Message 182547 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	dmalcolm
Recipients	dmalcolm, sbt
Date	2013-02-20.20:11:35
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<[email protected]>
In-reply-to

Content
Within multiprocessing.connection, deliver_challenge() and answer_challenge() use hmac for a challenge/response. hmac implicitly defaults to using MD5. MD5 should no longer be used for security purposes. See e.g. http://www.kb.cert.org/vuls/id/836068 This fails in a FIPS-compliant environment (e.g. with the patches I apply to hashlib in issue 9216). There's thus a possibility of an attacker defeating the multiprocessing authenticator. I'm attaching a patch which changes multiprocessing to use a clearly identified algorithm (for the day when it needs changing again), hardcoding it as "sha256"; presumably all processes within a multiprocess program that share authkey can share the algorithm. It's not clear to me whether hmac.py should also be changed (this would seem to have tougher backwards-compat concerns). [Note to self: I'm tracking this downstream for RHEL as https://bugzilla.redhat.com/show_bug.cgi?id=879695 (this bug is currently only visible to RH employees)]

Within multiprocessing.connection, deliver_challenge() and
answer_challenge() use hmac for a challenge/response.

hmac implicitly defaults to using MD5.

MD5 should no longer be used for security purposes.  See e.g. 
http://www.kb.cert.org/vuls/id/836068

This fails in a FIPS-compliant environment (e.g. with the patches I
apply to hashlib in issue 9216).

There's thus a possibility of an attacker defeating the multiprocessing
authenticator.

I'm attaching a patch which changes multiprocessing to use a clearly
identified algorithm (for the day when it needs changing again),
hardcoding it as "sha256"; presumably all processes within a
multiprocess program that share authkey can share the algorithm.

It's not clear to me whether hmac.py should also be changed (this would
seem to have tougher backwards-compat concerns).

[Note to self: I'm tracking this downstream for RHEL as
https://bugzilla.redhat.com/show_bug.cgi?id=879695 (this bug is
currently only visible to RH employees)]

History
Date	User	Action	Args
2013-02-20 20:11:36	dmalcolm	set	recipients: + dmalcolm, sbt
2013-02-20 20:11:36	dmalcolm	set	messageid: <[email protected]>
2013-02-20 20:11:36	dmalcolm	link	issue17258 messages
2013-02-20 20:11:36	dmalcolm	create