Support OpenSSL FIPS mode

Disable the builtin hashlib hashes except blake2
2024-01-18 16:44:31 +01:00 · 2024-01-18 16:44:31 +01:00 · 5d0db014f8
commit 5d0db014f8
parent 5ce5d3f07a
2 changed files with 1119 additions and 9 deletions
--- a/00329-fips.patch
+++ b/00329-fips.patch
--- a/python3.12.spec
+++ b/python3.12.spec
@ -20,7 +20,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: Python


@ -348,6 +348,21 @@ Source11: idle3.appdata.xml
 # pypa/distutils integration: https://github.com/pypa/distutils/pull/70
 Patch251: 00251-change-user-install-location.patch

+# 00329 #
+# Support OpenSSL FIPS mode
+# - In FIPS mode, OpenSSL wrappers are always used in hashlib
+# - The "usedforsecurity" keyword argument can be used to the various digest
+#   algorithms in hashlib so that you can whitelist a callsite with
+#   "usedforsecurity=False"
+# - OpenSSL wrappers for the hashes blake2{b512,s256},
+# - In FIPS mode, the blake2 hashes use OpenSSL wrappers
+#   and do not offer extended functionality (keys, tree hashing, custom digest size)
+#
+# - In FIPS mode, hmac.HMAC can only be instantiated with an OpenSSL wrapper
+#   or a string with OpenSSL hash name as the "digestmod" argument.
+#   The argument must be specified (instead of defaulting to ‘md5’).
+Patch329: 00329-fips.patch
+
 # 00371 # d917a50238c94c652bc30ae9061d65f60cc8accd
 # Revert "bpo-1596321: Fix threading._shutdown() for the main thread (GH-28549) (GH-28589)"
 #
@ -842,6 +857,7 @@ BuildPython() {
  --with-dtrace \
  --with-lto \
  --with-ssl-default-suites=openssl \
+  --with-builtin-hashlib-hashes=blake2 \
  --without-static-libpython \
 %if %{with rpmwheels}
  --with-wheel-pkg-dir=%{python_wheel_dir} \
@ -1435,10 +1451,6 @@ fi
 %{pylibdir}/pydoc_data

 %{dynload_dir}/_blake2.%{SOABI_optimized}.so
-%{dynload_dir}/_md5.%{SOABI_optimized}.so
-%{dynload_dir}/_sha1.%{SOABI_optimized}.so
-%{dynload_dir}/_sha2.%{SOABI_optimized}.so
-%{dynload_dir}/_sha3.%{SOABI_optimized}.so

 %{dynload_dir}/_asyncio.%{SOABI_optimized}.so
 %{dynload_dir}/_bisect.%{SOABI_optimized}.so
@ -1730,10 +1742,6 @@ fi
 # ...with debug builds of the built-in "extension" modules:

 %{dynload_dir}/_blake2.%{SOABI_debug}.so
-%{dynload_dir}/_md5.%{SOABI_debug}.so
-%{dynload_dir}/_sha1.%{SOABI_debug}.so
-%{dynload_dir}/_sha2.%{SOABI_debug}.so
-%{dynload_dir}/_sha3.%{SOABI_debug}.so

 %{dynload_dir}/_asyncio.%{SOABI_debug}.so
 %{dynload_dir}/_bisect.%{SOABI_debug}.so
@ -1862,6 +1870,10 @@ fi
 # ======================================================

 %changelog
+* Thu Jan 18 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.12.1-3
+- Support OpenSSL FIPS mode
+- Disable the builtin hashlib hashes except blake2
+
 * Wed Dec 20 2023 Charalampos Stratakis <cstratak@redhat.com> - 3.12.1-2
 - Disable bootstrap