separator or (not isinstance(separator, (str, bytes)))) and separator is not None: + raise ValueError("Separator must be of type string or bytes.") + ++ # Used when both "&" and ";" act as separators. (Need a non-string value.) 
++ _legacy = object() ++ ++ if separator is None: ++ global _default_qs_separator ++ separator = _default_qs_separator ++ envvar_name = 'PYTHON_URLLIB_QS_SEPARATOR' ++ if separator is None: ++ # Set default separator from environment variable ++ separator = os.environ.get(envvar_name) ++ config_source = 'environment variable' ++ if separator is None: ++ # Set default separator from the configuration file ++ try: ++ file = open(_QS_SEPARATOR_CONFIG_FILENAME) ++ except FileNotFoundError: ++ pass ++ else: ++ with file: ++ import configparser ++ config = configparser.ConfigParser( ++ interpolation=None, ++ comment_prefixes=('#', ), ++ ) ++ config.read_file(file) ++ separator = config.get('parse_qs', envvar_name, fallback=None) ++ _default_qs_separator = separator ++ config_source = _QS_SEPARATOR_CONFIG_FILENAME ++ if separator is None: ++ # The default is '&', but warn if not specified explicitly ++ if ';' in qs: ++ from warnings import warn ++ warn("The default separator of urllib.parse.parse_qsl and " ++ + "parse_qs was changed to '&' to avoid a web cache " ++ + "poisoning issue (CVE-2021-23336). " ++ + "By default, semicolons no longer act as query field " ++ + "separators. " ++ + "See https://access.redhat.com/articles/5860431 for " ++ + "more details.", ++ _QueryStringSeparatorWarning, stacklevel=2) ++ separator = '&' ++ elif separator == 'legacy': ++ separator = _legacy ++ elif len(separator) != 1: ++ raise ValueError( ++ f'{envvar_name} (from {config_source}) must contain ' ++ + '1 character, or "legacy". See ' ++ + 'https://access.redhat.com/articles/5860431 for more details.' ++ ) ++ + # If max_num_fields is defined then check that the number of fields + # is less than max_num_fields. This prevents a memory exhaustion DOS + # attack via post bodies with many fields. 
+ if max_num_fields is not None: +- num_fields = 1 + qs.count(separator) ++ if separator is _legacy: ++ num_fields = 1 + qs.count('&') + qs.count(';') ++ else: ++ num_fields = 1 + qs.count(separator) + if max_num_fields < num_fields: + raise ValueError('Max number of fields exceeded') + +- pairs = [s1 for s1 in qs.split(separator)] ++ if separator is _legacy: ++ pairs = [s2 for s1 in qs.split('&') for s2 in s1.split(';')] ++ else: ++ pairs = [s1 for s1 in qs.split(separator)] + r = [] + for name_value in pairs: + if not name_value and not strict_parsing: +-- +2.31.1 + diff --git a/SOURCES/00365-CVE-2021-29921.patch b/SOURCES/00365-CVE-2021-29921.patch new file mode 100644 index 0000000..b3f8176 --- /dev/null +++ b/SOURCES/00365-CVE-2021-29921.patch 
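Review bot: In the `parse_qsl` part of this patch, `_default_qs_separator = separator` caches the value read from `/etc/python/urllib.cfg` before it is validated, while `config_source` is assigned only on the environment-variable and config-file paths. If the nesting is as it appears (indentation is lost in this view), a config value that is neither one character nor `legacy` raises the intended ValueError on the first call. Later calls then take the cached value, skip both lookups, and fail in the `len(separator) != 1` branch with an unbound `config_source` instead of the documented message. Validating before caching, or adding `config_source = _QS_SEPARATOR_CONFIG_FILENAME` right after `separator = _default_qs_separator`, keeps the error stable. Separately, only `FileNotFoundError` is handled around `open(_QS_SEPARATOR_CONFIG_FILENAME)`, so an unreadable or malformed file would propagate out of every default-separator call; the comment above `_QS_SEPARATOR_CONFIG_FILENAME` should say whether that is intended.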
@@ -0,0 +1,62 @@ +diff --git a/Doc/library/ipaddress.rst b/Doc/library/ipaddress.rst +index 2cdfddb..d464d2a 100644 +--- a/Doc/library/ipaddress.rst ++++ b/Doc/library/ipaddress.rst +@@ -104,8 +104,7 @@ write code that handles both IP versions correctly. Address objects are + 1. A string in decimal-dot notation, consisting of four decimal integers in + the inclusive range 0--255, separated by dots (e.g. ``192.168.0.1``). Each + integer represents an octet (byte) in the address. Leading zeroes are +- tolerated only for values less than 8 (as there is no ambiguity +- between the decimal and octal interpretations of such strings). ++ not tolerated to prevent confusion with octal notation. + 2. An integer that fits into 32 bits. + 3. An integer packed into a :class:`bytes` object of length 4 (most + significant octet first). +diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py +index 28b7b61..d351f07 100644 +--- a/Lib/ipaddress.py ++++ b/Lib/ipaddress.py +@@ -1173,6 +1173,11 @@ class _BaseV4: + if len(octet_str) > 3: + msg = "At most 3 characters permitted in %r" + raise ValueError(msg % octet_str) ++ # Handle leading zeros as strict as glibc's inet_pton() ++ # See security bug bpo-36384 ++ if octet_str != '0' and octet_str[0] == '0': ++ msg = "Leading zeros are not permitted in %r" ++ raise ValueError(msg % octet_str) + # Convert to integer (we know digits are legal) + octet_int = int(octet_str, 10) + if octet_int > 255: +diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py +index 2f1c5b6..1297b83 100644 +--- a/Lib/test/test_ipaddress.py ++++ b/Lib/test/test_ipaddress.py +@@ -97,10 +97,23 @@ class CommonTestMixin: + class CommonTestMixin_v4(CommonTestMixin): + + def test_leading_zeros(self): +- self.assertInstancesEqual("000.000.000.000", "0.0.0.0") +- self.assertInstancesEqual("192.168.000.001", "192.168.0.1") +- self.assertInstancesEqual("016.016.016.016", "16.16.16.16") +- self.assertInstancesEqual("001.000.008.016", "1.0.8.16") ++ # bpo-36384: no 
leading zeros to avoid ambiguity with octal notation ++ msg = "Leading zeros are not permitted in '\d+'" ++ addresses = [ ++ "000.000.000.000", ++ "192.168.000.001", ++ "016.016.016.016", ++ "192.168.000.001", ++ "001.000.008.016", ++ "01.2.3.40", ++ "1.02.3.40", ++ "1.2.03.40", ++ "1.2.3.040", ++ ] ++ for address in addresses: ++ with self.subTest(address=address): ++ with self.assertAddressError(msg): ++ self.factory(address) + + def test_int(self): + self.assertInstancesEqual(0, "0.0.0.0") diff --git a/SPECS/python.spec b/SPECS/python.spec index efe1b09..72478b9 100644 --- a/SPECS/python.spec +++ b/SPECS/python.spec @@ -20,11 +20,11 @@ URL: https://www.python.org/ # WARNING When rebasing to a new Python version, # remember to update the python3-docs package as well -%global general_version %{pybasever}.6 +%global general_version %{pybasever}.11 #global prerel ... %global upstream_version %{general_version}%{?prerel} Version: %{general_version}%{?prerel:~%{prerel}} -Release: 1%{?dist} +Release: 2%{?dist} License: Python # ================================== @@ -372,6 +372,19 @@ Patch328: 00328-pyc-timestamp-invalidation-mode.patch # Resolves: rhbz#1817494 Patch329: 00329-fips.patch +# 00359 # +# CVE-2021-23336 python: Web Cache Poisoning via urllib.parse.parse_qsl and +# urllib.parse.parse_qs by using a semicolon in query parameters +# Upstream: https://bugs.python.org/issue42967 +# Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1928904 +Patch359: 00359-CVE-2021-23336.patch + +# 00365 # +# CVE-2021-29921: Improper input validation of octal strings in the ipaddress module +# Upstream: https://bugs.python.org/issue36384 +# Main bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1957458 +Patch365: 00365-CVE-2021-29921.patch + # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora, EL, etc., 
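Review bot: In the `test_leading_zeros` change to Lib/test/test_ipaddress.py, `"Leading zeros are not permitted in '\d+'"` is an ordinary string literal, so `\d` is an invalid escape sequence that Python 3.8 flags with a DeprecationWarning. The string is presumably matched as a regular expression by `assertAddressError`, so it should be raw: `msg = r"Leading zeros are not permitted in '\d+'"`. The `addresses` list also contains `"192.168.000.001"` twice, so one entry adds no coverage. The patch file itself starts directly at `diff --git` with no From/Subject header, unlike 00359, so the upstream commit it backports is traceable only through the comment in the spec file.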
@@ -704,6 +717,8 @@ rm Lib/ensurepip/_bundled/*.whl %patch274 -p1 %patch328 -p1 %patch329 -p1 +%patch359 -p1 +%patch365 -p1 cat %{PATCH300} | sed -e "s/__SCL_NAME__/%{?scl}/" \ | patch -p1 @@ -1687,10 +1702,19 @@ CheckPython optimized # ====================================================== %changelog +* Thu Jul 22 2021 Charalampos Stratakis - 3.8.11-2 +- Security fix for CVE-2021-29921: Leading zeros in IPv4 addresses are no longer tolerated +Resolves: rhbz#1957458 + +* Wed Jun 09 2021 Charalampos Stratakis - 3.8.11-1 +- Update to 3.8.11 +- Security fixes for CVE-2021-3426, CVE-2021-23336, CVE-2021-3177 and CVE-2020-27619 +Resolves: rhbz#1935913, rhbz#1928904, rhbz#1918168, rhbz#1889886 + * Mon Oct 05 2020 Charalampos Stratakis - 3.8.6-1 - Update to 3.8.6 - Security fixes for CVE-2020-26116, CVE-2020-14422 and CVE-2019-20907 -Resolves: rhbz#1885289, rhbz#1885287, rhbz#1885290, rhbz#1885296 +Resolves: rhbz#1882438, rhbz#1883256, rhbz#1857277, rhbz#1856546 * Tue Apr 28 2020 Charalampos Stratakis - 3.8.0-15 - Add a sentinel value on the Hmac_members table of the fips compliant hmac module