Hi,
(2nd attempt, first mail didn't make it)
I have a bunch of tickets with security-related improvements or features
for Python 3.6. Most of the tickets come with patches and tests. Some of
the patches might be outdated or conflict with tip. I have branches on
my private github fork for all patches.
Please review the patches and decide which features you like to include
in future releases.
Make ssl module compatible with OpenSSL 1.1.0
---------------------------------------------
http://bugs.python.org/issue26470https://github.com/tiran/cpython/commits/feature/openssl110https://github.com/tiran/cpython/commits/feature/openssl110_27
OpenSSL 1.1.0 changes several APIs, e.g. it makes structs opaque. The
ticket has patches for 2.7 and 3.x series. It should be applied to all
Python versions that are open for security patches.
Add ChaCha20 Poly1305 to SSL ciphers
------------------------------------
http://bugs.python.org/issue27766https://github.com/tiran/cpython/commits/feature/chacha20
The ticket changes the default cipher list and moves ChaCha20 Poly1305
up front. For now the patch makes only sense with OpenSSL 1.1.0 since
1.0.2 does not include the cipher. I expect to see backports, though. It
should be applied to all Python versions, too.
ssl: add public API for IA-32 processor capabilities vector
-----------------------------------------------------------
http://bugs.python.org/issue27768
This ticket doesn't have a patch yet. I'm going to move code from ticket
27766 to a separate ticket. Alex and Cory have requested to make the API
public.
Add AF_ALG (Linux Kernel crypto) to socket module
-------------------------------------------------
http://bugs.python.org/issue27744https://github.com/tiran/cpython/commits/feature/af_alg
AF_ALG is a Linux-only socket it to interface with Kernel space crypto.
It's limited but has a couple of really useful properties, e.g.
zero-copy hashing of files with sendfile() or storing key material
securely in Kernel memory.
Add BLAKE2 to hashlib
---------------------
http://bugs.python.org/issue26798https://github.com/tiran/cpython/commits/feature/blake2
BLAKE2 is a fast and powerful hash algorithm. It's as secure as SHA-2
family, faster than MD5 and has built-in features like MAC support,
variable output length, salting and personalization. Donald uses BLAKE2
for PyPI. The patch was refused on python-dev because it introduces too
much new code.
Add SHA-3 and SHAKE (Keccak) support
------------------------------------
http://bugs.python.org/issue16113https://github.com/tiran/cpython/commits/feature/sha3
SHA-3 is the successor of SHA-2. Like BLAKE2 the patch was refused on
python-dev because it introduces too much new code.
Add truncated SHA512/224 and SHA512/256
---------------------------------------
http://bugs.python.org/issue26834https://github.com/tiran/cpython/commits/feature/sha512truncated
Truncated SHA512/224 and SHA512/256 use the SHA512 algorithm instead of
SHA256 algorithm. Like SHA384 it's SHA512 with a different init vector
and truncated output.
Christian
Hi,
Would it be possible to take a decision on the PEP 522 and PEP 524?
Deadline for new features in Python 3.6 is in one month or something like
that, no?
My PEP:
https://www.python.org/dev/peps/pep-0524/
"PEP 524 -- Make os.urandom() blocking on Linux"
Nick's PEP:
https://www.python.org/dev/peps/pep-0522/
"PEP 522 -- Allow BlockingIOError in security sensitive APIs"
Victor
