[Security-sig] Pending security features for 3.6
Christian Heimes
christian at python.org
Mon Aug 15 13:12:45 EDT 2016
Hi,
(2nd attempt, first mail didn't make it)
I have a bunch of tickets with security-related improvements or features
for Python 3.6. Most of the tickets come with patches and tests. Some of
the patches might be outdated or conflict with tip. I have branches on
my private github fork for all patches.
Please review the patches and decide which features you like to include
in future releases.
Make ssl module compatible with OpenSSL 1.1.0
---------------------------------------------
http://bugs.python.org/issue26470
https://github.com/tiran/cpython/commits/feature/openssl110
https://github.com/tiran/cpython/commits/feature/openssl110_27
OpenSSL 1.1.0 changes several APIs, e.g. it makes structs opaque. The
ticket has patches for 2.7 and 3.x series. It should be applied to all
Python versions that are open for security patches.
Add ChaCha20 Poly1305 to SSL ciphers
------------------------------------
http://bugs.python.org/issue27766
https://github.com/tiran/cpython/commits/feature/chacha20
The ticket changes the default cipher list and moves ChaCha20 Poly1305
up front. For now the patch makes only sense with OpenSSL 1.1.0 since
1.0.2 does not include the cipher. I expect to see backports, though. It
should be applied to all Python versions, too.
ssl: add public API for IA-32 processor capabilities vector
-----------------------------------------------------------
http://bugs.python.org/issue27768
This ticket doesn't have a patch yet. I'm going to move code from ticket
27766 to a separate ticket. Alex and Cory have requested to make the API
public.
Add AF_ALG (Linux Kernel crypto) to socket module
-------------------------------------------------
http://bugs.python.org/issue27744
https://github.com/tiran/cpython/commits/feature/af_alg
AF_ALG is a Linux-only socket it to interface with Kernel space crypto.
It's limited but has a couple of really useful properties, e.g.
zero-copy hashing of files with sendfile() or storing key material
securely in Kernel memory.
Add BLAKE2 to hashlib
---------------------
http://bugs.python.org/issue26798
https://github.com/tiran/cpython/commits/feature/blake2
BLAKE2 is a fast and powerful hash algorithm. It's as secure as SHA-2
family, faster than MD5 and has built-in features like MAC support,
variable output length, salting and personalization. Donald uses BLAKE2
for PyPI. The patch was refused on python-dev because it introduces too
much new code.
Add SHA-3 and SHAKE (Keccak) support
------------------------------------
http://bugs.python.org/issue16113
https://github.com/tiran/cpython/commits/feature/sha3
SHA-3 is the successor of SHA-2. Like BLAKE2 the patch was refused on
python-dev because it introduces too much new code.
Add truncated SHA512/224 and SHA512/256
---------------------------------------
http://bugs.python.org/issue26834
https://github.com/tiran/cpython/commits/feature/sha512truncated
Truncated SHA512/224 and SHA512/256 use the SHA512 algorithm instead of
SHA256 algorithm. Like SHA384 it's SHA512 with a different init vector
and truncated output.
Christian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: <http://mail.python.org/pipermail/security-sig/attachments/20160815/2a871f78/attachment.sig>
More information about the Security-SIG
mailing list