From 3791bd3c9e71c510ec7f6c3e214c3724037bb7ad Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith [Google]" Date: Sun, 13 Nov 2022 04:04:47 +0000 Subject: [PATCH 1/2] Switch multiprocessing socket auth to hmac-sha256 This avoids using MD5. Even though hmac-md5 in the use case here was never really a problematic use of md5, it is easier never to have such questions asked. --- Lib/multiprocessing/connection.py | 4 ++-- Lib/test/_test_multiprocessing.py | 14 +++++++------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py index b08144f7a1a169..d1eeca01f30b0f 100644 --- a/Lib/multiprocessing/connection.py +++ b/Lib/multiprocessing/connection.py @@ -735,7 +735,7 @@ def deliver_challenge(connection, authkey): "Authkey must be bytes, not {0!s}".format(type(authkey))) message = os.urandom(MESSAGE_LENGTH) connection.send_bytes(CHALLENGE + message) - digest = hmac.new(authkey, message, 'md5').digest() + digest = hmac.new(authkey, message, 'sha256').digest() response = connection.recv_bytes(256) # reject large message if response == digest: connection.send_bytes(WELCOME) @@ -751,7 +751,7 @@ def answer_challenge(connection, authkey): message = connection.recv_bytes(256) # reject large message assert message[:len(CHALLENGE)] == CHALLENGE, 'message = %r' % message message = message[len(CHALLENGE):] - digest = hmac.new(authkey, message, 'md5').digest() + digest = hmac.new(authkey, message, 'sha256').digest() connection.send_bytes(digest) response = connection.recv_bytes(256) # reject large message if response != WELCOME: diff --git a/Lib/test/_test_multiprocessing.py b/Lib/test/_test_multiprocessing.py index a66f4f5b897cd3..6ba0e402dabcbf 100644 --- a/Lib/test/_test_multiprocessing.py +++ b/Lib/test/_test_multiprocessing.py @@ -3042,7 +3042,7 @@ def test_remote(self): del queue -@hashlib_helper.requires_hashdigest('md5') +@hashlib_helper.requires_hashdigest('sha256') class _TestManagerRestart(BaseTestCase): @classmethod @@ -3531,7 +3531,7 @@ def test_dont_merge(self): # @unittest.skipUnless(HAS_REDUCTION, "test needs multiprocessing.reduction") -@hashlib_helper.requires_hashdigest('md5') +@hashlib_helper.requires_hashdigest('sha256') class _TestPicklingConnections(BaseTestCase): ALLOWED_TYPES = ('processes',) @@ -3834,7 +3834,7 @@ def test_copy(self): @unittest.skipUnless(HAS_SHMEM, "requires multiprocessing.shared_memory") -@hashlib_helper.requires_hashdigest('md5') +@hashlib_helper.requires_hashdigest('sha256') class _TestSharedMemory(BaseTestCase): ALLOWED_TYPES = ('processes',) @@ -4636,7 +4636,7 @@ def test_invalid_handles(self): -@hashlib_helper.requires_hashdigest('md5') +@hashlib_helper.requires_hashdigest('sha256') class OtherTest(unittest.TestCase): # TODO: add more tests for deliver/answer challenge. def test_deliver_challenge_auth_failure(self): @@ -4673,7 +4673,7 @@ def send_bytes(self, data): def initializer(ns): ns.test += 1 -@hashlib_helper.requires_hashdigest('md5') +@hashlib_helper.requires_hashdigest('sha256') class TestInitializers(unittest.TestCase): def setUp(self): self.mgr = multiprocessing.Manager() @@ -5533,7 +5533,7 @@ def is_alive(self): any(process.is_alive() for process in forked_processes)) -@hashlib_helper.requires_hashdigest('md5') +@hashlib_helper.requires_hashdigest('sha256') class TestSyncManagerTypes(unittest.TestCase): """Test all the types which can be shared between a parent and a child process by using a manager which acts as an intermediary @@ -5965,7 +5965,7 @@ def install_tests_in_module_dict(remote_globs, start_method): class Temp(base, Mixin, unittest.TestCase): pass if type_ == 'manager': - Temp = hashlib_helper.requires_hashdigest('md5')(Temp) + Temp = hashlib_helper.requires_hashdigest('sha256')(Temp) Temp.__name__ = Temp.__qualname__ = newname Temp.__module__ = __module__ remote_globs[newname] = Temp From b582d6b0df89fc87a81ba0849a95729d09a07d51 Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith [Google]" Date: Sun, 13 Nov 2022 04:08:50 +0000 Subject: [PATCH 2/2] news entry --- .../next/Library/2022-11-13-04-08-19.gh-issue-61460.tgIuKy.rst | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 Misc/NEWS.d/next/Library/2022-11-13-04-08-19.gh-issue-61460.tgIuKy.rst diff --git a/Misc/NEWS.d/next/Library/2022-11-13-04-08-19.gh-issue-61460.tgIuKy.rst b/Misc/NEWS.d/next/Library/2022-11-13-04-08-19.gh-issue-61460.tgIuKy.rst new file mode 100644 index 00000000000000..8df34a55d83167 --- /dev/null +++ b/Misc/NEWS.d/next/Library/2022-11-13-04-08-19.gh-issue-61460.tgIuKy.rst @@ -0,0 +1,2 @@ +The socket authentication shared secret confirmation handshake used +internally by multiprocessing has been changed from hmac-md5 to hmac-sha256.