Pending security features for 3.6
Hi,

(2nd attempt, first mail didn't make it)

I have a bunch of tickets with security-related improvements or features for Python 3.6. Most of the tickets come with patches and tests. Some of the patches might be outdated or conflict with tip. I have branches on my private github fork for all patches.

Please review the patches and decide which features you like to include in future releases.

Make ssl module compatible with OpenSSL 1.1.0
---------------------------------------------

http://bugs.python.org/issue26470
https://github.com/tiran/cpython/commits/feature/openssl110
https://github.com/tiran/cpython/commits/feature/openssl110_27

OpenSSL 1.1.0 changes several APIs, e.g. it makes structs opaque. The ticket has patches for 2.7 and 3.x series. It should be applied to all Python versions that are open for security patches.

Add ChaCha20 Poly1305 to SSL ciphers
------------------------------------

http://bugs.python.org/issue27766
https://github.com/tiran/cpython/commits/feature/chacha20

The ticket changes the default cipher list and moves ChaCha20 Poly1305 up front. For now the patch makes only sense with OpenSSL 1.1.0 since 1.0.2 does not include the cipher. I expect to see backports, though. It should be applied to all Python versions, too.

ssl: add public API for IA-32 processor capabilities vector
-----------------------------------------------------------

http://bugs.python.org/issue27768

This ticket doesn't have a patch yet. I'm going to move code from ticket 27766 to a separate ticket. Alex and Cory have requested to make the API public.

Add AF_ALG (Linux Kernel crypto) to socket module
-------------------------------------------------

http://bugs.python.org/issue27744
https://github.com/tiran/cpython/commits/feature/af_alg

AF_ALG is a Linux-only socket to interface with Kernel space crypto. It's limited but has a couple of really useful properties, e.g. zero-copy hashing of files with sendfile() or storing key material securely in Kernel memory.

Add BLAKE2 to hashlib
---------------------

http://bugs.python.org/issue26798
https://github.com/tiran/cpython/commits/feature/blake2

BLAKE2 is a fast and powerful hash algorithm. It's as secure as SHA-2 family, faster than MD5 and has built-in features like MAC support, variable output length, salting and personalization. Donald uses BLAKE2 for PyPI. The patch was refused on python-dev because it introduces too much new code.

Add SHA-3 and SHAKE (Keccak) support
------------------------------------

http://bugs.python.org/issue16113
https://github.com/tiran/cpython/commits/feature/sha3

SHA-3 is the successor of SHA-2. Like BLAKE2 the patch was refused on python-dev because it introduces too much new code.

Add truncated SHA512/224 and SHA512/256
---------------------------------------

http://bugs.python.org/issue26834
https://github.com/tiran/cpython/commits/feature/sha512truncated

Truncated SHA512/224 and SHA512/256 use the SHA512 algorithm instead of SHA256 algorithm. Like SHA384 it's SHA512 with a different init vector and truncated output.

Christian
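The BLAKE2 features listed in the message above (MAC support, variable output length, salting, personalization), shown with the `hashlib.blake2b` API as it ships in Python 3.6 and later. This is an added example, not part of the original mail or of the patch; the key, messages and purpose strings are constructed.

```python
import hashlib
import hmac

# Constructed sample key; blake2b accepts keys of up to 64 bytes.
KEY = b"constructed-demo-key-not-a-real-secret"


def blake2_tag(key, message, purpose, size=16):
    """Keyed BLAKE2b tag (the built-in MAC mode, no HMAC wrapper needed).

    `purpose` is the personalization string (max 16 bytes): tags made for
    one purpose do not verify for another, even under the same key.
    `size` is the digest length in bytes (1..64).
    """
    return hashlib.blake2b(message, key=key, person=purpose,
                           digest_size=size).digest()


def verify_tag(key, message, purpose, tag):
    """Constant-time check of a tag produced by blake2_tag()."""
    if not 1 <= len(tag) <= 64:
        return False
    expected = blake2_tag(key, message, purpose, size=len(tag))
    return hmac.compare_digest(expected, tag)


def salted_digest(message, salt, size=32):
    """Unkeyed, salted digest; the salt is limited to 16 bytes."""
    return hashlib.blake2b(message, salt=salt, digest_size=size).hexdigest()


if __name__ == "__main__":
    tag = blake2_tag(KEY, b"user=alice", b"session-cookie")
    print(tag.hex())
    print(verify_tag(KEY, b"user=alice", b"session-cookie", tag))
    print(verify_tag(KEY, b"user=alice", b"password-reset", tag))
```

The digest length is an input to the hash, so a 16-byte tag is not the first 16 bytes of a 32-byte tag for the same message.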
On Aug 15, 2016, at 1:12 PM, Christian Heimes wrote:

> Add BLAKE2 to hashlib
> ---------------------
>
> http://bugs.python.org/issue26798
> https://github.com/tiran/cpython/commits/feature/blake2
>
> BLAKE2 is a fast and powerful hash algorithm. It's as secure as SHA-2 family, faster than MD5 and has built-in features like MAC support, variable output length, salting and personalization. Donald uses BLAKE2 for PyPI. The patch was refused on python-dev because it introduces too much new code.

This in particular is something I’m very hoping will land. I’m hoping to transition PyPI over to primarily using blake2 (though will need others for backwards compatibility) and not having blake2 in the stdlib makes this much less feasible.

— Donald Stufft
For what it’s worth, I’d like to highlight the things that are extremely important to my area of the world (namely, securing HTTPS connections).

On 15 Aug 2016, at 18:12, Christian Heimes wrote:

> Make ssl module compatible with OpenSSL 1.1.0
> ---------------------------------------------
>
> http://bugs.python.org/issue26470
> https://github.com/tiran/cpython/commits/feature/openssl110
> https://github.com/tiran/cpython/commits/feature/openssl110_27
>
> OpenSSL 1.1.0 changes several APIs, e.g. it makes structs opaque. The ticket has patches for 2.7 and 3.x series. It should be applied to all Python versions that are open for security patches.

This is extremely important. The 1.1 series of OpenSSL releases is going to be the only collection of OpenSSLs that get support for TLS 1.3, which contains several substantial security and resiliency enhancements. The fact that they’re dramatically changing their API, while annoying for backported Python releases, is not a good reason not to backport this. We should backport to 2.7 and the active 3.x releases for sure.

> Add ChaCha20 Poly1305 to SSL ciphers
> ------------------------------------
>
> http://bugs.python.org/issue27766
> https://github.com/tiran/cpython/commits/feature/chacha20
>
> The ticket changes the default cipher list and moves ChaCha20 Poly1305 up front. For now the patch makes only sense with OpenSSL 1.1.0 since 1.0.2 does not include the cipher. I expect to see backports, though. It should be applied to all Python versions, too.

There’s no reason not to backport this too. ChaCha20-Poly1305 is not currently a security enhancement over the state of the art in TLS (AES-GCM), but it has performance advantages on some platforms and, more importantly, provides us another good AEAD to move to if AES-GCM is broken in any form. Backporting this would also be advantageous, though not required for Requests or Twisted, which have already provided their equivalent patches.

> ssl: add public API for IA-32 processor capabilities vector
> -----------------------------------------------------------
>
> http://bugs.python.org/issue27768
>
> This ticket doesn't have a patch yet. I'm going to move code from ticket 27766 to a separate ticket. Alex and Cory have requested to make the API public.

I noted above that ChaCha20-Poly1305 performs better on some platforms. Specifically, it performs better on platforms without the AES-NI extended instruction set. Ideally on platforms without those instructions we’d prioritise ChaCha20-Poly1305 over AES-GCM, but right now we cannot ask that question from Python code. This API would allow us to do so. It’s not urgent, and I don’t mind if we don’t backport it, but it’d be extremely useful to have access to the API (and, to be clear, Requests will almost certainly use the API if it’s available from Python code, *even* if it’s private).

The rest are all good, but matter far less to the TLS crowd. =)

Cory
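The cipher-ordering decision described in the reply above, as an added example that is not code from the thread, from Requests or from CPython. It does not use the API proposed in issue 27768; as a stand-in it assumes a Linux x86 host and reads the `aes` flag from `/proc/cpuinfo` text, and the two cpuinfo excerpts, the function names and the cipher groups are constructed for illustration.

```python
import ssl

# Constructed /proc/cpuinfo excerpts (Linux x86 layout), not from real hosts.
CPUINFO_WITH_AESNI = "processor\t: 0\nflags\t\t: fpu vme sse2 ssse3 aes avx\n"
CPUINFO_WITHOUT_AESNI = "processor\t: 0\nflags\t\t: fpu vme sse2 ssse3\n"

# OpenSSL cipher-string groups for the two AEADs discussed in the thread.
AEAD_GROUPS = {"aesgcm": "ECDHE+AESGCM", "chacha": "ECDHE+CHACHA20"}
EXCLUDE = "!aNULL:!eNULL:!MD5:!3DES"


def has_aesni(cpuinfo_text):
    """True only if every CPU listed advertises the 'aes' (AES-NI) flag."""
    flag_sets = [line.split(":", 1)[1].split()
                 for line in cpuinfo_text.splitlines()
                 if line.startswith("flags") and ":" in line]
    return bool(flag_sets) and all("aes" in flags for flags in flag_sets)


def cipher_string(aesni):
    """Put AES-GCM first with AES-NI, ChaCha20-Poly1305 first without it."""
    order = ["aesgcm", "chacha"] if aesni else ["chacha", "aesgcm"]
    return ":".join([AEAD_GROUPS[name] for name in order] + [EXCLUDE])


def build_context(cpuinfo_text):
    """Client context whose TLS 1.2 suite order follows the CPU check.

    set_ciphers() does not reorder TLS 1.3 suites; OpenSSL manages those
    separately.
    """
    ctx = ssl.create_default_context()
    ctx.set_ciphers(cipher_string(has_aesni(cpuinfo_text)))
    return ctx


if __name__ == "__main__":
    for sample in (CPUINFO_WITH_AESNI, CPUINFO_WITHOUT_AESNI):
        print(has_aesni(sample), cipher_string(has_aesni(sample)))
```

Missing or unparsable cpuinfo text is treated as "no AES-NI", so the fallback is the ordering that performs acceptably on either kind of hardware.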
On 16 August 2016 at 03:12, Christian Heimes wrote:

> Hi,
>
> (2nd attempt, first mail didn't make it)
>
> I have a bunch of tickets with security-related improvements or features for Python 3.6. Most of the tickets come with patches and tests. Some of the patches might be outdated or conflict with tip. I have branches on my private github fork for all patches.
>
> Please review the patches and decide which features you like to include in future releases.

I think they all make sense for Python 3.6 - while I acknowledge the maintainability concerns raised on python-dev with the expansion of security related features, I also think that's an ongoing sustainability problem we need to tackle by getting commercial redistributors to better earn their support fees, rather than refusing to allow the work to be done in the interim.

For Python 3.5 and 2.7, we're probably due for a successor to PEP 466 that syncs the ssl support in those versions with the 3.6 version of the module - that should hopefully be less controversial this time around.

Cheers,
Nick.

--
Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia
Hi,

thanks for the feedback. Since my last mail a couple of things have happened. Victor has reviewed my AF_ALG patch and I got some feedback on a new variant of setsockopt() on python-dev. The patch is almost ready.

I have submitted updated patch for SHA-3 and BLAKE2 support. Both need a final review and ACK.

OpenSSL 1.1 has been released and block ciphers with small blocks have been found insecure. This affects 3DES in our default cipher list. OpenSSL 1.1.0 has removed 3DES, which broke one test. I'm going to update my OpenSSL 1.1 patch soonish.

I have two more security tickets in the queue. Please give feedback.

Remove 3DES from cipher list (sweet32 CVE-2016-2183)
----------------------------------------------------

https://bugs.python.org/issue27850

Fix for https://sweet32.info/

ssl: get list of enabled ciphers
--------------------------------

https://github.com/tiran/cpython/tree/feature/openssl_ciphers
https://bugs.python.org/issue27866

Counterpart of SSLContext.set_ciphers(), SSLContext.get_ciphers() returns list of dicts with enabled ciphers.
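The two tickets in the message above combine into a simple audit: list the enabled suites with `SSLContext.get_ciphers()` (available since Python 3.6) and flag any that use a 64-bit block cipher, the class affected by Sweet32. This is an added example, not code from the tickets; the function names, the marker list and the sample cipher list are constructed, and only the `name` key of each dict is relied on.

```python
import ssl

# Name tokens that identify suites built on 64-bit block ciphers.
SMALL_BLOCK_TOKENS = {"DES", "3DES", "IDEA", "RC2"}

# Constructed sample in the shape get_ciphers() returns (list of dicts).
SAMPLE_CIPHERS = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2"},
    {"name": "ECDHE-RSA-DES-CBC3-SHA", "protocol": "TLSv1.0"},
    {"name": "DES-CBC3-SHA", "protocol": "SSLv3"},
    {"name": "TLS_CHACHA20_POLY1305_SHA256", "protocol": "TLSv1.3"},
    {"name": "IDEA-CBC-SHA", "protocol": "SSLv3"},
]


def small_block_suites(ciphers):
    """Return names of suites whose name contains a small-block token.

    Names are split on '-' and '_' so that, for example, the 'DES' token
    matches DES-CBC3-SHA but nothing matches AES256-GCM-SHA384.
    """
    flagged = []
    for entry in ciphers:
        tokens = set(entry["name"].upper().replace("_", "-").split("-"))
        if tokens & SMALL_BLOCK_TOKENS:
            flagged.append(entry["name"])
    return flagged


def audit_context(ctx):
    """Audit the suites actually enabled on an SSLContext."""
    return small_block_suites(ctx.get_ciphers())


def context_without_3des(cipher_string="ECDHE+AESGCM:ECDHE+CHACHA20"):
    """Client context with 3DES excluded explicitly, as issue 27850 does
    for the default list."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(cipher_string + ":!3DES")
    return ctx


if __name__ == "__main__":
    print(small_block_suites(SAMPLE_CIPHERS))
    print(audit_context(context_without_3des()))
```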
participants (5)
- Christian Heimes
- Christian Heimes
- Cory Benfield
- Donald Stufft
- Nick Coghlan