Add preliminary FIPS mode patch

Related: rhbz#1942527
2021-09-03 17:38:09 +02:00 · 2021-09-03 17:38:09 +02:00 · 7e5d89a573
commit 7e5d89a573
parent d7c19675f3
2 changed files with 1248 additions and 1 deletions
--- a/00329-fips.patch
+++ b/00329-fips.patch
--- a/python3.9.spec
+++ b/python3.9.spec
@ -17,7 +17,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: Python


@ -353,6 +353,20 @@ Patch251: 00251-change-user-install-location.patch
 # Ideally, we should talk to upstream and explain why we don't want this
 Patch328: 00328-pyc-timestamp-invalidation-mode.patch

+# 00329 #
+# Support OpenSSL FIPS mode
+# - In FIPS mode, OpenSSL wrappers are always used in hashlib
+# - The "usedforsecurity" keyword argument can be used to the various digest
+#   algorithms in hashlib so that you can whitelist a callsite with
+#   "usedforsecurity=False"
+# - OpenSSL wrappers for the hashes blake2{b512,s256},
+# - In FIPS mode, the blake2 hashes use OpenSSL wrappers
+#   and do not offer extended functionality (keys, tree hashing, custom digest size)
+#
+# - The patch, in its current state, is in a preliminary form to set the groundwork
+#   for refining Python's FIPS compatibility until OpenSSL is FIPS ready.
+Patch329: 00329-fips.patch
+
 # 00353 # ab4cc97b643cfe99f567e3a03e5617b507183771
 # Original names for architectures with different names downstream
 #
@ -1772,6 +1786,10 @@ CheckPython optimized
 # ======================================================

 %changelog
+* Fri Sep 03 2021 Charalampos Stratakis <cstratak@redhat.com> - 3.9.6-7
+- Add preliminary FIPS mode patch
+Related: rhbz#1942527
+
 * Thu Aug 19 2021 DJ Delorie <dj@redhat.com> - 3.9.6-6
 - Rebuilt for libffi 3.4.2 SONAME transition.
  Related: rhbz#1891914