Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork33.3k
gh-61460: Stronger HMAC in multiprocessing#20380
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Conversation
Signed-off-by: Christian Heimes <christian@python.org>
f4d7007 toc7f7680CompareI'm just wondering here, but is this still waiting for reviews before it can be merged? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Why jump through all the hoops to specify the digest in the protocol? Don't we always control both ends of the connection so there should never be a situation where negotiation and understanding of what was used is needed?
That'd be a lot less complicated.
And not prone to the potential problem this has of always stooping to the lowest level decided upon out by the challenge initiator rather thanrequiring a specific hash to be used on the channel.
Misc/NEWS.d/next/Library/2020-05-25-12-42-36.bpo-17258.lf2554.rst OutdatedShow resolvedHide resolved
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
The protocol modification idea remains, but we now take advantage of themessage length as an indicator of legacy vs modern protocol version. Nomore regular expression usage. We now default to HMAC-SHA256, but do soin a way that will be compatible when communicating with older clientsor older servers. No protocol transition period is needed.More unittests to verify these claims remain true are required.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
netlifybot commentedDec 11, 2022 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
✅ Deploy Preview forpython-cpython-preview ready!
To edit notification comments on pull requests, go to yourNetlify site settings. |
merged, we'll see how this goes during the betas! |
xnox commentedSep 5, 2024
Given this is backwards and forwards compatible, and doesn't change default connectivity methods, has it been considered for backports to earlier python versions? as it would increase overlap as to which servers can interoperate, thus allowing to eventually change the default organically as md5 drops off in availability on the most modern servers/OSes. |
There's no appetite to do it (see my comment on the original issue, this is a feature, not a bugfix, and not a security fix 3.11 and earlier are security fix only now). People who think they need this are better off upgrading to 3.12.(the default does change in this PR FWIW, but if someone were backporting it into their own old runtime they could consider making |
bpo-17258: `multiprocessing` now supports stronger HMAC algorithms for inter-process connection authentication rather than only HMAC-MD5.Signed-off-by: Christian Heimes <christian@python.org>gpshead: I Reworked to be more robust while keeping the idea.The protocol modification idea remains, but we now take advantage of themessage length as an indicator of legacy vs modern protocol version. Nomore regular expression usage. We now default to HMAC-SHA256, but do soin a way that will be compatible when communicating with older clientsor older servers. No protocol transition period is needed.More integration tests to verify these claims remain true are required. I'munaware of anyone depending on multiprocessing connections betweendifferent Python versions.---------(cherry picked from commit3ed57e4)Co-authored-by: Christian Heimes <christian@python.org>Signed-off-by: Christian Heimes <christian@python.org>Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
bpo-17258: `multiprocessing` now supports stronger HMAC algorithms for inter-process connection authentication rather than only HMAC-MD5.Signed-off-by: Christian Heimes <christian@python.org>gpshead: I Reworked to be more robust while keeping the idea.The protocol modification idea remains, but we now take advantage of themessage length as an indicator of legacy vs modern protocol version. Nomore regular expression usage. We now default to HMAC-SHA256, but do soin a way that will be compatible when communicating with older clientsor older servers. No protocol transition period is needed.More integration tests to verify these claims remain true are required. I'munaware of anyone depending on multiprocessing connections betweendifferent Python versions.---------(cherry picked from commit3ed57e4)Co-authored-by: Christian Heimes <christian@python.org>Signed-off-by: Christian Heimes <christian@python.org>Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
[3.10]pythongh-61460: Stronger HMAC in multiprocessing (pythonGH-20380)
Uh oh!
There was an error while loading.Please reload this page.
See also#61460
Signed-off-by: Christian Heimeschristian@python.org
#61460 formerly known ashttps://bugs.python.org/issue17258