From bb10d28d6b0106702fa9f3eac2c77a9c4889b843 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 16 May 2023 06:12:19 +0000 Subject: [PATCH] import python38-3.8.16-1.module+el8.8.0+17624+9a09af5a --- .gitignore | 1 + .python38.metadata | 1 + SOURCES/00001-rpath.patch | 33 + SOURCES/00102-lib64.patch | 261 + SOURCES/00111-no-static-lib.patch | 78 + SOURCES/00189-use-rpm-wheels.patch | 76 + .../00251-change-user-install-location.patch | 64 + ...0328-pyc-timestamp-invalidation-mode.patch | 55 + SOURCES/00329-fips.patch | 7146 +++++++++++++++++ ...chitecture-names-upstream-downstream.patch | 97 + SOURCES/00359-CVE-2021-23336.patch | 567 ++ SOURCES/00378-support-expat-2-4-5.patch | 36 + SOURCES/check-pyc-timestamps.py | 55 + SOURCES/get-source.sh | 28 + SOURCES/idle3.appdata.xml | 35 + SOURCES/idle3.desktop | 11 + SOURCES/macros.python38 | 6 + SPECS/python38.spec | 3202 ++++++++ 18 files changed, 11752 insertions(+) create mode 100644 .gitignore create mode 100644 .python38.metadata create mode 100644 SOURCES/00001-rpath.patch create mode 100644 SOURCES/00102-lib64.patch create mode 100644 SOURCES/00111-no-static-lib.patch create mode 100644 SOURCES/00189-use-rpm-wheels.patch create mode 100644 SOURCES/00251-change-user-install-location.patch create mode 100644 SOURCES/00328-pyc-timestamp-invalidation-mode.patch create mode 100644 SOURCES/00329-fips.patch create mode 100644 SOURCES/00353-architecture-names-upstream-downstream.patch create mode 100644 SOURCES/00359-CVE-2021-23336.patch create mode 100644 SOURCES/00378-support-expat-2-4-5.patch create mode 100644 SOURCES/check-pyc-timestamps.py create mode 100755 SOURCES/get-source.sh create mode 100644 SOURCES/idle3.appdata.xml create mode 100644 SOURCES/idle3.desktop create mode 100644 SOURCES/macros.python38 create mode 100644 SPECS/python38.spec diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..65d9de8 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/Python-3.8.16-noexe.tar.xz diff --git a/.python38.metadata b/.python38.metadata new file mode 100644 index 0000000..596d6f6 --- /dev/null +++ b/.python38.metadata @@ -0,0 +1 @@ +ec97523b167d5b0e915b37e58f03da6384b15caa SOURCES/Python-3.8.16-noexe.tar.xz diff --git a/SOURCES/00001-rpath.patch b/SOURCES/00001-rpath.patch new file mode 100644 index 0000000..15f95a9 --- /dev/null +++ b/SOURCES/00001-rpath.patch @@ -0,0 +1,33 @@ +From 08c67bfedd07ebec54f5087b59045b8c78fa2a6d Mon Sep 17 00:00:00 2001 +From: David Malcolm +Date: Wed, 13 Jan 2010 21:25:18 +0000 +Subject: [PATCH] 00001: Fixup distutils/unixccompiler.py to remove standard + library path from rpath Was Patch0 in ivazquez' python3000 specfile + +--- + Lib/distutils/unixccompiler.py | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/Lib/distutils/unixccompiler.py b/Lib/distutils/unixccompiler.py +index 4d7a6de740..353086a648 100644 +--- a/Lib/distutils/unixccompiler.py ++++ b/Lib/distutils/unixccompiler.py +@@ -82,6 +82,15 @@ class UnixCCompiler(CCompiler): + if sys.platform == "cygwin": + exe_extension = ".exe" + ++ def _fix_lib_args(self, libraries, library_dirs, runtime_library_dirs): ++ """Remove standard library path from rpath""" ++ libraries, library_dirs, runtime_library_dirs = super()._fix_lib_args( ++ libraries, library_dirs, runtime_library_dirs) ++ libdir = sysconfig.get_config_var('LIBDIR') ++ if runtime_library_dirs and (libdir in runtime_library_dirs): ++ runtime_library_dirs.remove(libdir) ++ return libraries, library_dirs, runtime_library_dirs ++ + def preprocess(self, source, output_file=None, macros=None, + include_dirs=None, extra_preargs=None, extra_postargs=None): + fixed_args = self._fix_compile_args(None, macros, include_dirs) +-- +2.26.2 + diff --git a/SOURCES/00102-lib64.patch b/SOURCES/00102-lib64.patch new file mode 100644 index 0000000..5acaf5c --- /dev/null +++ b/SOURCES/00102-lib64.patch @@ -0,0 +1,261 @@ +From be6b9803109c3702dbff0ed8b0953913206008ca Mon Sep 17 00:00:00 2001 +From: David Malcolm +Date: Wed, 13 Jan 2010 21:25:18 +0000 +Subject: [PATCH] 00102: Change the various install paths to use /usr/lib64/ + instead or /usr/lib/ +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Only used when "%{_lib}" == "lib64". + +Co-authored-by: David Malcolm +Co-authored-by: Thomas Spura +Co-authored-by: Slavek Kabrda +Co-authored-by: Matej Stuchlik +Co-authored-by: Tomas Orsava +Co-authored-by: Charalampos Stratakis +Co-authored-by: Petr Viktorin +Co-authored-by: Miro Hrončok +Co-authored-by: Iryna Shcherbina +--- + Lib/distutils/command/install.py | 4 ++-- + Lib/distutils/sysconfig.py | 6 +++++- + Lib/distutils/tests/test_install.py | 3 ++- + Lib/site.py | 4 ++++ + Lib/sysconfig.py | 12 ++++++------ + Lib/test/test_site.py | 4 ++-- + Makefile.pre.in | 2 +- + Modules/getpath.c | 6 +++--- + configure | 4 ++-- + configure.ac | 4 ++-- + setup.py | 6 +++--- + 11 files changed, 32 insertions(+), 23 deletions(-) + +diff --git a/Lib/distutils/command/install.py b/Lib/distutils/command/install.py +index c625c95bf7..ae4f915669 100644 +--- a/Lib/distutils/command/install.py ++++ b/Lib/distutils/command/install.py +@@ -30,14 +30,14 @@ WINDOWS_SCHEME = { + INSTALL_SCHEMES = { + 'unix_prefix': { + 'purelib': '$base/lib/python$py_version_short/site-packages', +- 'platlib': '$platbase/lib/python$py_version_short/site-packages', ++ 'platlib': '$platbase/lib64/python$py_version_short/site-packages', + 'headers': '$base/include/python$py_version_short$abiflags/$dist_name', + 'scripts': '$base/bin', + 'data' : '$base', + }, + 'unix_home': { + 'purelib': '$base/lib/python', +- 'platlib': '$base/lib/python', ++ 'platlib': '$base/lib64/python', + 'headers': '$base/include/python/$dist_name', + 'scripts': '$base/bin', + 'data' : '$base', +diff --git a/Lib/distutils/sysconfig.py b/Lib/distutils/sysconfig.py +index b51629eb94..9a4892a737 100644 +--- a/Lib/distutils/sysconfig.py ++++ b/Lib/distutils/sysconfig.py +@@ -146,8 +146,12 @@ def get_python_lib(plat_specific=0, standard_lib=0, prefix=None): + prefix = plat_specific and EXEC_PREFIX or PREFIX + + if os.name == "posix": ++ if plat_specific or standard_lib: ++ lib = "lib64" ++ else: ++ lib = "lib" + libpython = os.path.join(prefix, +- "lib", "python" + get_python_version()) ++ lib, "python" + get_python_version()) + if standard_lib: + return libpython + else: +diff --git a/Lib/distutils/tests/test_install.py b/Lib/distutils/tests/test_install.py +index 287ab1989e..d4c05e0ab1 100644 +--- a/Lib/distutils/tests/test_install.py ++++ b/Lib/distutils/tests/test_install.py +@@ -57,8 +57,9 @@ class InstallTestCase(support.TempdirManager, + self.assertEqual(got, expected) + + libdir = os.path.join(destination, "lib", "python") ++ platlibdir = os.path.join(destination, "lib64", "python") + check_path(cmd.install_lib, libdir) +- check_path(cmd.install_platlib, libdir) ++ check_path(cmd.install_platlib, platlibdir) + check_path(cmd.install_purelib, libdir) + check_path(cmd.install_headers, + os.path.join(destination, "include", "python", "foopkg")) +diff --git a/Lib/site.py b/Lib/site.py +index a065ab0b5d..22d53fa562 100644 +--- a/Lib/site.py ++++ b/Lib/site.py +@@ -335,11 +335,15 @@ def getsitepackages(prefixes=None): + seen.add(prefix) + + if os.sep == '/': ++ sitepackages.append(os.path.join(prefix, "lib64", ++ "python" + sys.version[:3], ++ "site-packages")) + sitepackages.append(os.path.join(prefix, "lib", + "python%d.%d" % sys.version_info[:2], + "site-packages")) + else: + sitepackages.append(prefix) ++ sitepackages.append(os.path.join(prefix, "lib64", "site-packages")) + sitepackages.append(os.path.join(prefix, "lib", "site-packages")) + return sitepackages + +diff --git a/Lib/sysconfig.py b/Lib/sysconfig.py +index b9e2fafbc0..0ae6d35b69 100644 +--- a/Lib/sysconfig.py ++++ b/Lib/sysconfig.py +@@ -20,10 +20,10 @@ __all__ = [ + + _INSTALL_SCHEMES = { + 'posix_prefix': { +- 'stdlib': '{installed_base}/lib/python{py_version_short}', +- 'platstdlib': '{platbase}/lib/python{py_version_short}', ++ 'stdlib': '{installed_base}/lib64/python{py_version_short}', ++ 'platstdlib': '{platbase}/lib64/python{py_version_short}', + 'purelib': '{base}/lib/python{py_version_short}/site-packages', +- 'platlib': '{platbase}/lib/python{py_version_short}/site-packages', ++ 'platlib': '{platbase}/lib64/python{py_version_short}/site-packages', + 'include': + '{installed_base}/include/python{py_version_short}{abiflags}', + 'platinclude': +@@ -62,10 +62,10 @@ _INSTALL_SCHEMES = { + 'data': '{userbase}', + }, + 'posix_user': { +- 'stdlib': '{userbase}/lib/python{py_version_short}', +- 'platstdlib': '{userbase}/lib/python{py_version_short}', ++ 'stdlib': '{userbase}/lib64/python{py_version_short}', ++ 'platstdlib': '{userbase}/lib64/python{py_version_short}', + 'purelib': '{userbase}/lib/python{py_version_short}/site-packages', +- 'platlib': '{userbase}/lib/python{py_version_short}/site-packages', ++ 'platlib': '{userbase}/lib64/python{py_version_short}/site-packages', + 'include': '{userbase}/include/python{py_version_short}', + 'scripts': '{userbase}/bin', + 'data': '{userbase}', +diff --git a/Lib/test/test_site.py b/Lib/test/test_site.py +index 1bbc697936..9a7e80dfa0 100644 +--- a/Lib/test/test_site.py ++++ b/Lib/test/test_site.py +@@ -267,8 +267,8 @@ class HelperFunctionsTests(unittest.TestCase): + dirs = site.getsitepackages() + if os.sep == '/': + # OS X, Linux, FreeBSD, etc +- self.assertEqual(len(dirs), 1) +- wanted = os.path.join('xoxo', 'lib', ++ self.assertEqual(len(dirs), 2) ++ wanted = os.path.join('xoxo', 'lib64', + 'python%d.%d' % sys.version_info[:2], + 'site-packages') + self.assertEqual(dirs[0], wanted) +diff --git a/Makefile.pre.in b/Makefile.pre.in +index a914a9c70f..406a441082 100644 +--- a/Makefile.pre.in ++++ b/Makefile.pre.in +@@ -143,7 +143,7 @@ LIBDIR= @libdir@ + MANDIR= @mandir@ + INCLUDEDIR= @includedir@ + CONFINCLUDEDIR= $(exec_prefix)/include +-SCRIPTDIR= $(prefix)/lib ++SCRIPTDIR= $(prefix)/lib64 + ABIFLAGS= @ABIFLAGS@ + + # Detailed destination directories +diff --git a/Modules/getpath.c b/Modules/getpath.c +index b727f66953..a0c5fb6139 100644 +--- a/Modules/getpath.c ++++ b/Modules/getpath.c +@@ -730,7 +730,7 @@ calculate_exec_prefix(PyCalculatePath *calculate, _PyPathConfig *pathconfig, + if (safe_wcscpy(exec_prefix, calculate->exec_prefix, exec_prefix_len) < 0) { + return PATHLEN_ERR(); + } +- status = joinpath(exec_prefix, L"lib/lib-dynload", exec_prefix_len); ++ status = joinpath(exec_prefix, L"lib64/lib-dynload", exec_prefix_len); + if (_PyStatus_EXCEPTION(status)) { + return status; + } +@@ -1067,7 +1067,7 @@ calculate_zip_path(PyCalculatePath *calculate, const wchar_t *prefix, + return PATHLEN_ERR(); + } + } +- status = joinpath(zip_path, L"lib/python00.zip", zip_path_len); ++ status = joinpath(zip_path, L"lib64/python00.zip", zip_path_len); + if (_PyStatus_EXCEPTION(status)) { + return status; + } +@@ -1197,7 +1197,7 @@ calculate_init(PyCalculatePath *calculate, const PyConfig *config) + if (!calculate->exec_prefix) { + return DECODE_LOCALE_ERR("EXEC_PREFIX define", len); + } +- calculate->lib_python = Py_DecodeLocale("lib/python" VERSION, &len); ++ calculate->lib_python = Py_DecodeLocale("lib64/python" VERSION, &len); + if (!calculate->lib_python) { + return DECODE_LOCALE_ERR("EXEC_PREFIX define", len); + } +diff --git a/configure b/configure +index 8886561645..78867c6ffc 100755 +--- a/configure ++++ b/configure +@@ -15214,9 +15214,9 @@ fi + + + if test x$PLATFORM_TRIPLET = x; then +- LIBPL='$(prefix)'"/lib/python${VERSION}/config-${LDVERSION}" ++ LIBPL='$(prefix)'"/lib64/python${VERSION}/config-${LDVERSION}" + else +- LIBPL='$(prefix)'"/lib/python${VERSION}/config-${LDVERSION}-${PLATFORM_TRIPLET}" ++ LIBPL='$(prefix)'"/lib64/python${VERSION}/config-${LDVERSION}-${PLATFORM_TRIPLET}" + fi + + +diff --git a/configure.ac b/configure.ac +index d8de9d4943..477a5ff1cb 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -4689,9 +4689,9 @@ fi + dnl define LIBPL after ABIFLAGS and LDVERSION is defined. + AC_SUBST(PY_ENABLE_SHARED) + if test x$PLATFORM_TRIPLET = x; then +- LIBPL='$(prefix)'"/lib/python${VERSION}/config-${LDVERSION}" ++ LIBPL='$(prefix)'"/lib64/python${VERSION}/config-${LDVERSION}" + else +- LIBPL='$(prefix)'"/lib/python${VERSION}/config-${LDVERSION}-${PLATFORM_TRIPLET}" ++ LIBPL='$(prefix)'"/lib64/python${VERSION}/config-${LDVERSION}-${PLATFORM_TRIPLET}" + fi + AC_SUBST(LIBPL) + +diff --git a/setup.py b/setup.py +index b168ed4082..8628b9d1cd 100644 +--- a/setup.py ++++ b/setup.py +@@ -649,7 +649,7 @@ class PyBuildExt(build_ext): + # directories (i.e. '.' and 'Include') must be first. See issue + # 10520. + if not CROSS_COMPILING: +- add_dir_to_list(self.compiler.library_dirs, '/usr/local/lib') ++ add_dir_to_list(self.compiler.library_dirs, '/usr/local/lib64') + add_dir_to_list(self.compiler.include_dirs, '/usr/local/include') + # only change this for cross builds for 3.3, issues on Mageia + if CROSS_COMPILING: +@@ -953,11 +953,11 @@ class PyBuildExt(build_ext): + elif curses_library: + readline_libs.append(curses_library) + elif self.compiler.find_library_file(self.lib_dirs + +- ['/usr/lib/termcap'], ++ ['/usr/lib64/termcap'], + 'termcap'): + readline_libs.append('termcap') + self.add(Extension('readline', ['readline.c'], +- library_dirs=['/usr/lib/termcap'], ++ library_dirs=['/usr/lib64/termcap'], + extra_link_args=readline_extra_link_args, + libraries=readline_libs)) + else: +-- +2.26.2 + diff --git a/SOURCES/00111-no-static-lib.patch b/SOURCES/00111-no-static-lib.patch new file mode 100644 index 0000000..ed8ca3e --- /dev/null +++ b/SOURCES/00111-no-static-lib.patch @@ -0,0 +1,78 @@ +From 50236468e82a7a19ed3dd7e13cb922e7d3e0ff7f Mon Sep 17 00:00:00 2001 +From: David Malcolm +Date: Mon, 18 Jan 2010 17:59:07 +0000 +Subject: [PATCH] 00111: Don't try to build a libpythonMAJOR.MINOR.a +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Downstream only: not appropriate for upstream. + +See https://bugzilla.redhat.com/show_bug.cgi?id=556092 + +Co-authored-by: David Malcolm +Co-authored-by: Bohuslav Kabrda +Co-authored-by: Matej Stuchlik +Co-authored-by: Robert Kuska +Co-authored-by: Charalampos Stratakis +Co-authored-by: Miro Hrončok +--- + Makefile.pre.in | 21 ++------------------- + 1 file changed, 2 insertions(+), 19 deletions(-) + +diff --git a/Makefile.pre.in b/Makefile.pre.in +index 406a441082..917303dd92 100644 +--- a/Makefile.pre.in ++++ b/Makefile.pre.in +@@ -562,7 +562,7 @@ clinic: check-clean-src $(srcdir)/Modules/_blake2/blake2s_impl.c + $(PYTHON_FOR_REGEN) $(srcdir)/Tools/clinic/clinic.py --make --srcdir $(srcdir) + + # Build the interpreter +-$(BUILDPYTHON): Programs/python.o $(LIBRARY) $(LDLIBRARY) $(PY3LIBRARY) ++$(BUILDPYTHON): Programs/python.o $(LDLIBRARY) $(PY3LIBRARY) + $(LINKCC) $(PY_CORE_LDFLAGS) $(LINKFORSHARED) -o $@ Programs/python.o $(BLDLIBRARY) $(LIBS) $(MODLIBS) $(SYSLIBS) + + platform: $(BUILDPYTHON) pybuilddir.txt +@@ -610,12 +610,6 @@ sharedmods: $(BUILDPYTHON) pybuilddir.txt Modules/_math.o + _TCLTK_INCLUDES='$(TCLTK_INCLUDES)' _TCLTK_LIBS='$(TCLTK_LIBS)' \ + $(PYTHON_FOR_BUILD) $(srcdir)/setup.py $$quiet build + +- +-# Build static library +-$(LIBRARY): $(LIBRARY_OBJS) +- -rm -f $@ +- $(AR) $(ARFLAGS) $@ $(LIBRARY_OBJS) +- + libpython$(LDVERSION).so: $(LIBRARY_OBJS) $(DTRACE_OBJS) + if test $(INSTSONAME) != $(LDLIBRARY); then \ + $(BLDSHARED) -Wl,-h$(INSTSONAME) -o $(INSTSONAME) $(LIBRARY_OBJS) $(MODLIBS) $(SHLIBS) $(LIBC) $(LIBM); \ +@@ -693,7 +687,7 @@ Makefile Modules/config.c: Makefile.pre \ + @echo "The Makefile was updated, you may need to re-run make." + + +-Programs/_testembed: Programs/_testembed.o $(LIBRARY) $(LDLIBRARY) $(PY3LIBRARY) ++Programs/_testembed: Programs/_testembed.o $(LDLIBRARY) $(PY3LIBRARY) + $(LINKCC) $(PY_CORE_LDFLAGS) $(LINKFORSHARED) -o $@ Programs/_testembed.o $(BLDLIBRARY) $(LIBS) $(MODLIBS) $(SYSLIBS) + + ############################################################################ +@@ -1557,17 +1551,6 @@ libainstall: @DEF_MAKE_RULE@ python-config + else true; \ + fi; \ + done +- @if test -d $(LIBRARY); then :; else \ +- if test "$(PYTHONFRAMEWORKDIR)" = no-framework; then \ +- if test "$(SHLIB_SUFFIX)" = .dll; then \ +- $(INSTALL_DATA) $(LDLIBRARY) $(DESTDIR)$(LIBPL) ; \ +- else \ +- $(INSTALL_DATA) $(LIBRARY) $(DESTDIR)$(LIBPL)/$(LIBRARY) ; \ +- fi; \ +- else \ +- echo Skip install of $(LIBRARY) - use make frameworkinstall; \ +- fi; \ +- fi + $(INSTALL_DATA) Modules/config.c $(DESTDIR)$(LIBPL)/config.c + $(INSTALL_DATA) Programs/python.o $(DESTDIR)$(LIBPL)/python.o + $(INSTALL_DATA) $(srcdir)/Modules/config.c.in $(DESTDIR)$(LIBPL)/config.c.in +-- +2.26.2 + diff --git a/SOURCES/00189-use-rpm-wheels.patch b/SOURCES/00189-use-rpm-wheels.patch new file mode 100644 index 0000000..15021bf --- /dev/null +++ b/SOURCES/00189-use-rpm-wheels.patch @@ -0,0 +1,76 @@ +From ff07393a8c9c3d69090a775a8d4b89a3019f71a9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= +Date: Wed, 15 Aug 2018 15:36:29 +0200 +Subject: [PATCH] 00189: Instead of bundled wheels, use our RPM packaged wheels + +We keep them in /usr/share/python-wheels + +Downstream only: upstream bundles +We might eventually pursuit upstream support, but it's low prio +--- + Lib/ensurepip/__init__.py | 36 ++++++++++++++++++++++++++---------- + 1 file changed, 26 insertions(+), 10 deletions(-) + +diff --git a/Lib/ensurepip/__init__.py b/Lib/ensurepip/__init__.py +index b291e9a..798d0f4 100644 +--- a/Lib/ensurepip/__init__.py ++++ b/Lib/ensurepip/__init__.py +@@ -1,6 +1,7 @@ ++import distutils.version ++import glob + import os + import os.path +-import pkgutil + import sys + import runpy + import tempfile +@@ -9,8 +10,26 @@ import subprocess + + __all__ = ["version", "bootstrap"] + _PACKAGE_NAMES = ('setuptools', 'pip') +-_SETUPTOOLS_VERSION = "56.0.0" +-_PIP_VERSION = "22.0.4" ++ ++_WHEEL_DIR = "/usr/share/python38-wheels/" ++ ++_wheels = {} ++ ++def _get_most_recent_wheel_version(pkg): ++ prefix = os.path.join(_WHEEL_DIR, "{}-".format(pkg)) ++ _wheels[pkg] = {} ++ for suffix in "-py2.py3-none-any.whl", "-py3-none-any.whl": ++ pattern = "{}*{}".format(prefix, suffix) ++ for path in glob.glob(pattern): ++ version_str = path[len(prefix):-len(suffix)] ++ _wheels[pkg][version_str] = os.path.basename(path) ++ return str(max(_wheels[pkg], key=distutils.version.LooseVersion)) ++ ++ ++_SETUPTOOLS_VERSION = _get_most_recent_wheel_version("setuptools") ++ ++_PIP_VERSION = _get_most_recent_wheel_version("pip") ++ + _PROJECTS = [ + ("setuptools", _SETUPTOOLS_VERSION, "py3"), + ("pip", _PIP_VERSION, "py3"), +@@ -99,13 +118,10 @@ def _bootstrap(*, root=None, upgrade=False, user=False, + # additional paths that need added to sys.path + additional_paths = [] + for project, version, py_tag in _PROJECTS: +- wheel_name = "{}-{}-{}-none-any.whl".format(project, version, py_tag) +- whl = pkgutil.get_data( +- "ensurepip", +- "_bundled/{}".format(wheel_name), +- ) +- with open(os.path.join(tmpdir, wheel_name), "wb") as fp: +- fp.write(whl) ++ wheel_name = _wheels[project][version] ++ with open(os.path.join(_WHEEL_DIR, wheel_name), "rb") as sfp: ++ with open(os.path.join(tmpdir, wheel_name), "wb") as fp: ++ fp.write(sfp.read()) + + additional_paths.append(os.path.join(tmpdir, wheel_name)) + +-- +2.35.3 + diff --git a/SOURCES/00251-change-user-install-location.patch b/SOURCES/00251-change-user-install-location.patch new file mode 100644 index 0000000..e993c42 --- /dev/null +++ b/SOURCES/00251-change-user-install-location.patch @@ -0,0 +1,64 @@ +From 197b8de27ebcd17fc5dd51426a639950c6f6c284 Mon Sep 17 00:00:00 2001 +From: Michal Cyprian +Date: Mon, 26 Jun 2017 16:32:56 +0200 +Subject: [PATCH] 00251: Change user install location + +Set values of prefix and exec_prefix in distutils install command +to /usr/local if executable is /usr/bin/python* and RPM build +is not detected to make pip and distutils install into separate location. + +Fedora Change: https://fedoraproject.org/wiki/Changes/Making_sudo_pip_safe +--- + Lib/distutils/command/install.py | 15 +++++++++++++-- + Lib/site.py | 9 ++++++++- + 2 files changed, 21 insertions(+), 3 deletions(-) + +diff --git a/Lib/distutils/command/install.py b/Lib/distutils/command/install.py +index ae4f915669..0e4fd5b74a 100644 +--- a/Lib/distutils/command/install.py ++++ b/Lib/distutils/command/install.py +@@ -418,8 +418,19 @@ class install(Command): + raise DistutilsOptionError( + "must not supply exec-prefix without prefix") + +- self.prefix = os.path.normpath(sys.prefix) +- self.exec_prefix = os.path.normpath(sys.exec_prefix) ++ # self.prefix is set to sys.prefix + /local/ ++ # if neither RPM build nor virtual environment is ++ # detected to make pip and distutils install packages ++ # into the separate location. ++ if (not (hasattr(sys, 'real_prefix') or ++ sys.prefix != sys.base_prefix) and ++ 'RPM_BUILD_ROOT' not in os.environ): ++ addition = "/local" ++ else: ++ addition = "" ++ ++ self.prefix = os.path.normpath(sys.prefix) + addition ++ self.exec_prefix = os.path.normpath(sys.exec_prefix) + addition + + else: + if self.exec_prefix is None: +diff --git a/Lib/site.py b/Lib/site.py +index 22d53fa562..9513526109 100644 +--- a/Lib/site.py ++++ b/Lib/site.py +@@ -348,7 +348,14 @@ def getsitepackages(prefixes=None): + return sitepackages + + def addsitepackages(known_paths, prefixes=None): +- """Add site-packages to sys.path""" ++ """Add site-packages to sys.path ++ ++ '/usr/local' is included in PREFIXES if RPM build is not detected ++ to make packages installed into this location visible. ++ ++ """ ++ if ENABLE_USER_SITE and 'RPM_BUILD_ROOT' not in os.environ: ++ PREFIXES.insert(0, "/usr/local") + for sitedir in getsitepackages(prefixes): + if os.path.isdir(sitedir): + addsitedir(sitedir, known_paths) +-- +2.26.2 + diff --git a/SOURCES/00328-pyc-timestamp-invalidation-mode.patch b/SOURCES/00328-pyc-timestamp-invalidation-mode.patch new file mode 100644 index 0000000..2980b2d --- /dev/null +++ b/SOURCES/00328-pyc-timestamp-invalidation-mode.patch @@ -0,0 +1,55 @@ +From aedd897c6371bc54d3b2e2c9420fce6730c2acff Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= +Date: Thu, 11 Jul 2019 13:44:13 +0200 +Subject: [PATCH] 00328: Restore pyc to TIMESTAMP invalidation mode as default + in rpmbuild + +Since Fedora 31, the $SOURCE_DATE_EPOCH is set in rpmbuild to the latest +%changelog date. This makes Python default to the CHECKED_HASH pyc +invalidation mode, bringing more reproducible builds traded for an import +performance decrease. To avoid that, we don't default to CHECKED_HASH +when $RPM_BUILD_ROOT is set (i.e. when we are building RPM packages). + +See https://src.fedoraproject.org/rpms/redhat-rpm-config/pull-request/57#comment-27426 +--- + Lib/py_compile.py | 3 ++- + Lib/test/test_py_compile.py | 2 ++ + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/Lib/py_compile.py b/Lib/py_compile.py +index 21736896af..310bed5620 100644 +--- a/Lib/py_compile.py ++++ b/Lib/py_compile.py +@@ -70,7 +70,8 @@ class PycInvalidationMode(enum.Enum): + + + def _get_default_invalidation_mode(): +- if os.environ.get('SOURCE_DATE_EPOCH'): ++ if (os.environ.get('SOURCE_DATE_EPOCH') and not ++ os.environ.get('RPM_BUILD_ROOT')): + return PycInvalidationMode.CHECKED_HASH + else: + return PycInvalidationMode.TIMESTAMP +diff --git a/Lib/test/test_py_compile.py b/Lib/test/test_py_compile.py +index d4a68c9320..ed09874023 100644 +--- a/Lib/test/test_py_compile.py ++++ b/Lib/test/test_py_compile.py +@@ -17,6 +17,7 @@ def without_source_date_epoch(fxn): + def wrapper(*args, **kwargs): + with support.EnvironmentVarGuard() as env: + env.unset('SOURCE_DATE_EPOCH') ++ env.unset('RPM_BUILD_ROOT') + return fxn(*args, **kwargs) + return wrapper + +@@ -27,6 +28,7 @@ def with_source_date_epoch(fxn): + def wrapper(*args, **kwargs): + with support.EnvironmentVarGuard() as env: + env['SOURCE_DATE_EPOCH'] = '123456789' ++ env.unset('RPM_BUILD_ROOT') + return fxn(*args, **kwargs) + return wrapper + +-- +2.26.2 + diff --git a/SOURCES/00329-fips.patch b/SOURCES/00329-fips.patch new file mode 100644 index 0000000..590bda6 --- /dev/null +++ b/SOURCES/00329-fips.patch @@ -0,0 +1,7146 @@ +From 31ae5d3189a0b8ec07c55df3785d27d769bc90a5 Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Thu, 25 Jul 2019 16:19:52 +0200 +Subject: [PATCH 01/36] Expose OpenSSL FIPS_mode() as hashlib.get_fips_mode() + +--- + Lib/hashlib.py | 5 +++++ + Modules/_hashopenssl.c | 37 +++++++++++++++++++++++++++++++++ + Modules/clinic/_hashopenssl.c.h | 25 +++++++++++++++++++++- + 3 files changed, 66 insertions(+), 1 deletion(-) + +diff --git a/Lib/hashlib.py b/Lib/hashlib.py +index 56873b7..63ae836 100644 +--- a/Lib/hashlib.py ++++ b/Lib/hashlib.py +@@ -243,6 +243,11 @@ try: + except ImportError: + pass + ++try: ++ from _hashlib import get_fips_mode ++except ImportError: ++ pass ++ + + for __func_name in __always_supported: + # try them all, some may not work due to the OpenSSL +diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c +index 93bf25f..2409522 100644 +--- a/Modules/_hashopenssl.c ++++ b/Modules/_hashopenssl.c +@@ -33,6 +33,9 @@ + #include + #include + ++/* Expose FIPS_mode */ ++#include ++ + #ifndef OPENSSL_THREADS + # error "OPENSSL_THREADS is not defined, Python requires thread-safe OpenSSL" + #endif +@@ -1079,12 +1082,46 @@ generate_hash_name_list(void) + return state.set; + } + ++/*[clinic input] ++_hashlib.get_fips_mode ++ ++Determine the OpenSSL FIPS mode of operation. ++ ++Effectively any non-zero return value indicates FIPS mode; ++values other than 1 may have additional significance. ++ ++See OpenSSL documentation for the FIPS_mode() function for details. ++[clinic start generated code]*/ ++ ++static PyObject * ++_hashlib_get_fips_mode_impl(PyObject *module) ++/*[clinic end generated code: output=ad8a7793310d3f98 input=f42a2135df2a5e11]*/ ++ ++{ ++ int result = FIPS_mode(); ++ if (result == 0) { ++ // "If the library was built without support of the FIPS Object Module, ++ // then the function will return 0 with an error code of ++ // CRYPTO_R_FIPS_MODE_NOT_SUPPORTED (0x0f06d065)." ++ // But 0 is also a valid result value. ++ ++ unsigned long errcode = ERR_peek_last_error(); ++ if (errcode) { ++ _setException(PyExc_ValueError); ++ return NULL; ++ } ++ } ++ return PyLong_FromLong(result); ++} ++ ++ + /* List of functions exported by this module */ + + static struct PyMethodDef EVP_functions[] = { + EVP_NEW_METHODDEF + PBKDF2_HMAC_METHODDEF + _HASHLIB_SCRYPT_METHODDEF ++ _HASHLIB_GET_FIPS_MODE_METHODDEF + _HASHLIB_HMAC_DIGEST_METHODDEF + _HASHLIB_OPENSSL_MD5_METHODDEF + _HASHLIB_OPENSSL_SHA1_METHODDEF +diff --git a/Modules/clinic/_hashopenssl.c.h b/Modules/clinic/_hashopenssl.c.h +index 9aaea47..30fd8a9 100644 +--- a/Modules/clinic/_hashopenssl.c.h ++++ b/Modules/clinic/_hashopenssl.c.h +@@ -620,7 +620,30 @@ exit: + return return_value; + } + ++PyDoc_STRVAR(_hashlib_get_fips_mode__doc__, ++"get_fips_mode($module, /)\n" ++"--\n" ++"\n" ++"Determine the OpenSSL FIPS mode of operation.\n" ++"\n" ++"Effectively any non-zero return value indicates FIPS mode;\n" ++"values other than 1 may have additional significance.\n" ++"\n" ++"See OpenSSL documentation for the FIPS_mode() function for details."); ++ ++#define _HASHLIB_GET_FIPS_MODE_METHODDEF \ ++ {"get_fips_mode", (PyCFunction)_hashlib_get_fips_mode, METH_NOARGS, _hashlib_get_fips_mode__doc__}, ++ ++static PyObject * ++_hashlib_get_fips_mode_impl(PyObject *module); ++ ++static PyObject * ++_hashlib_get_fips_mode(PyObject *module, PyObject *Py_UNUSED(ignored)) ++{ ++ return _hashlib_get_fips_mode_impl(module); ++} ++ + #ifndef _HASHLIB_SCRYPT_METHODDEF + #define _HASHLIB_SCRYPT_METHODDEF + #endif /* !defined(_HASHLIB_SCRYPT_METHODDEF) */ +-/*[clinic end generated code: output=38c2637f67e9bb79 input=a9049054013a1b77]*/ ++/*[clinic end generated code: output=5467006d93e7479e input=a9049054013a1b77]*/ +-- +2.38.1 + + +From 9e12b2fdecca4fba5d777923f7742fffb7b6240d Mon Sep 17 00:00:00 2001 +From: Charalampos Stratakis +Date: Thu, 25 Jul 2019 17:04:06 +0200 +Subject: [PATCH 02/36] Use python's fall backs for the crypto it implements + only if we are not in FIPS mode + +--- + Lib/hashlib.py | 207 +++++++++++++++------------------------ + Lib/test/test_hashlib.py | 1 + + 2 files changed, 81 insertions(+), 127 deletions(-) + +diff --git a/Lib/hashlib.py b/Lib/hashlib.py +index 63ae836..1bcfdf9 100644 +--- a/Lib/hashlib.py ++++ b/Lib/hashlib.py +@@ -68,7 +68,6 @@ __all__ = __always_supported + ('new', 'algorithms_guaranteed', + 'algorithms_available', 'pbkdf2_hmac') + + +-__builtin_constructor_cache = {} + + __block_openssl_constructor = { + 'sha3_224', 'sha3_256', 'sha3_384', 'sha3_512', +@@ -76,54 +75,64 @@ __block_openssl_constructor = { + 'blake2b', 'blake2s', + } + +-def __get_builtin_constructor(name): +- cache = __builtin_constructor_cache +- constructor = cache.get(name) +- if constructor is not None: +- return constructor +- try: +- if name in {'SHA1', 'sha1'}: +- import _sha1 +- cache['SHA1'] = cache['sha1'] = _sha1.sha1 +- elif name in {'MD5', 'md5'}: +- import _md5 +- cache['MD5'] = cache['md5'] = _md5.md5 +- elif name in {'SHA256', 'sha256', 'SHA224', 'sha224'}: +- import _sha256 +- cache['SHA224'] = cache['sha224'] = _sha256.sha224 +- cache['SHA256'] = cache['sha256'] = _sha256.sha256 +- elif name in {'SHA512', 'sha512', 'SHA384', 'sha384'}: +- import _sha512 +- cache['SHA384'] = cache['sha384'] = _sha512.sha384 +- cache['SHA512'] = cache['sha512'] = _sha512.sha512 +- elif name in {'blake2b', 'blake2s'}: +- import _blake2 +- cache['blake2b'] = _blake2.blake2b +- cache['blake2s'] = _blake2.blake2s +- elif name in {'sha3_224', 'sha3_256', 'sha3_384', 'sha3_512'}: +- import _sha3 +- cache['sha3_224'] = _sha3.sha3_224 +- cache['sha3_256'] = _sha3.sha3_256 +- cache['sha3_384'] = _sha3.sha3_384 +- cache['sha3_512'] = _sha3.sha3_512 +- elif name in {'shake_128', 'shake_256'}: +- import _sha3 +- cache['shake_128'] = _sha3.shake_128 +- cache['shake_256'] = _sha3.shake_256 +- except ImportError: +- pass # no extension module, this hash is unsupported. +- +- constructor = cache.get(name) +- if constructor is not None: +- return constructor +- +- raise ValueError('unsupported hash type ' + name) ++try: ++ from _hashlib import get_fips_mode ++except ImportError: ++ def get_fips_mode(): ++ return 0 ++ ++if not get_fips_mode(): ++ __builtin_constructor_cache = {} ++ ++ def __get_builtin_constructor(name): ++ cache = __builtin_constructor_cache ++ constructor = cache.get(name) ++ if constructor is not None: ++ return constructor ++ try: ++ if name in {'SHA1', 'sha1'}: ++ import _sha1 ++ cache['SHA1'] = cache['sha1'] = _sha1.sha1 ++ elif name in {'MD5', 'md5'}: ++ import _md5 ++ cache['MD5'] = cache['md5'] = _md5.md5 ++ elif name in {'SHA256', 'sha256', 'SHA224', 'sha224'}: ++ import _sha256 ++ cache['SHA224'] = cache['sha224'] = _sha256.sha224 ++ cache['SHA256'] = cache['sha256'] = _sha256.sha256 ++ elif name in {'SHA512', 'sha512', 'SHA384', 'sha384'}: ++ import _sha512 ++ cache['SHA384'] = cache['sha384'] = _sha512.sha384 ++ cache['SHA512'] = cache['sha512'] = _sha512.sha512 ++ elif name in {'blake2b', 'blake2s'}: ++ import _blake2 ++ cache['blake2b'] = _blake2.blake2b ++ cache['blake2s'] = _blake2.blake2s ++ elif name in {'sha3_224', 'sha3_256', 'sha3_384', 'sha3_512'}: ++ import _sha3 ++ cache['sha3_224'] = _sha3.sha3_224 ++ cache['sha3_256'] = _sha3.sha3_256 ++ cache['sha3_384'] = _sha3.sha3_384 ++ cache['sha3_512'] = _sha3.sha3_512 ++ elif name in {'shake_128', 'shake_256'}: ++ import _sha3 ++ cache['shake_128'] = _sha3.shake_128 ++ cache['shake_256'] = _sha3.shake_256 ++ except ImportError: ++ pass # no extension module, this hash is unsupported. ++ ++ constructor = cache.get(name) ++ if constructor is not None: ++ return constructor ++ ++ raise ValueError('unsupported hash type ' + name) + + + def __get_openssl_constructor(name): +- if name in __block_openssl_constructor: +- # Prefer our blake2 and sha3 implementation. +- return __get_builtin_constructor(name) ++ if not get_fips_mode(): ++ if name in __block_openssl_constructor: ++ # Prefer our blake2 and sha3 implementation. ++ return __get_builtin_constructor(name) + try: + f = getattr(_hashlib, 'openssl_' + name) + # Allow the C module to raise ValueError. The function will be +@@ -132,27 +141,31 @@ def __get_openssl_constructor(name): + # Use the C function directly (very fast) + return f + except (AttributeError, ValueError): ++ if get_fips_mode(): ++ raise + return __get_builtin_constructor(name) + + +-def __py_new(name, data=b'', **kwargs): +- """new(name, data=b'', **kwargs) - Return a new hashing object using the +- named algorithm; optionally initialized with data (which must be +- a bytes-like object). +- """ +- return __get_builtin_constructor(name)(data, **kwargs) ++if not get_fips_mode(): ++ def __py_new(name, data=b'', **kwargs): ++ """new(name, data=b'', **kwargs) - Return a new hashing object using the ++ named algorithm; optionally initialized with data (which must be ++ a bytes-like object). ++ """ ++ return __get_builtin_constructor(name)(data, **kwargs) + + + def __hash_new(name, data=b'', **kwargs): + """new(name, data=b'') - Return a new hashing object using the named algorithm; + optionally initialized with data (which must be a bytes-like object). + """ +- if name in __block_openssl_constructor: +- # Prefer our blake2 and sha3 implementation +- # OpenSSL 1.1.0 comes with a limited implementation of blake2b/s. +- # It does neither support keyed blake2 nor advanced features like +- # salt, personal, tree hashing or SSE. +- return __get_builtin_constructor(name)(data, **kwargs) ++ if not get_fips_mode(): ++ if name in __block_openssl_constructor: ++ # Prefer our blake2 and sha3 implementation ++ # OpenSSL 1.1.0 comes with a limited implementation of blake2b/s. ++ # It does neither support keyed blake2 nor advanced features like ++ # salt, personal, tree hashing or SSE. ++ return __get_builtin_constructor(name)(data, **kwargs) + try: + return _hashlib.new(name, data) + except ValueError: +@@ -160,6 +173,8 @@ def __hash_new(name, data=b'', **kwargs): + # hash, try using our builtin implementations. + # This allows for SHA224/256 and SHA384/512 support even though + # the OpenSSL library prior to 0.9.8 doesn't provide them. ++ if get_fips_mode(): ++ raise + return __get_builtin_constructor(name)(data) + + +@@ -170,72 +185,13 @@ try: + algorithms_available = algorithms_available.union( + _hashlib.openssl_md_meth_names) + except ImportError: ++ if get_fips_mode(): ++ raise + new = __py_new + __get_hash = __get_builtin_constructor + +-try: +- # OpenSSL's PKCS5_PBKDF2_HMAC requires OpenSSL 1.0+ with HMAC and SHA +- from _hashlib import pbkdf2_hmac +-except ImportError: +- _trans_5C = bytes((x ^ 0x5C) for x in range(256)) +- _trans_36 = bytes((x ^ 0x36) for x in range(256)) +- +- def pbkdf2_hmac(hash_name, password, salt, iterations, dklen=None): +- """Password based key derivation function 2 (PKCS #5 v2.0) +- +- This Python implementations based on the hmac module about as fast +- as OpenSSL's PKCS5_PBKDF2_HMAC for short passwords and much faster +- for long passwords. +- """ +- if not isinstance(hash_name, str): +- raise TypeError(hash_name) +- +- if not isinstance(password, (bytes, bytearray)): +- password = bytes(memoryview(password)) +- if not isinstance(salt, (bytes, bytearray)): +- salt = bytes(memoryview(salt)) +- +- # Fast inline HMAC implementation +- inner = new(hash_name) +- outer = new(hash_name) +- blocksize = getattr(inner, 'block_size', 64) +- if len(password) > blocksize: +- password = new(hash_name, password).digest() +- password = password + b'\x00' * (blocksize - len(password)) +- inner.update(password.translate(_trans_36)) +- outer.update(password.translate(_trans_5C)) +- +- def prf(msg, inner=inner, outer=outer): +- # PBKDF2_HMAC uses the password as key. We can re-use the same +- # digest objects and just update copies to skip initialization. +- icpy = inner.copy() +- ocpy = outer.copy() +- icpy.update(msg) +- ocpy.update(icpy.digest()) +- return ocpy.digest() +- +- if iterations < 1: +- raise ValueError(iterations) +- if dklen is None: +- dklen = outer.digest_size +- if dklen < 1: +- raise ValueError(dklen) +- +- dkey = b'' +- loop = 1 +- from_bytes = int.from_bytes +- while len(dkey) < dklen: +- prev = prf(salt + loop.to_bytes(4, 'big')) +- # endianness doesn't matter here as long to / from use the same +- rkey = int.from_bytes(prev, 'big') +- for i in range(iterations - 1): +- prev = prf(prev) +- # rkey = rkey ^ prev +- rkey ^= from_bytes(prev, 'big') +- loop += 1 +- dkey += rkey.to_bytes(inner.digest_size, 'big') +- +- return dkey[:dklen] ++# OpenSSL's PKCS5_PBKDF2_HMAC requires OpenSSL 1.0+ with HMAC and SHA ++from _hashlib import pbkdf2_hmac + + try: + # OpenSSL's scrypt requires OpenSSL 1.1+ +@@ -243,11 +199,6 @@ try: + except ImportError: + pass + +-try: +- from _hashlib import get_fips_mode +-except ImportError: +- pass +- + + for __func_name in __always_supported: + # try them all, some may not work due to the OpenSSL +@@ -261,4 +212,6 @@ for __func_name in __always_supported: + + # Cleanup locals() + del __always_supported, __func_name, __get_hash +-del __py_new, __hash_new, __get_openssl_constructor ++del __hash_new, __get_openssl_constructor ++if not get_fips_mode(): ++ del __py_new +diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py +index e6cec4e..f40cc83 100644 +--- a/Lib/test/test_hashlib.py ++++ b/Lib/test/test_hashlib.py +@@ -954,6 +954,7 @@ class KDFTests(unittest.TestCase): + iterations=1, dklen=None) + self.assertEqual(out, self.pbkdf2_results['sha1'][0][0]) + ++ @unittest.skip("The python implementation of pbkdf2_hmac has been removed") + def test_pbkdf2_hmac_py(self): + self._test_pbkdf2_hmac(py_hashlib.pbkdf2_hmac) + +-- +2.38.1 + + +From a7711c418ea72f9ea18bbb70a2d52ab44489066b Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Thu, 25 Jul 2019 17:19:06 +0200 +Subject: [PATCH 03/36] Disable Python's hash implementations in FIPS mode, + forcing OpenSSL + +--- + Include/_hashopenssl.h | 66 ++++++++++++++++++++++++++++++++++ + Modules/_blake2/blake2b_impl.c | 5 +++ + Modules/_blake2/blake2module.c | 3 ++ + Modules/_blake2/blake2s_impl.c | 5 +++ + Modules/_hashopenssl.c | 37 +------------------ + Modules/_sha3/sha3module.c | 5 +++ + setup.py | 48 +++++++++++++------------ + 7 files changed, 111 insertions(+), 58 deletions(-) + create mode 100644 Include/_hashopenssl.h + +diff --git a/Include/_hashopenssl.h b/Include/_hashopenssl.h +new file mode 100644 +index 0000000..a726c0d +--- /dev/null ++++ b/Include/_hashopenssl.h +@@ -0,0 +1,66 @@ ++#ifndef Py_HASHOPENSSL_H ++#define Py_HASHOPENSSL_H ++ ++#include "Python.h" ++#include ++#include ++ ++/* LCOV_EXCL_START */ ++static PyObject * ++_setException(PyObject *exc) ++{ ++ unsigned long errcode; ++ const char *lib, *func, *reason; ++ ++ errcode = ERR_peek_last_error(); ++ if (!errcode) { ++ PyErr_SetString(exc, "unknown reasons"); ++ return NULL; ++ } ++ ERR_clear_error(); ++ ++ lib = ERR_lib_error_string(errcode); ++ func = ERR_func_error_string(errcode); ++ reason = ERR_reason_error_string(errcode); ++ ++ if (lib && func) { ++ PyErr_Format(exc, "[%s: %s] %s", lib, func, reason); ++ } ++ else if (lib) { ++ PyErr_Format(exc, "[%s] %s", lib, reason); ++ } ++ else { ++ PyErr_SetString(exc, reason); ++ } ++ return NULL; ++} ++/* LCOV_EXCL_STOP */ ++ ++ ++__attribute__((__unused__)) ++static int ++_Py_hashlib_fips_error(char *name) { ++ int result = FIPS_mode(); ++ if (result == 0) { ++ // "If the library was built without support of the FIPS Object Module, ++ // then the function will return 0 with an error code of ++ // CRYPTO_R_FIPS_MODE_NOT_SUPPORTED (0x0f06d065)." ++ // But 0 is also a valid result value. ++ ++ unsigned long errcode = ERR_peek_last_error(); ++ if (errcode) { ++ _setException(PyExc_ValueError); ++ return 1; ++ } ++ return 0; ++ } ++ PyErr_Format(PyExc_ValueError, "%s is not available in FIPS mode", ++ name); ++ return 1; ++} ++ ++#define FAIL_RETURN_IN_FIPS_MODE(name) do { \ ++ if (_Py_hashlib_fips_error(name)) return NULL; \ ++} while (0) ++ ++#endif // !Py_HASHOPENSSL_H +diff --git a/Modules/_blake2/blake2b_impl.c b/Modules/_blake2/blake2b_impl.c +index edab31e..1daf5c3 100644 +--- a/Modules/_blake2/blake2b_impl.c ++++ b/Modules/_blake2/blake2b_impl.c +@@ -14,6 +14,7 @@ + */ + + #include "Python.h" ++#include "_hashopenssl.h" + #include "pystrhex.h" + #include "pythread.h" + +@@ -96,6 +97,8 @@ py_blake2b_new_impl(PyTypeObject *type, PyObject *data, int digest_size, + BLAKE2bObject *self = NULL; + Py_buffer buf; + ++ FAIL_RETURN_IN_FIPS_MODE("_blake2"); ++ + self = new_BLAKE2bObject(type); + if (self == NULL) { + goto error; +@@ -274,6 +277,8 @@ _blake2_blake2b_update(BLAKE2bObject *self, PyObject *data) + { + Py_buffer buf; + ++ FAIL_RETURN_IN_FIPS_MODE("_blake2"); ++ + GET_BUFFER_VIEW_OR_ERROUT(data, &buf); + + if (self->lock == NULL && buf.len >= HASHLIB_GIL_MINSIZE) +diff --git a/Modules/_blake2/blake2module.c b/Modules/_blake2/blake2module.c +index e2a3d42..817b716 100644 +--- a/Modules/_blake2/blake2module.c ++++ b/Modules/_blake2/blake2module.c +@@ -9,6 +9,7 @@ + */ + + #include "Python.h" ++#include "_hashopenssl.h" + + #include "impl/blake2.h" + +@@ -57,6 +58,8 @@ PyInit__blake2(void) + PyObject *m; + PyObject *d; + ++ FAIL_RETURN_IN_FIPS_MODE("blake2"); ++ + m = PyModule_Create(&blake2_module); + if (m == NULL) + return NULL; +diff --git a/Modules/_blake2/blake2s_impl.c b/Modules/_blake2/blake2s_impl.c +index ef2f7e1..389711a 100644 +--- a/Modules/_blake2/blake2s_impl.c ++++ b/Modules/_blake2/blake2s_impl.c +@@ -14,6 +14,7 @@ + */ + + #include "Python.h" ++#include "_hashopenssl.h" + #include "pystrhex.h" + #include "pythread.h" + +@@ -96,6 +97,8 @@ py_blake2s_new_impl(PyTypeObject *type, PyObject *data, int digest_size, + BLAKE2sObject *self = NULL; + Py_buffer buf; + ++ FAIL_RETURN_IN_FIPS_MODE("_blake2"); ++ + self = new_BLAKE2sObject(type); + if (self == NULL) { + goto error; +@@ -274,6 +277,8 @@ _blake2_blake2s_update(BLAKE2sObject *self, PyObject *data) + { + Py_buffer buf; + ++ FAIL_RETURN_IN_FIPS_MODE("_blake2"); ++ + GET_BUFFER_VIEW_OR_ERROUT(data, &buf); + + if (self->lock == NULL && buf.len >= HASHLIB_GIL_MINSIZE) +diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c +index 2409522..a51c502 100644 +--- a/Modules/_hashopenssl.c ++++ b/Modules/_hashopenssl.c +@@ -24,6 +24,7 @@ + #include "structmember.h" + #include "hashlib.h" + #include "pystrhex.h" ++#include "_hashopenssl.h" + + + /* EVP is the preferred interface to hashing in OpenSSL */ +@@ -31,10 +32,6 @@ + #include + /* We use the object interface to discover what hashes OpenSSL supports. */ + #include +-#include +- +-/* Expose FIPS_mode */ +-#include + + #ifndef OPENSSL_THREADS + # error "OPENSSL_THREADS is not defined, Python requires thread-safe OpenSSL" +@@ -76,38 +73,6 @@ class _hashlib.HASH "EVPobject *" "&EVPtype" + [clinic start generated code]*/ + /*[clinic end generated code: output=da39a3ee5e6b4b0d input=a881a5092eecad28]*/ + +- +-/* LCOV_EXCL_START */ +-static PyObject * +-_setException(PyObject *exc) +-{ +- unsigned long errcode; +- const char *lib, *func, *reason; +- +- errcode = ERR_peek_last_error(); +- if (!errcode) { +- PyErr_SetString(exc, "unknown reasons"); +- return NULL; +- } +- ERR_clear_error(); +- +- lib = ERR_lib_error_string(errcode); +- func = ERR_func_error_string(errcode); +- reason = ERR_reason_error_string(errcode); +- +- if (lib && func) { +- PyErr_Format(exc, "[%s: %s] %s", lib, func, reason); +- } +- else if (lib) { +- PyErr_Format(exc, "[%s] %s", lib, reason); +- } +- else { +- PyErr_SetString(exc, reason); +- } +- return NULL; +-} +-/* LCOV_EXCL_STOP */ +- + static PyObject* + py_digest_name(const EVP_MD *md) + { +diff --git a/Modules/_sha3/sha3module.c b/Modules/_sha3/sha3module.c +index c1fb618..34d09b4 100644 +--- a/Modules/_sha3/sha3module.c ++++ b/Modules/_sha3/sha3module.c +@@ -18,6 +18,7 @@ + #include "Python.h" + #include "pystrhex.h" + #include "../hashlib.h" ++#include "_hashopenssl.h" + + /* ************************************************************************** + * SHA-3 (Keccak) and SHAKE +@@ -160,6 +161,7 @@ static PyTypeObject SHAKE256type; + static SHA3object * + newSHA3object(PyTypeObject *type) + { ++ FAIL_RETURN_IN_FIPS_MODE("_sha3"); + SHA3object *newobj; + newobj = (SHA3object *)PyObject_New(SHA3object, type); + if (newobj == NULL) { +@@ -173,6 +175,7 @@ newSHA3object(PyTypeObject *type) + static PyObject * + py_sha3_new(PyTypeObject *type, PyObject *args, PyObject *kwargs) + { ++ FAIL_RETURN_IN_FIPS_MODE("_sha3"); + SHA3object *self = NULL; + Py_buffer buf = {NULL, NULL}; + HashReturn res; +@@ -704,6 +707,8 @@ PyInit__sha3(void) + { + PyObject *m = NULL; + ++ FAIL_RETURN_IN_FIPS_MODE("_sha3"); ++ + if ((m = PyModule_Create(&_SHA3module)) == NULL) { + return NULL; + } +diff --git a/setup.py b/setup.py +index 0b24dd6..f7c4be1 100644 +--- a/setup.py ++++ b/setup.py +@@ -1677,7 +1677,6 @@ class PyBuildExt(build_ext): + def detect_modules(self): + self.configure_compiler() + self.init_inc_lib_dirs() +- + self.detect_simple_extensions() + if TEST_EXTENSIONS: + self.detect_test_extensions() +@@ -2165,7 +2164,7 @@ class PyBuildExt(build_ext): + sources=sources, + depends=depends)) + +- def detect_openssl_hashlib(self): ++ def detect_openssl_args(self): + # Detect SSL support for the socket module (via _ssl) + config_vars = sysconfig.get_config_vars() + +@@ -2186,7 +2185,7 @@ class PyBuildExt(build_ext): + if not openssl_libs: + # libssl and libcrypto not found + self.missing.extend(['_ssl', '_hashlib']) +- return None, None ++ raise ValueError('Cannot build for RHEL without OpenSSL') + + # Find OpenSSL includes + ssl_incs = find_file( +@@ -2194,7 +2193,7 @@ class PyBuildExt(build_ext): + ) + if ssl_incs is None: + self.missing.extend(['_ssl', '_hashlib']) +- return None, None ++ raise ValueError('Cannot build for RHEL without OpenSSL') + + # OpenSSL 1.0.2 uses Kerberos for KRB5 ciphers + krb5_h = find_file( +@@ -2204,12 +2203,24 @@ class PyBuildExt(build_ext): + if krb5_h: + ssl_incs.extend(krb5_h) + ++ ++ ssl_args = { ++ 'include_dirs': openssl_includes, ++ 'library_dirs': openssl_libdirs, ++ 'libraries': ['ssl', 'crypto'], ++ } ++ ++ return ssl_args ++ ++ def detect_openssl_hashlib(self): ++ ++ config_vars = sysconfig.get_config_vars() ++ ++ + if config_vars.get("HAVE_X509_VERIFY_PARAM_SET1_HOST"): + self.add(Extension( + '_ssl', ['_ssl.c'], +- include_dirs=openssl_includes, +- library_dirs=openssl_libdirs, +- libraries=openssl_libs, ++ **self.detect_openssl_args(), + depends=[ + 'socketmodule.h', + '_ssl/debughelpers.c', +@@ -2222,22 +2233,12 @@ class PyBuildExt(build_ext): + + self.add(Extension('_hashlib', ['_hashopenssl.c'], + depends=['hashlib.h'], +- include_dirs=openssl_includes, +- library_dirs=openssl_libdirs, +- libraries=openssl_libs)) ++ **self.detect_openssl_args()) ) + + def detect_hash_builtins(self): +- # We always compile these even when OpenSSL is available (issue #14693). +- # It's harmless and the object code is tiny (40-50 KiB per module, +- # only loaded when actually used). +- self.add(Extension('_sha256', ['sha256module.c'], +- depends=['hashlib.h'])) +- self.add(Extension('_sha512', ['sha512module.c'], +- depends=['hashlib.h'])) +- self.add(Extension('_md5', ['md5module.c'], +- depends=['hashlib.h'])) +- self.add(Extension('_sha1', ['sha1module.c'], +- depends=['hashlib.h'])) ++ # RHEL: Always force OpenSSL for md5, sha1, sha256, sha512; ++ # don't build Python's implementations. ++ # sha3 and blake2 have extra functionality, so do build those: + + blake2_deps = glob(os.path.join(escape(self.srcdir), + 'Modules/_blake2/impl/*')) +@@ -2247,6 +2248,7 @@ class PyBuildExt(build_ext): + ['_blake2/blake2module.c', + '_blake2/blake2b_impl.c', + '_blake2/blake2s_impl.c'], ++ **self.detect_openssl_args(), + depends=blake2_deps)) + + sha3_deps = glob(os.path.join(escape(self.srcdir), +@@ -2254,7 +2256,9 @@ class PyBuildExt(build_ext): + sha3_deps.append('hashlib.h') + self.add(Extension('_sha3', + ['_sha3/sha3module.c'], +- depends=sha3_deps)) ++ **self.detect_openssl_args(), ++ depends=sha3_deps + ['hashlib.h'])) ++ + + def detect_nis(self): + if MS_WINDOWS or CYGWIN or HOST_PLATFORM == 'qnx6': +-- +2.38.1 + + +From 5928affee1e8306877918efc417090512faea14d Mon Sep 17 00:00:00 2001 +From: Charalampos Stratakis +Date: Thu, 12 Dec 2019 16:58:31 +0100 +Subject: [PATCH 04/36] Expose all hashes available to OpenSSL + +--- + Modules/_hashopenssl.c | 150 ++++++++++++++++ + Modules/clinic/_hashopenssl.c.h | 298 +++++++++++++++++++++++++++++++- + 2 files changed, 447 insertions(+), 1 deletion(-) + +diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c +index a51c502..713e15a 100644 +--- a/Modules/_hashopenssl.c ++++ b/Modules/_hashopenssl.c +@@ -201,6 +201,12 @@ py_digest_by_name(const char *name) + else if (!strcmp(name, "blake2b512")) { + digest = EVP_blake2b512(); + } ++ else if (!strcmp(name, "blake2s")) { ++ digest = EVP_blake2s256(); ++ } ++ else if (!strcmp(name, "blake2b")) { ++ digest = EVP_blake2b512(); ++ } + #endif + } + +@@ -719,6 +725,142 @@ _hashlib_openssl_sha512_impl(PyObject *module, PyObject *data_obj) + return EVP_fast_new(module, data_obj, EVP_sha512()); + } + ++/*[clinic input] ++_hashlib.openssl_blake2b ++ ++ string as data_obj: object(py_default="b''") = NULL ++ ++Returns a blake2b hash object; optionally initialized with a string ++ ++[clinic start generated code]*/ ++ ++static PyObject * ++_hashlib_openssl_blake2b_impl(PyObject *module, PyObject *data_obj) ++/*[clinic end generated code: output=0d65acd1d9bb5e3f input=d9e6f84fa97e630d]*/ ++ ++{ ++ return EVP_fast_new(module, data_obj, EVP_blake2b512()); ++} ++ ++/*[clinic input] ++_hashlib.openssl_blake2s ++ ++ string as data_obj: object(py_default="b''") = NULL ++ ++Returns a blake2s hash object; optionally initialized with a string ++ ++[clinic start generated code]*/ ++ ++static PyObject * ++_hashlib_openssl_blake2s_impl(PyObject *module, PyObject *data_obj) ++/*[clinic end generated code: output=0f1330138041ec22 input=f1aec29465fc49c6]*/ ++ ++{ ++ return EVP_fast_new(module, data_obj, EVP_blake2s256()); ++} ++ ++/*[clinic input] ++_hashlib.openssl_sha3_224 ++ ++ string as data_obj: object(py_default="b''") = NULL ++ ++Returns a sha3_224 hash object; optionally initialized with a string ++ ++[clinic start generated code]*/ ++ ++static PyObject * ++_hashlib_openssl_sha3_224_impl(PyObject *module, PyObject *data_obj) ++/*[clinic end generated code: output=e3817bed6ecafc20 input=adc74bf14410af70]*/ ++ ++{ ++ return EVP_fast_new(module, data_obj, EVP_sha3_224()); ++} ++ ++/*[clinic input] ++_hashlib.openssl_sha3_256 ++ ++ string as data_obj: object(py_default="b''") = NULL ++ ++Returns a sha3_256 hash object; optionally initialized with a string ++ ++[clinic start generated code]*/ ++ ++static PyObject * ++_hashlib_openssl_sha3_256_impl(PyObject *module, PyObject *data_obj) ++/*[clinic end generated code: output=9c15fac1ce09cd62 input=2922c3e78ab8bd2d]*/ ++ ++{ ++ return EVP_fast_new(module, data_obj, EVP_sha3_256()); ++} ++ ++/*[clinic input] ++_hashlib.openssl_sha3_384 ++ ++ string as data_obj: object(py_default="b''") = NULL ++ ++Returns a sha3_384 hash object; optionally initialized with a string ++ ++[clinic start generated code]*/ ++ ++static PyObject * ++_hashlib_openssl_sha3_384_impl(PyObject *module, PyObject *data_obj) ++/*[clinic end generated code: output=0923a782b9b81a40 input=742b499c372c8316]*/ ++ ++{ ++ return EVP_fast_new(module, data_obj, EVP_sha3_384()); ++} ++ ++/*[clinic input] ++_hashlib.openssl_sha3_512 ++ ++ string as data_obj: object(py_default="b''") = NULL ++ ++Returns a sha3-512 hash object; optionally initialized with a string ++ ++[clinic start generated code]*/ ++ ++static PyObject * ++_hashlib_openssl_sha3_512_impl(PyObject *module, PyObject *data_obj) ++/*[clinic end generated code: output=34bbe194704dbce4 input=46383f88e59a0385]*/ ++ ++{ ++ return EVP_fast_new(module, data_obj, EVP_sha3_512()); ++} ++ ++/*[clinic input] ++_hashlib.openssl_shake_128 ++ ++ string as data_obj: object(py_default="b''") = NULL ++ ++Returns a shake_128 hash object; optionally initialized with a string ++ ++[clinic start generated code]*/ ++ ++static PyObject * ++_hashlib_openssl_shake_128_impl(PyObject *module, PyObject *data_obj) ++/*[clinic end generated code: output=a6ea5917ce65ef10 input=f256751eb810fdaa]*/ ++ ++{ ++ return EVP_fast_new(module, data_obj, EVP_shake128()); ++} ++ ++/*[clinic input] ++_hashlib.openssl_shake_256 ++ ++ string as data_obj: object(py_default="b''") = NULL ++ ++Returns a shake_256 hash object; optionally initialized with a string ++ ++[clinic start generated code]*/ ++ ++static PyObject * ++_hashlib_openssl_shake_256_impl(PyObject *module, PyObject *data_obj) ++/*[clinic end generated code: output=c91aaa96b000e186 input=d1331313db34116c]*/ ++ ++{ ++ return EVP_fast_new(module, data_obj, EVP_shake256()); ++} ++ + + /*[clinic input] + _hashlib.pbkdf2_hmac as pbkdf2_hmac +@@ -1094,6 +1236,14 @@ static struct PyMethodDef EVP_functions[] = { + _HASHLIB_OPENSSL_SHA256_METHODDEF + _HASHLIB_OPENSSL_SHA384_METHODDEF + _HASHLIB_OPENSSL_SHA512_METHODDEF ++ _HASHLIB_OPENSSL_BLAKE2B_METHODDEF ++ _HASHLIB_OPENSSL_BLAKE2S_METHODDEF ++ _HASHLIB_OPENSSL_SHA3_224_METHODDEF ++ _HASHLIB_OPENSSL_SHA3_256_METHODDEF ++ _HASHLIB_OPENSSL_SHA3_384_METHODDEF ++ _HASHLIB_OPENSSL_SHA3_512_METHODDEF ++ _HASHLIB_OPENSSL_SHAKE_128_METHODDEF ++ _HASHLIB_OPENSSL_SHAKE_256_METHODDEF + {NULL, NULL} /* Sentinel */ + }; + +diff --git a/Modules/clinic/_hashopenssl.c.h b/Modules/clinic/_hashopenssl.c.h +index 30fd8a9..e96a752 100644 +--- a/Modules/clinic/_hashopenssl.c.h ++++ b/Modules/clinic/_hashopenssl.c.h +@@ -331,6 +331,302 @@ exit: + return return_value; + } + ++PyDoc_STRVAR(_hashlib_openssl_blake2b__doc__, ++"openssl_blake2b($module, /, string=b\'\')\n" ++"--\n" ++"\n" ++"Returns a blake2b hash object; optionally initialized with a string"); ++ ++#define _HASHLIB_OPENSSL_BLAKE2B_METHODDEF \ ++ {"openssl_blake2b", (PyCFunction)(void(*)(void))_hashlib_openssl_blake2b, METH_FASTCALL|METH_KEYWORDS, _hashlib_openssl_blake2b__doc__}, ++ ++static PyObject * ++_hashlib_openssl_blake2b_impl(PyObject *module, PyObject *data_obj); ++ ++static PyObject * ++_hashlib_openssl_blake2b(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) ++{ ++ PyObject *return_value = NULL; ++ static const char * const _keywords[] = {"string", NULL}; ++ static _PyArg_Parser _parser = {NULL, _keywords, "openssl_blake2b", 0}; ++ PyObject *argsbuf[1]; ++ Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 0; ++ PyObject *data_obj = NULL; ++ ++ args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 0, 1, 0, argsbuf); ++ if (!args) { ++ goto exit; ++ } ++ if (!noptargs) { ++ goto skip_optional_pos; ++ } ++ data_obj = args[0]; ++skip_optional_pos: ++ return_value = _hashlib_openssl_blake2b_impl(module, data_obj); ++ ++exit: ++ return return_value; ++} ++ ++PyDoc_STRVAR(_hashlib_openssl_blake2s__doc__, ++"openssl_blake2s($module, /, string=b\'\')\n" ++"--\n" ++"\n" ++"Returns a blake2s hash object; optionally initialized with a string"); ++ ++#define _HASHLIB_OPENSSL_BLAKE2S_METHODDEF \ ++ {"openssl_blake2s", (PyCFunction)(void(*)(void))_hashlib_openssl_blake2s, METH_FASTCALL|METH_KEYWORDS, _hashlib_openssl_blake2s__doc__}, ++ ++static PyObject * ++_hashlib_openssl_blake2s_impl(PyObject *module, PyObject *data_obj); ++ ++static PyObject * ++_hashlib_openssl_blake2s(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) ++{ ++ PyObject *return_value = NULL; ++ static const char * const _keywords[] = {"string", NULL}; ++ static _PyArg_Parser _parser = {NULL, _keywords, "openssl_blake2s", 0}; ++ PyObject *argsbuf[1]; ++ Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 0; ++ PyObject *data_obj = NULL; ++ ++ args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 0, 1, 0, argsbuf); ++ if (!args) { ++ goto exit; ++ } ++ if (!noptargs) { ++ goto skip_optional_pos; ++ } ++ data_obj = args[0]; ++skip_optional_pos: ++ return_value = _hashlib_openssl_blake2s_impl(module, data_obj); ++ ++exit: ++ return return_value; ++} ++ ++PyDoc_STRVAR(_hashlib_openssl_sha3_224__doc__, ++"openssl_sha3_224($module, /, string=b\'\')\n" ++"--\n" ++"\n" ++"Returns a sha3_224 hash object; optionally initialized with a string"); ++ ++#define _HASHLIB_OPENSSL_SHA3_224_METHODDEF \ ++ {"openssl_sha3_224", (PyCFunction)(void(*)(void))_hashlib_openssl_sha3_224, METH_FASTCALL|METH_KEYWORDS, _hashlib_openssl_sha3_224__doc__}, ++ ++static PyObject * ++_hashlib_openssl_sha3_224_impl(PyObject *module, PyObject *data_obj); ++ ++static PyObject * ++_hashlib_openssl_sha3_224(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) ++{ ++ PyObject *return_value = NULL; ++ static const char * const _keywords[] = {"string", NULL}; ++ static _PyArg_Parser _parser = {NULL, _keywords, "openssl_sha3_224", 0}; ++ PyObject *argsbuf[1]; ++ Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 0; ++ PyObject *data_obj = NULL; ++ ++ args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 0, 1, 0, argsbuf); ++ if (!args) { ++ goto exit; ++ } ++ if (!noptargs) { ++ goto skip_optional_pos; ++ } ++ data_obj = args[0]; ++skip_optional_pos: ++ return_value = _hashlib_openssl_sha3_224_impl(module, data_obj); ++ ++exit: ++ return return_value; ++} ++ ++PyDoc_STRVAR(_hashlib_openssl_sha3_256__doc__, ++"openssl_sha3_256($module, /, string=b\'\')\n" ++"--\n" ++"\n" ++"Returns a sha3_256 hash object; optionally initialized with a string"); ++ ++#define _HASHLIB_OPENSSL_SHA3_256_METHODDEF \ ++ {"openssl_sha3_256", (PyCFunction)(void(*)(void))_hashlib_openssl_sha3_256, METH_FASTCALL|METH_KEYWORDS, _hashlib_openssl_sha3_256__doc__}, ++ ++static PyObject * ++_hashlib_openssl_sha3_256_impl(PyObject *module, PyObject *data_obj); ++ ++static PyObject * ++_hashlib_openssl_sha3_256(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) ++{ ++ PyObject *return_value = NULL; ++ static const char * const _keywords[] = {"string", NULL}; ++ static _PyArg_Parser _parser = {NULL, _keywords, "openssl_sha3_256", 0}; ++ PyObject *argsbuf[1]; ++ Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 0; ++ PyObject *data_obj = NULL; ++ ++ args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 0, 1, 0, argsbuf); ++ if (!args) { ++ goto exit; ++ } ++ if (!noptargs) { ++ goto skip_optional_pos; ++ } ++ data_obj = args[0]; ++skip_optional_pos: ++ return_value = _hashlib_openssl_sha3_256_impl(module, data_obj); ++ ++exit: ++ return return_value; ++} ++ ++PyDoc_STRVAR(_hashlib_openssl_sha3_384__doc__, ++"openssl_sha3_384($module, /, string=b\'\')\n" ++"--\n" ++"\n" ++"Returns a sha3_384 hash object; optionally initialized with a string"); ++ ++#define _HASHLIB_OPENSSL_SHA3_384_METHODDEF \ ++ {"openssl_sha3_384", (PyCFunction)(void(*)(void))_hashlib_openssl_sha3_384, METH_FASTCALL|METH_KEYWORDS, _hashlib_openssl_sha3_384__doc__}, ++ ++static PyObject * ++_hashlib_openssl_sha3_384_impl(PyObject *module, PyObject *data_obj); ++ ++static PyObject * ++_hashlib_openssl_sha3_384(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) ++{ ++ PyObject *return_value = NULL; ++ static const char * const _keywords[] = {"string", NULL}; ++ static _PyArg_Parser _parser = {NULL, _keywords, "openssl_sha3_384", 0}; ++ PyObject *argsbuf[1]; ++ Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 0; ++ PyObject *data_obj = NULL; ++ ++ args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 0, 1, 0, argsbuf); ++ if (!args) { ++ goto exit; ++ } ++ if (!noptargs) { ++ goto skip_optional_pos; ++ } ++ data_obj = args[0]; ++skip_optional_pos: ++ return_value = _hashlib_openssl_sha3_384_impl(module, data_obj); ++ ++exit: ++ return return_value; ++} ++ ++PyDoc_STRVAR(_hashlib_openssl_sha3_512__doc__, ++"openssl_sha3_512($module, /, string=b\'\')\n" ++"--\n" ++"\n" ++"Returns a sha3-512 hash object; optionally initialized with a string"); ++ ++#define _HASHLIB_OPENSSL_SHA3_512_METHODDEF \ ++ {"openssl_sha3_512", (PyCFunction)(void(*)(void))_hashlib_openssl_sha3_512, METH_FASTCALL|METH_KEYWORDS, _hashlib_openssl_sha3_512__doc__}, ++ ++static PyObject * ++_hashlib_openssl_sha3_512_impl(PyObject *module, PyObject *data_obj); ++ ++static PyObject * ++_hashlib_openssl_sha3_512(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) ++{ ++ PyObject *return_value = NULL; ++ static const char * const _keywords[] = {"string", NULL}; ++ static _PyArg_Parser _parser = {NULL, _keywords, "openssl_sha3_512", 0}; ++ PyObject *argsbuf[1]; ++ Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 0; ++ PyObject *data_obj = NULL; ++ ++ args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 0, 1, 0, argsbuf); ++ if (!args) { ++ goto exit; ++ } ++ if (!noptargs) { ++ goto skip_optional_pos; ++ } ++ data_obj = args[0]; ++skip_optional_pos: ++ return_value = _hashlib_openssl_sha3_512_impl(module, data_obj); ++ ++exit: ++ return return_value; ++} ++ ++PyDoc_STRVAR(_hashlib_openssl_shake_128__doc__, ++"openssl_shake_128($module, /, string=b\'\')\n" ++"--\n" ++"\n" ++"Returns a shake_128 hash object; optionally initialized with a string"); ++ ++#define _HASHLIB_OPENSSL_SHAKE_128_METHODDEF \ ++ {"openssl_shake_128", (PyCFunction)(void(*)(void))_hashlib_openssl_shake_128, METH_FASTCALL|METH_KEYWORDS, _hashlib_openssl_shake_128__doc__}, ++ ++static PyObject * ++_hashlib_openssl_shake_128_impl(PyObject *module, PyObject *data_obj); ++ ++static PyObject * ++_hashlib_openssl_shake_128(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) ++{ ++ PyObject *return_value = NULL; ++ static const char * const _keywords[] = {"string", NULL}; ++ static _PyArg_Parser _parser = {NULL, _keywords, "openssl_shake_128", 0}; ++ PyObject *argsbuf[1]; ++ Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 0; ++ PyObject *data_obj = NULL; ++ ++ args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 0, 1, 0, argsbuf); ++ if (!args) { ++ goto exit; ++ } ++ if (!noptargs) { ++ goto skip_optional_pos; ++ } ++ data_obj = args[0]; ++skip_optional_pos: ++ return_value = _hashlib_openssl_shake_128_impl(module, data_obj); ++ ++exit: ++ return return_value; ++} ++ ++PyDoc_STRVAR(_hashlib_openssl_shake_256__doc__, ++"openssl_shake_256($module, /, string=b\'\')\n" ++"--\n" ++"\n" ++"Returns a shake_256 hash object; optionally initialized with a string"); ++ ++#define _HASHLIB_OPENSSL_SHAKE_256_METHODDEF \ ++ {"openssl_shake_256", (PyCFunction)(void(*)(void))_hashlib_openssl_shake_256, METH_FASTCALL|METH_KEYWORDS, _hashlib_openssl_shake_256__doc__}, ++ ++static PyObject * ++_hashlib_openssl_shake_256_impl(PyObject *module, PyObject *data_obj); ++ ++static PyObject * ++_hashlib_openssl_shake_256(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) ++{ ++ PyObject *return_value = NULL; ++ static const char * const _keywords[] = {"string", NULL}; ++ static _PyArg_Parser _parser = {NULL, _keywords, "openssl_shake_256", 0}; ++ PyObject *argsbuf[1]; ++ Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 0; ++ PyObject *data_obj = NULL; ++ ++ args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 0, 1, 0, argsbuf); ++ if (!args) { ++ goto exit; ++ } ++ if (!noptargs) { ++ goto skip_optional_pos; ++ } ++ data_obj = args[0]; ++skip_optional_pos: ++ return_value = _hashlib_openssl_shake_256_impl(module, data_obj); ++ ++exit: ++ return return_value; ++} ++ + PyDoc_STRVAR(pbkdf2_hmac__doc__, + "pbkdf2_hmac($module, /, hash_name, password, salt, iterations,\n" + " dklen=None)\n" +@@ -646,4 +942,4 @@ _hashlib_get_fips_mode(PyObject *module, PyObject *Py_UNUSED(ignored)) + #ifndef _HASHLIB_SCRYPT_METHODDEF + #define _HASHLIB_SCRYPT_METHODDEF + #endif /* !defined(_HASHLIB_SCRYPT_METHODDEF) */ +-/*[clinic end generated code: output=5467006d93e7479e input=a9049054013a1b77]*/ ++/*[clinic end generated code: output=be8e21a10dff71e7 input=a9049054013a1b77]*/ +-- +2.38.1 + + +From eb264b74a2a6fc820813edbfa611b782edcda088 Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Thu, 25 Jul 2019 18:13:45 +0200 +Subject: [PATCH 05/36] Fix tests + +--- + Lib/test/test_hashlib.py | 58 +++++++++++++++++++++++++++++++--------- + 1 file changed, 45 insertions(+), 13 deletions(-) + +diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py +index f40cc83..972eda1 100644 +--- a/Lib/test/test_hashlib.py ++++ b/Lib/test/test_hashlib.py +@@ -190,7 +190,9 @@ class HashLibTestCase(unittest.TestCase): + a = array.array("b", range(10)) + for cons in self.hash_constructors: + c = cons(a) +- if c.name in self.shakes: ++ if (c.name in self.shakes ++ and not cons.__name__.startswith('openssl_') ++ ): + c.hexdigest(16) + else: + c.hexdigest() +@@ -240,7 +242,9 @@ class HashLibTestCase(unittest.TestCase): + def test_hexdigest(self): + for cons in self.hash_constructors: + h = cons() +- if h.name in self.shakes: ++ if (h.name in self.shakes ++ and not cons.__name__.startswith('openssl_') ++ ): + self.assertIsInstance(h.digest(16), bytes) + self.assertEqual(hexstr(h.digest(16)), h.hexdigest(16)) + else: +@@ -254,6 +258,8 @@ class HashLibTestCase(unittest.TestCase): + h = cons() + if h.name not in self.shakes: + continue ++ if cons.__name__.startswith('openssl_'): ++ continue + for digest in h.digest, h.hexdigest: + self.assertRaises(ValueError, digest, -10) + for length in large_sizes: +@@ -282,7 +288,9 @@ class HashLibTestCase(unittest.TestCase): + m1.update(bees) + m1.update(cees) + m1.update(dees) +- if m1.name in self.shakes: ++ if (m1.name in self.shakes ++ and not cons.__name__.startswith('openssl_') ++ ): + args = (16,) + else: + args = () +@@ -309,15 +317,36 @@ class HashLibTestCase(unittest.TestCase): + # 2 is for hashlib.name(...) and hashlib.new(name, ...) + self.assertGreaterEqual(len(constructors), 2) + for hash_object_constructor in constructors: ++ if ( ++ kwargs ++ and hash_object_constructor.__name__.startswith('openssl_') ++ ): ++ return + m = hash_object_constructor(data, **kwargs) +- computed = m.hexdigest() if not shake else m.hexdigest(length) ++ if shake: ++ if hash_object_constructor.__name__.startswith('openssl_'): ++ if length > m.digest_size: ++ # OpenSSL doesn't give long digests ++ return ++ computed = m.hexdigest()[:length*2] ++ hexdigest = hexdigest[:length*2] ++ else: ++ computed = m.hexdigest(length) ++ else: ++ computed = m.hexdigest() + self.assertEqual( + computed, hexdigest, + "Hash algorithm %s constructed using %s returned hexdigest" + " %r for %d byte input data that should have hashed to %r." + % (name, hash_object_constructor, + computed, len(data), hexdigest)) +- computed = m.digest() if not shake else m.digest(length) ++ if shake: ++ if hash_object_constructor.__name__.startswith('openssl_'): ++ computed = m.digest()[:length] ++ else: ++ computed = m.digest(length) ++ else: ++ computed = m.digest() + digest = bytes.fromhex(hexdigest) + self.assertEqual(computed, digest) + if not shake: +@@ -357,12 +386,14 @@ class HashLibTestCase(unittest.TestCase): + for hash_object_constructor in constructors: + m = hash_object_constructor() + self.assertEqual(m.block_size, block_size) +- self.assertEqual(m.digest_size, digest_size) ++ if not hash_object_constructor.__name__.startswith('openssl_'): ++ self.assertEqual(m.digest_size, digest_size) + if digest_length: +- self.assertEqual(len(m.digest(digest_length)), +- digest_length) +- self.assertEqual(len(m.hexdigest(digest_length)), +- 2*digest_length) ++ if not hash_object_constructor.__name__.startswith('openssl_'): ++ self.assertEqual(len(m.digest(digest_length)), ++ digest_length) ++ self.assertEqual(len(m.hexdigest(digest_length)), ++ 2*digest_length) + else: + self.assertEqual(len(m.digest()), digest_size) + self.assertEqual(len(m.hexdigest()), 2*digest_size) +@@ -395,9 +426,10 @@ class HashLibTestCase(unittest.TestCase): + # _hashopenssl's variant does not have extra SHA3 attributes + continue + self.assertEqual(capacity + rate, 1600) +- self.assertEqual(m._capacity_bits, capacity) +- self.assertEqual(m._rate_bits, rate) +- self.assertEqual(m._suffix, suffix) ++ if not hash_object_constructor.__name__.startswith('openssl_'): ++ self.assertEqual(m._capacity_bits, capacity) ++ self.assertEqual(m._rate_bits, rate) ++ self.assertEqual(m._suffix, suffix) + + @requires_sha3 + def test_extra_sha3(self): +-- +2.38.1 + + +From 7c34172f398cdea804e8a4671f996e9b3706ec7d Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Fri, 26 Jul 2019 11:27:57 +0200 +Subject: [PATCH 06/36] Change FIPS exceptions from _blake2, _sha3 module init + to ImportError + +--- + Include/_hashopenssl.h | 11 +++++------ + Modules/_blake2/blake2b_impl.c | 4 ++-- + Modules/_blake2/blake2module.c | 2 +- + Modules/_blake2/blake2s_impl.c | 4 ++-- + Modules/_sha3/sha3module.c | 6 +++--- + 5 files changed, 13 insertions(+), 14 deletions(-) + +diff --git a/Include/_hashopenssl.h b/Include/_hashopenssl.h +index a726c0d..47ed003 100644 +--- a/Include/_hashopenssl.h ++++ b/Include/_hashopenssl.h +@@ -39,7 +39,7 @@ _setException(PyObject *exc) + + __attribute__((__unused__)) + static int +-_Py_hashlib_fips_error(char *name) { ++_Py_hashlib_fips_error(PyObject *exc, char *name) { + int result = FIPS_mode(); + if (result == 0) { + // "If the library was built without support of the FIPS Object Module, +@@ -49,18 +49,17 @@ _Py_hashlib_fips_error(char *name) { + + unsigned long errcode = ERR_peek_last_error(); + if (errcode) { +- _setException(PyExc_ValueError); ++ _setException(exc); + return 1; + } + return 0; + } +- PyErr_Format(PyExc_ValueError, "%s is not available in FIPS mode", +- name); ++ PyErr_Format(exc, "%s is not available in FIPS mode", name); + return 1; + } + +-#define FAIL_RETURN_IN_FIPS_MODE(name) do { \ +- if (_Py_hashlib_fips_error(name)) return NULL; \ ++#define FAIL_RETURN_IN_FIPS_MODE(exc, name) do { \ ++ if (_Py_hashlib_fips_error(exc, name)) return NULL; \ + } while (0) + + #endif // !Py_HASHOPENSSL_H +diff --git a/Modules/_blake2/blake2b_impl.c b/Modules/_blake2/blake2b_impl.c +index 1daf5c3..97ce89d 100644 +--- a/Modules/_blake2/blake2b_impl.c ++++ b/Modules/_blake2/blake2b_impl.c +@@ -97,7 +97,7 @@ py_blake2b_new_impl(PyTypeObject *type, PyObject *data, int digest_size, + BLAKE2bObject *self = NULL; + Py_buffer buf; + +- FAIL_RETURN_IN_FIPS_MODE("_blake2"); ++ FAIL_RETURN_IN_FIPS_MODE(PyExc_ValueError, "_blake2"); + + self = new_BLAKE2bObject(type); + if (self == NULL) { +@@ -277,7 +277,7 @@ _blake2_blake2b_update(BLAKE2bObject *self, PyObject *data) + { + Py_buffer buf; + +- FAIL_RETURN_IN_FIPS_MODE("_blake2"); ++ FAIL_RETURN_IN_FIPS_MODE(PyExc_ValueError, "_blake2"); + + GET_BUFFER_VIEW_OR_ERROUT(data, &buf); + +diff --git a/Modules/_blake2/blake2module.c b/Modules/_blake2/blake2module.c +index 817b716..a9c7cbc 100644 +--- a/Modules/_blake2/blake2module.c ++++ b/Modules/_blake2/blake2module.c +@@ -58,7 +58,7 @@ PyInit__blake2(void) + PyObject *m; + PyObject *d; + +- FAIL_RETURN_IN_FIPS_MODE("blake2"); ++ FAIL_RETURN_IN_FIPS_MODE(PyExc_ImportError, "blake2"); + + m = PyModule_Create(&blake2_module); + if (m == NULL) +diff --git a/Modules/_blake2/blake2s_impl.c b/Modules/_blake2/blake2s_impl.c +index 389711a..c4447b4 100644 +--- a/Modules/_blake2/blake2s_impl.c ++++ b/Modules/_blake2/blake2s_impl.c +@@ -97,7 +97,7 @@ py_blake2s_new_impl(PyTypeObject *type, PyObject *data, int digest_size, + BLAKE2sObject *self = NULL; + Py_buffer buf; + +- FAIL_RETURN_IN_FIPS_MODE("_blake2"); ++ FAIL_RETURN_IN_FIPS_MODE(PyExc_ValueError, "_blake2"); + + self = new_BLAKE2sObject(type); + if (self == NULL) { +@@ -277,7 +277,7 @@ _blake2_blake2s_update(BLAKE2sObject *self, PyObject *data) + { + Py_buffer buf; + +- FAIL_RETURN_IN_FIPS_MODE("_blake2"); ++ FAIL_RETURN_IN_FIPS_MODE(PyExc_ValueError, "_blake2"); + + GET_BUFFER_VIEW_OR_ERROUT(data, &buf); + +diff --git a/Modules/_sha3/sha3module.c b/Modules/_sha3/sha3module.c +index 34d09b4..3079e1e 100644 +--- a/Modules/_sha3/sha3module.c ++++ b/Modules/_sha3/sha3module.c +@@ -161,7 +161,7 @@ static PyTypeObject SHAKE256type; + static SHA3object * + newSHA3object(PyTypeObject *type) + { +- FAIL_RETURN_IN_FIPS_MODE("_sha3"); ++ FAIL_RETURN_IN_FIPS_MODE(PyExc_ValueError, "_sha3"); + SHA3object *newobj; + newobj = (SHA3object *)PyObject_New(SHA3object, type); + if (newobj == NULL) { +@@ -175,7 +175,7 @@ newSHA3object(PyTypeObject *type) + static PyObject * + py_sha3_new(PyTypeObject *type, PyObject *args, PyObject *kwargs) + { +- FAIL_RETURN_IN_FIPS_MODE("_sha3"); ++ FAIL_RETURN_IN_FIPS_MODE(PyExc_ValueError, "_sha3"); + SHA3object *self = NULL; + Py_buffer buf = {NULL, NULL}; + HashReturn res; +@@ -707,7 +707,7 @@ PyInit__sha3(void) + { + PyObject *m = NULL; + +- FAIL_RETURN_IN_FIPS_MODE("_sha3"); ++ FAIL_RETURN_IN_FIPS_MODE(PyExc_ImportError, "_sha3"); + + if ((m = PyModule_Create(&_SHA3module)) == NULL) { + return NULL; +-- +2.38.1 + + +From c968e85d077123510f8b6441b169b46f6e0e9d26 Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Fri, 26 Jul 2019 11:24:09 +0200 +Subject: [PATCH 07/36] Make hashlib importable under FIPS mode + +--- + Lib/hashlib.py | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/Lib/hashlib.py b/Lib/hashlib.py +index 1bcfdf9..898e6dc 100644 +--- a/Lib/hashlib.py ++++ b/Lib/hashlib.py +@@ -137,12 +137,14 @@ def __get_openssl_constructor(name): + f = getattr(_hashlib, 'openssl_' + name) + # Allow the C module to raise ValueError. The function will be + # defined but the hash not actually available thanks to OpenSSL. +- f() ++ if not get_fips_mode(): ++ # N.B. In "FIPS mode", there is no fallback. ++ # If this test fails, we want to export the broken hash ++ # constructor anyway. ++ f() + # Use the C function directly (very fast) + return f + except (AttributeError, ValueError): +- if get_fips_mode(): +- raise + return __get_builtin_constructor(name) + + +-- +2.38.1 + + +From ea2a87a494c36eae2cc2cf343074ff0214e37517 Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Fri, 26 Jul 2019 15:41:10 +0200 +Subject: [PATCH 08/36] Implement hmac.new using new built-in module, + _hmacopenssl + +--- + Lib/hmac.py | 32 ++- + Modules/_hmacopenssl.c | 396 ++++++++++++++++++++++++++++++++ + Modules/clinic/_hmacopenssl.c.h | 133 +++++++++++ + setup.py | 4 + + 4 files changed, 564 insertions(+), 1 deletion(-) + create mode 100644 Modules/_hmacopenssl.c + create mode 100644 Modules/clinic/_hmacopenssl.c.h + +diff --git a/Lib/hmac.py b/Lib/hmac.py +index b769876..daabc8c 100644 +--- a/Lib/hmac.py ++++ b/Lib/hmac.py +@@ -13,6 +13,8 @@ except ImportError: + else: + _openssl_md_meths = frozenset(_hashopenssl.openssl_md_meth_names) + import hashlib as _hashlib ++import _hashlib as _hashlibopenssl ++import _hmacopenssl + + trans_5C = bytes((x ^ 0x5C) for x in range(256)) + trans_36 = bytes((x ^ 0x36) for x in range(256)) +@@ -43,6 +45,11 @@ class HMAC: + msg argument. Passing it as a keyword argument is + recommended, though not required for legacy API reasons. + """ ++ if _hashlib.get_fips_mode(): ++ raise ValueError( ++ 'hmac.HMAC is not available in FIPS mode. ' ++ + 'Use hmac.new().' ++ ) + + if not isinstance(key, (bytes, bytearray)): + raise TypeError("key: expected bytes or bytearray, but got %r" % type(key).__name__) +@@ -93,6 +100,8 @@ class HMAC: + + def update(self, msg): + """Feed data from msg into this hashing object.""" ++ if _hashlib.get_fips_mode(): ++ raise ValueError('hmac.HMAC is not available in FIPS mode') + self.inner.update(msg) + + def copy(self): +@@ -133,6 +142,18 @@ class HMAC: + h = self._current() + return h.hexdigest() + ++def _get_openssl_name(digestmod): ++ if isinstance(digestmod, str): ++ return digestmod.lower() ++ elif callable(digestmod): ++ digestmod = digestmod(b'') ++ ++ if not isinstance(digestmod, _hashlibopenssl.HASH): ++ raise TypeError( ++ 'Only OpenSSL hashlib hashes are accepted in FIPS mode.') ++ ++ return digestmod.name.lower().replace('_', '-') ++ + def new(key, msg=None, digestmod=''): + """Create a new hashing object and return it. + +@@ -150,7 +171,16 @@ def new(key, msg=None, digestmod=''): + method, and can ask for the hash value at any time by calling its digest() + or hexdigest() methods. + """ +- return HMAC(key, msg, digestmod) ++ if _hashlib.get_fips_mode(): ++ if digestmod is None: ++ digestmod = 'md5' ++ name = _get_openssl_name(digestmod) ++ result = _hmacopenssl.new(key, digestmod=name) ++ if msg: ++ result.update(msg) ++ return result ++ else: ++ return HMAC(key, msg, digestmod) + + + def digest(key, msg, digest): +diff --git a/Modules/_hmacopenssl.c b/Modules/_hmacopenssl.c +new file mode 100644 +index 0000000..ca95d72 +--- /dev/null ++++ b/Modules/_hmacopenssl.c +@@ -0,0 +1,396 @@ ++/* Module that wraps all OpenSSL MHAC algorithm */ ++ ++/* Copyright (C) 2019 Red Hat, Inc. Red Hat, Inc. and/or its affiliates ++ * ++ * Based on _hashopenssl.c, which is: ++ * Copyright (C) 2005-2010 Gregory P. Smith (greg@krypto.org) ++ * Licensed to PSF under a Contributor Agreement. ++ * ++ * Derived from a skeleton of shamodule.c containing work performed by: ++ * ++ * Andrew Kuchling (amk@amk.ca) ++ * Greg Stein (gstein@lyra.org) ++ * ++ */ ++ ++#define PY_SSIZE_T_CLEAN ++ ++#include "Python.h" ++#include "structmember.h" ++#include "hashlib.h" ++#include "pystrhex.h" ++#include "_hashopenssl.h" ++ ++ ++#include ++ ++static PyTypeObject HmacType; ++ ++typedef struct { ++ PyObject_HEAD ++ PyObject *name; /* name of the hash algorithm */ ++ HMAC_CTX *ctx; /* OpenSSL hmac context */ ++ PyThread_type_lock lock; /* HMAC context lock */ ++} HmacObject; ++ ++#include "clinic/_hmacopenssl.c.h" ++/*[clinic input] ++module _hmacopenssl ++class _hmacopenssl.HMAC "HmacObject *" "&HmacType" ++[clinic start generated code]*/ ++/*[clinic end generated code: output=da39a3ee5e6b4b0d input=c98d3f2af591c085]*/ ++ ++ ++/*[clinic input] ++_hmacopenssl.new ++ ++ key: Py_buffer ++ * ++ digestmod: str ++ ++Return a new hmac object. ++[clinic start generated code]*/ ++ ++static PyObject * ++_hmacopenssl_new_impl(PyObject *module, Py_buffer *key, ++ const char *digestmod) ++/*[clinic end generated code: output=46f1cb4e02921922 input=be8c0c2e4fad508c]*/ ++{ ++ if (digestmod == NULL) { ++ PyErr_SetString(PyExc_ValueError, "digestmod must be specified"); ++ return NULL; ++ } ++ ++ /* name mut be lowercase */ ++ for (int i=0; digestmod[i]; i++) { ++ if ( ++ ((digestmod[i] < 'a') || (digestmod[i] > 'z')) ++ && ((digestmod[i] < '0') || (digestmod[i] > '9')) ++ && digestmod[i] != '-' ++ ) { ++ PyErr_SetString(PyExc_ValueError, "digestmod must be lowercase"); ++ return NULL; ++ } ++ } ++ ++ const EVP_MD *digest = EVP_get_digestbyname(digestmod); ++ if (!digest) { ++ PyErr_SetString(PyExc_ValueError, "unknown hash function"); ++ return NULL; ++ } ++ ++ PyObject *name = NULL; ++ HMAC_CTX *ctx = NULL; ++ HmacObject *retval = NULL; ++ ++ name = PyUnicode_FromFormat("hmac-%s", digestmod); ++ if (name == NULL) { ++ goto error; ++ } ++ ++ ctx = HMAC_CTX_new(); ++ if (ctx == NULL) { ++ _setException(PyExc_ValueError); ++ goto error; ++ } ++ ++ int r = HMAC_Init_ex( ++ ctx, ++ (const char*)key->buf, ++ key->len, ++ digest, ++ NULL /*impl*/); ++ if (r == 0) { ++ _setException(PyExc_ValueError); ++ goto error; ++ } ++ ++ retval = (HmacObject *)PyObject_New(HmacObject, &HmacType); ++ if (retval == NULL) { ++ goto error; ++ } ++ ++ retval->name = name; ++ retval->ctx = ctx; ++ retval->lock = NULL; ++ ++ return (PyObject*)retval; ++ ++error: ++ if (ctx) HMAC_CTX_free(ctx); ++ if (name) Py_DECREF(name); ++ if (retval) PyObject_Del(name); ++ return NULL; ++} ++ ++/*[clinic input] ++_hmacopenssl.HMAC.copy ++ ++Return a copy (“clone”) of the HMAC object. ++[clinic start generated code]*/ ++ ++static PyObject * ++_hmacopenssl_HMAC_copy_impl(HmacObject *self) ++/*[clinic end generated code: output=fe5ee41faf30dcf0 input=f5ed20feec42d8d0]*/ ++{ ++ HmacObject *retval = (HmacObject *)PyObject_New(HmacObject, &HmacType); ++ if (retval == NULL) { ++ return NULL; ++ } ++ ++ Py_INCREF(self->name); ++ retval->name = self->name; ++ ++ int r = HMAC_CTX_copy(retval->ctx, self->ctx); ++ if (r == 0) { ++ PyObject_Del(retval); ++ return _setException(PyExc_ValueError); ++ } ++ ++ return (PyObject*)retval; ++} ++ ++static void ++_hmac_dealloc(HmacObject *self) ++{ ++ if (self->lock != NULL) { ++ PyThread_free_lock(self->lock); ++ } ++ HMAC_CTX_free(self->ctx); ++ Py_XDECREF(self->name); ++ PyObject_Del(self); ++} ++ ++static PyObject * ++_hmac_repr(HmacObject *self) ++{ ++ return PyUnicode_FromFormat("<%U HMAC object @ %p>", self->name, self); ++} ++ ++/*[clinic input] ++_hmacopenssl.HMAC.update ++ ++ msg: Py_buffer ++ ++Update the HMAC object with msg. ++[clinic start generated code]*/ ++ ++static PyObject * ++_hmacopenssl_HMAC_update_impl(HmacObject *self, Py_buffer *msg) ++/*[clinic end generated code: output=0efeee663a98cee5 input=0683d64f35808cb9]*/ ++{ ++ if (self->lock == NULL && msg->len >= HASHLIB_GIL_MINSIZE) { ++ self->lock = PyThread_allocate_lock(); ++ /* fail? lock = NULL and we fail over to non-threaded code. */ ++ } ++ ++ int r; ++ ++ if (self->lock != NULL) { ++ Py_BEGIN_ALLOW_THREADS ++ PyThread_acquire_lock(self->lock, 1); ++ r = HMAC_Update(self->ctx, (const unsigned char*)msg->buf, msg->len); ++ PyThread_release_lock(self->lock); ++ Py_END_ALLOW_THREADS ++ } else { ++ r = HMAC_Update(self->ctx, (const unsigned char*)msg->buf, msg->len); ++ } ++ ++ if (r == 0) { ++ _setException(PyExc_ValueError); ++ return NULL; ++ } ++ Py_RETURN_NONE; ++} ++ ++static unsigned int ++_digest_size(HmacObject *self) ++{ ++ const EVP_MD *md = HMAC_CTX_get_md(self->ctx); ++ if (md == NULL) { ++ _setException(PyExc_ValueError); ++ return 0; ++ } ++ return EVP_MD_size(md); ++} ++ ++static int ++_digest(HmacObject *self, unsigned char *buf, unsigned int len) ++{ ++ HMAC_CTX *temp_ctx = HMAC_CTX_new(); ++ if (temp_ctx == NULL) { ++ PyErr_NoMemory(); ++ return 0; ++ } ++ int r = HMAC_CTX_copy(temp_ctx, self->ctx); ++ if (r == 0) { ++ _setException(PyExc_ValueError); ++ return 0; ++ } ++ r = HMAC_Final(temp_ctx, buf, &len); ++ HMAC_CTX_free(temp_ctx); ++ if (r == 0) { ++ _setException(PyExc_ValueError); ++ return 0; ++ } ++ return 1; ++} ++ ++/*[clinic input] ++_hmacopenssl.HMAC.digest ++ ++Return the digest of the bytes passed to the update() method so far. ++[clinic start generated code]*/ ++ ++static PyObject * ++_hmacopenssl_HMAC_digest_impl(HmacObject *self) ++/*[clinic end generated code: output=3aa6dbfc46ec4957 input=bf769a10b1d9edd9]*/ ++{ ++ unsigned int digest_size = _digest_size(self); ++ if (digest_size == 0) { ++ return _setException(PyExc_ValueError); ++ } ++ unsigned char buf[digest_size]; /* FIXME: C99 feature */ ++ int r = _digest(self, buf, digest_size); ++ if (r == 0) { ++ return NULL; ++ } ++ return PyBytes_FromStringAndSize((const char *)buf, digest_size); ++} ++ ++/*[clinic input] ++_hmacopenssl.HMAC.hexdigest ++ ++Return hexadecimal digest of the bytes passed to the update() method so far. ++ ++This may be used to exchange the value safely in email or other non-binary ++environments. ++[clinic start generated code]*/ ++ ++static PyObject * ++_hmacopenssl_HMAC_hexdigest_impl(HmacObject *self) ++/*[clinic end generated code: output=630f6fa89f9f1e48 input=b8e60ec8b811c4cd]*/ ++{ ++ unsigned int digest_size = _digest_size(self); ++ if (digest_size == 0) { ++ return _setException(PyExc_ValueError); ++ } ++ unsigned char buf[digest_size]; /* FIXME: C99 feature */ ++ int r = _digest(self, buf, digest_size); ++ if (r == 0) { ++ return NULL; ++ } ++ return _Py_strhex((const char *)buf, digest_size); ++} ++ ++ ++ ++static PyObject * ++_hmacopenssl_get_digest_size(HmacObject *self, void *closure) ++{ ++ unsigned int digest_size = _digest_size(self); ++ if (digest_size == 0) { ++ return _setException(PyExc_ValueError); ++ } ++ return PyLong_FromLong(digest_size); ++} ++ ++static PyObject * ++_hmacopenssl_get_block_size(HmacObject *self, void *closure) ++{ ++ const EVP_MD *md = HMAC_CTX_get_md(self->ctx); ++ if (md == NULL) { ++ return _setException(PyExc_ValueError); ++ } ++ return PyLong_FromLong(EVP_MD_size(md)); ++} ++ ++static PyMethodDef Hmac_methods[] = { ++ _HMACOPENSSL_HMAC_UPDATE_METHODDEF ++ _HMACOPENSSL_HMAC_DIGEST_METHODDEF ++ _HMACOPENSSL_HMAC_HEXDIGEST_METHODDEF ++ _HMACOPENSSL_HMAC_COPY_METHODDEF ++ {NULL, NULL} /* sentinel */ ++}; ++ ++static PyGetSetDef Hmac_getset[] = { ++ {"digest_size", (getter)_hmacopenssl_get_digest_size, NULL, NULL, NULL}, ++ {"block_size", (getter)_hmacopenssl_get_block_size, NULL, NULL, NULL}, ++ {NULL} /* Sentinel */ ++}; ++ ++static PyMemberDef Hmac_members[] = { ++ {"name", T_OBJECT, offsetof(HmacObject, name), READONLY, PyDoc_STR("HMAC name")}, ++}; ++ ++PyDoc_STRVAR(hmactype_doc, ++"The object used to calculate HMAC of a message.\n\ ++\n\ ++Methods:\n\ ++\n\ ++update() -- updates the current digest with an additional string\n\ ++digest() -- return the current digest value\n\ ++hexdigest() -- return the current digest as a string of hexadecimal digits\n\ ++copy() -- return a copy of the current hash object\n\ ++\n\ ++Attributes:\n\ ++\n\ ++name -- the name, including the hash algorithm used by this object\n\ ++digest_size -- number of bytes in digest() output\n"); ++ ++static PyTypeObject HmacType = { ++ PyVarObject_HEAD_INIT(NULL, 0) ++ "_hmacopenssl.HMAC", /*tp_name*/ ++ sizeof(HmacObject), /*tp_basicsize*/ ++ .tp_flags = Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE, ++ .tp_doc = hmactype_doc, ++ .tp_repr = (reprfunc)_hmac_repr, ++ .tp_dealloc = (destructor)_hmac_dealloc, ++ .tp_methods = Hmac_methods, ++ .tp_getset = Hmac_getset, ++ .tp_members = Hmac_members, ++}; ++ ++static struct PyMethodDef hmacopenssl_functions[] = { ++ _HMACOPENSSL_NEW_METHODDEF ++ {NULL, NULL} /* Sentinel */ ++}; ++ ++ ++ ++/* Initialize this module. */ ++ ++ ++static struct PyModuleDef _hmacopenssl_module = { ++ PyModuleDef_HEAD_INIT, ++ "_hmacopenssl", ++ NULL, ++ -1, ++ hmacopenssl_functions, ++ NULL, ++ NULL, ++ NULL, ++ NULL ++}; ++ ++PyMODINIT_FUNC ++PyInit__hmacopenssl(void) ++{ ++ /* TODO build EVP_functions openssl_* entries dynamically based ++ * on what hashes are supported rather than listing many ++ * but having some be unsupported. Only init appropriate ++ * constants. */ ++ ++ Py_TYPE(&HmacType) = &PyType_Type; ++ if (PyType_Ready(&HmacType) < 0) ++ return NULL; ++ ++ PyObject *m = PyModule_Create(&_hmacopenssl_module); ++ if (m == NULL) ++ return NULL; ++ ++ Py_INCREF((PyObject *)&HmacType); ++ PyModule_AddObject(m, "HMAC", (PyObject *)&HmacType); ++ ++ return m; ++} +diff --git a/Modules/clinic/_hmacopenssl.c.h b/Modules/clinic/_hmacopenssl.c.h +new file mode 100644 +index 0000000..b472a6e +--- /dev/null ++++ b/Modules/clinic/_hmacopenssl.c.h +@@ -0,0 +1,133 @@ ++/*[clinic input] ++preserve ++[clinic start generated code]*/ ++ ++PyDoc_STRVAR(_hmacopenssl_new__doc__, ++"new($module, /, key, *, digestmod)\n" ++"--\n" ++"\n" ++"Return a new hmac object."); ++ ++#define _HMACOPENSSL_NEW_METHODDEF \ ++ {"new", (PyCFunction)_hmacopenssl_new, METH_FASTCALL, _hmacopenssl_new__doc__}, ++ ++static PyObject * ++_hmacopenssl_new_impl(PyObject *module, Py_buffer *key, ++ const char *digestmod); ++ ++static PyObject * ++_hmacopenssl_new(PyObject *module, PyObject **args, Py_ssize_t nargs, PyObject *kwnames) ++{ ++ PyObject *return_value = NULL; ++ static const char * const _keywords[] = {"key", "digestmod", NULL}; ++ static _PyArg_Parser _parser = {"y*$s:new", _keywords, 0}; ++ Py_buffer key = {NULL, NULL}; ++ const char *digestmod; ++ ++ if (!_PyArg_ParseStack(args, nargs, kwnames, &_parser, ++ &key, &digestmod)) { ++ goto exit; ++ } ++ return_value = _hmacopenssl_new_impl(module, &key, digestmod); ++ ++exit: ++ /* Cleanup for key */ ++ if (key.obj) { ++ PyBuffer_Release(&key); ++ } ++ ++ return return_value; ++} ++ ++PyDoc_STRVAR(_hmacopenssl_HMAC_copy__doc__, ++"copy($self, /)\n" ++"--\n" ++"\n" ++"Return a copy (“clone”) of the HMAC object."); ++ ++#define _HMACOPENSSL_HMAC_COPY_METHODDEF \ ++ {"copy", (PyCFunction)_hmacopenssl_HMAC_copy, METH_NOARGS, _hmacopenssl_HMAC_copy__doc__}, ++ ++static PyObject * ++_hmacopenssl_HMAC_copy_impl(HmacObject *self); ++ ++static PyObject * ++_hmacopenssl_HMAC_copy(HmacObject *self, PyObject *Py_UNUSED(ignored)) ++{ ++ return _hmacopenssl_HMAC_copy_impl(self); ++} ++ ++PyDoc_STRVAR(_hmacopenssl_HMAC_update__doc__, ++"update($self, /, msg)\n" ++"--\n" ++"\n" ++"Update the HMAC object with msg."); ++ ++#define _HMACOPENSSL_HMAC_UPDATE_METHODDEF \ ++ {"update", (PyCFunction)_hmacopenssl_HMAC_update, METH_FASTCALL, _hmacopenssl_HMAC_update__doc__}, ++ ++static PyObject * ++_hmacopenssl_HMAC_update_impl(HmacObject *self, Py_buffer *msg); ++ ++static PyObject * ++_hmacopenssl_HMAC_update(HmacObject *self, PyObject **args, Py_ssize_t nargs, PyObject *kwnames) ++{ ++ PyObject *return_value = NULL; ++ static const char * const _keywords[] = {"msg", NULL}; ++ static _PyArg_Parser _parser = {"y*:update", _keywords, 0}; ++ Py_buffer msg = {NULL, NULL}; ++ ++ if (!_PyArg_ParseStack(args, nargs, kwnames, &_parser, ++ &msg)) { ++ goto exit; ++ } ++ return_value = _hmacopenssl_HMAC_update_impl(self, &msg); ++ ++exit: ++ /* Cleanup for msg */ ++ if (msg.obj) { ++ PyBuffer_Release(&msg); ++ } ++ ++ return return_value; ++} ++ ++PyDoc_STRVAR(_hmacopenssl_HMAC_digest__doc__, ++"digest($self, /)\n" ++"--\n" ++"\n" ++"Return the digest of the bytes passed to the update() method so far."); ++ ++#define _HMACOPENSSL_HMAC_DIGEST_METHODDEF \ ++ {"digest", (PyCFunction)_hmacopenssl_HMAC_digest, METH_NOARGS, _hmacopenssl_HMAC_digest__doc__}, ++ ++static PyObject * ++_hmacopenssl_HMAC_digest_impl(HmacObject *self); ++ ++static PyObject * ++_hmacopenssl_HMAC_digest(HmacObject *self, PyObject *Py_UNUSED(ignored)) ++{ ++ return _hmacopenssl_HMAC_digest_impl(self); ++} ++ ++PyDoc_STRVAR(_hmacopenssl_HMAC_hexdigest__doc__, ++"hexdigest($self, /)\n" ++"--\n" ++"\n" ++"Return hexadecimal digest of the bytes passed to the update() method so far.\n" ++"\n" ++"This may be used to exchange the value safely in email or other non-binary\n" ++"environments."); ++ ++#define _HMACOPENSSL_HMAC_HEXDIGEST_METHODDEF \ ++ {"hexdigest", (PyCFunction)_hmacopenssl_HMAC_hexdigest, METH_NOARGS, _hmacopenssl_HMAC_hexdigest__doc__}, ++ ++static PyObject * ++_hmacopenssl_HMAC_hexdigest_impl(HmacObject *self); ++ ++static PyObject * ++_hmacopenssl_HMAC_hexdigest(HmacObject *self, PyObject *Py_UNUSED(ignored)) ++{ ++ return _hmacopenssl_HMAC_hexdigest_impl(self); ++} ++/*[clinic end generated code: output=10b6e8cac6d7a2c9 input=a9049054013a1b77]*/ +diff --git a/setup.py b/setup.py +index f7c4be1..6fc7e72 100644 +--- a/setup.py ++++ b/setup.py +@@ -2235,6 +2235,10 @@ class PyBuildExt(build_ext): + depends=['hashlib.h'], + **self.detect_openssl_args()) ) + ++ self.add(Extension('_hmacopenssl', ['_hmacopenssl.c'], ++ depends = ['hashlib.h'], ++ **self.detect_openssl_args()) ) ++ + def detect_hash_builtins(self): + # RHEL: Always force OpenSSL for md5, sha1, sha256, sha512; + # don't build Python's implementations. +-- +2.38.1 + + +From 03ac0fc03e418f73ed76b203f779a083312aaff9 Mon Sep 17 00:00:00 2001 +From: Marcel Plch +Date: Mon, 29 Jul 2019 12:45:11 +0200 +Subject: [PATCH 09/36] FIPS review + +* Port _hmacopenssl to multiphase init. +* Make _hmacopenssl.HMAC.copy create same type as self. +* hmac.py cosmetic nitpick +--- + Lib/hmac.py | 2 +- + Modules/_hmacopenssl.c | 112 +++++++++++++++++++++++++---------------- + 2 files changed, 70 insertions(+), 44 deletions(-) + +diff --git a/Lib/hmac.py b/Lib/hmac.py +index daabc8c..2ec24da 100644 +--- a/Lib/hmac.py ++++ b/Lib/hmac.py +@@ -48,7 +48,7 @@ class HMAC: + if _hashlib.get_fips_mode(): + raise ValueError( + 'hmac.HMAC is not available in FIPS mode. ' +- + 'Use hmac.new().' ++ 'Use hmac.new().' + ) + + if not isinstance(key, (bytes, bytearray)): +diff --git a/Modules/_hmacopenssl.c b/Modules/_hmacopenssl.c +index ca95d72..216ed04 100644 +--- a/Modules/_hmacopenssl.c ++++ b/Modules/_hmacopenssl.c +@@ -24,7 +24,10 @@ + + #include + +-static PyTypeObject HmacType; ++typedef struct hmacopenssl_state { ++ PyTypeObject *HmacType; ++} hmacopenssl_state; ++ + + typedef struct { + PyObject_HEAD +@@ -36,9 +39,9 @@ typedef struct { + #include "clinic/_hmacopenssl.c.h" + /*[clinic input] + module _hmacopenssl +-class _hmacopenssl.HMAC "HmacObject *" "&HmacType" ++class _hmacopenssl.HMAC "HmacObject *" "PyModule_GetState(module)->HmacType" + [clinic start generated code]*/ +-/*[clinic end generated code: output=da39a3ee5e6b4b0d input=c98d3f2af591c085]*/ ++/*[clinic end generated code: output=da39a3ee5e6b4b0d input=204b7f45847f57b4]*/ + + + /*[clinic input] +@@ -56,11 +59,18 @@ _hmacopenssl_new_impl(PyObject *module, Py_buffer *key, + const char *digestmod) + /*[clinic end generated code: output=46f1cb4e02921922 input=be8c0c2e4fad508c]*/ + { ++ hmacopenssl_state *state; ++ + if (digestmod == NULL) { + PyErr_SetString(PyExc_ValueError, "digestmod must be specified"); + return NULL; + } + ++ state = PyModule_GetState(module); ++ if (state == NULL) { ++ return NULL; ++ } ++ + /* name mut be lowercase */ + for (int i=0; digestmod[i]; i++) { + if ( +@@ -105,7 +115,7 @@ _hmacopenssl_new_impl(PyObject *module, Py_buffer *key, + goto error; + } + +- retval = (HmacObject *)PyObject_New(HmacObject, &HmacType); ++ retval = (HmacObject *)PyObject_New(HmacObject, state->HmacType); + if (retval == NULL) { + goto error; + } +@@ -133,7 +143,9 @@ static PyObject * + _hmacopenssl_HMAC_copy_impl(HmacObject *self) + /*[clinic end generated code: output=fe5ee41faf30dcf0 input=f5ed20feec42d8d0]*/ + { +- HmacObject *retval = (HmacObject *)PyObject_New(HmacObject, &HmacType); ++ HmacObject *retval; ++ ++ retval = (HmacObject *)PyObject_New(HmacObject, (PyTypeObject *)PyObject_Type((PyObject *)self)); + if (retval == NULL) { + return NULL; + } +@@ -147,7 +159,7 @@ _hmacopenssl_HMAC_copy_impl(HmacObject *self) + return _setException(PyExc_ValueError); + } + +- return (PyObject*)retval; ++ return (PyObject *)retval; + } + + static void +@@ -338,19 +350,24 @@ Attributes:\n\ + name -- the name, including the hash algorithm used by this object\n\ + digest_size -- number of bytes in digest() output\n"); + +-static PyTypeObject HmacType = { +- PyVarObject_HEAD_INIT(NULL, 0) +- "_hmacopenssl.HMAC", /*tp_name*/ +- sizeof(HmacObject), /*tp_basicsize*/ +- .tp_flags = Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE, +- .tp_doc = hmactype_doc, +- .tp_repr = (reprfunc)_hmac_repr, +- .tp_dealloc = (destructor)_hmac_dealloc, +- .tp_methods = Hmac_methods, +- .tp_getset = Hmac_getset, +- .tp_members = Hmac_members, ++static PyType_Slot HmacType_slots[] = { ++ {Py_tp_doc, hmactype_doc}, ++ {Py_tp_repr, (reprfunc)_hmac_repr}, ++ {Py_tp_dealloc,(destructor)_hmac_dealloc}, ++ {Py_tp_methods, Hmac_methods}, ++ {Py_tp_getset, Hmac_getset}, ++ {Py_tp_members, Hmac_members}, ++ {0, NULL} ++}; ++ ++PyType_Spec HmacType_spec = { ++ "_hmacopenssl.HMAC", /* name */ ++ sizeof(HmacObject), /* basicsize */ ++ .flags = Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE, ++ .slots = HmacType_slots, + }; + ++ + static struct PyMethodDef hmacopenssl_functions[] = { + _HMACOPENSSL_NEW_METHODDEF + {NULL, NULL} /* Sentinel */ +@@ -360,37 +377,46 @@ static struct PyMethodDef hmacopenssl_functions[] = { + + /* Initialize this module. */ + +- +-static struct PyModuleDef _hmacopenssl_module = { +- PyModuleDef_HEAD_INIT, +- "_hmacopenssl", +- NULL, +- -1, +- hmacopenssl_functions, +- NULL, +- NULL, +- NULL, +- NULL +-}; +- +-PyMODINIT_FUNC +-PyInit__hmacopenssl(void) +-{ ++static int ++hmacopenssl_exec(PyObject *m) { + /* TODO build EVP_functions openssl_* entries dynamically based + * on what hashes are supported rather than listing many +- * but having some be unsupported. Only init appropriate ++ * and having some unsupported. Only init appropriate + * constants. */ ++ PyObject *temp; + +- Py_TYPE(&HmacType) = &PyType_Type; +- if (PyType_Ready(&HmacType) < 0) +- return NULL; ++ temp = PyType_FromSpec(&HmacType_spec); ++ if (temp == NULL) { ++ goto fail; ++ } + +- PyObject *m = PyModule_Create(&_hmacopenssl_module); +- if (m == NULL) +- return NULL; ++ if (PyModule_AddObject(m, "HMAC", temp) == -1) { ++ goto fail; ++ } ++ ++ return 0; + +- Py_INCREF((PyObject *)&HmacType); +- PyModule_AddObject(m, "HMAC", (PyObject *)&HmacType); ++fail: ++ Py_XDECREF(temp); ++ return -1; ++} + +- return m; ++static PyModuleDef_Slot hmacopenssl_slots[] = { ++ {Py_mod_exec, hmacopenssl_exec}, ++ {0, NULL}, ++}; ++ ++static struct PyModuleDef _hmacopenssl_def = { ++ PyModuleDef_HEAD_INIT, /* m_base */ ++ .m_name = "_hmacopenssl", ++ .m_methods = hmacopenssl_functions, ++ .m_slots = hmacopenssl_slots, ++ .m_size = sizeof(hmacopenssl_state) ++}; ++ ++ ++PyMODINIT_FUNC ++PyInit__hmacopenssl(void) ++{ ++ return PyModuleDef_Init(&_hmacopenssl_def); + } +-- +2.38.1 + + +From f130424124b4cbd4b61f1dd84b69f1f4f9e766f6 Mon Sep 17 00:00:00 2001 +From: Marcel Plch +Date: Mon, 29 Jul 2019 13:05:04 +0200 +Subject: [PATCH 10/36] revert cosmetic nitpick and remove trailing whitespace + +--- + Lib/hmac.py | 2 +- + Modules/_hmacopenssl.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/Lib/hmac.py b/Lib/hmac.py +index 2ec24da..daabc8c 100644 +--- a/Lib/hmac.py ++++ b/Lib/hmac.py +@@ -48,7 +48,7 @@ class HMAC: + if _hashlib.get_fips_mode(): + raise ValueError( + 'hmac.HMAC is not available in FIPS mode. ' +- 'Use hmac.new().' ++ + 'Use hmac.new().' + ) + + if not isinstance(key, (bytes, bytearray)): +diff --git a/Modules/_hmacopenssl.c b/Modules/_hmacopenssl.c +index 216ed04..221714c 100644 +--- a/Modules/_hmacopenssl.c ++++ b/Modules/_hmacopenssl.c +@@ -363,7 +363,7 @@ static PyType_Slot HmacType_slots[] = { + PyType_Spec HmacType_spec = { + "_hmacopenssl.HMAC", /* name */ + sizeof(HmacObject), /* basicsize */ +- .flags = Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE, ++ .flags = Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE, + .slots = HmacType_slots, + }; + +@@ -407,7 +407,7 @@ static PyModuleDef_Slot hmacopenssl_slots[] = { + }; + + static struct PyModuleDef _hmacopenssl_def = { +- PyModuleDef_HEAD_INIT, /* m_base */ ++ PyModuleDef_HEAD_INIT, /* m_base */ + .m_name = "_hmacopenssl", + .m_methods = hmacopenssl_functions, + .m_slots = hmacopenssl_slots, +-- +2.38.1 + + +From 5259a4c7bd3d1ce2f0bdbcd0c95583c95d7d0d23 Mon Sep 17 00:00:00 2001 +From: Charalampos Stratakis +Date: Wed, 31 Jul 2019 15:43:43 +0200 +Subject: [PATCH 11/36] Add initial tests for various hashes under FIPS mode + +--- + Lib/test/test_fips.py | 64 +++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 64 insertions(+) + create mode 100644 Lib/test/test_fips.py + +diff --git a/Lib/test/test_fips.py b/Lib/test/test_fips.py +new file mode 100644 +index 0000000..bee911e +--- /dev/null ++++ b/Lib/test/test_fips.py +@@ -0,0 +1,64 @@ ++import unittest ++import hmac, _hmacopenssl ++import hashlib, _hashlib ++ ++ ++ ++class HashlibFipsTests(unittest.TestCase): ++ ++ @unittest.skipUnless(hashlib.get_fips_mode(), "Test only when FIPS is enabled") ++ def test_fips_imports(self): ++ """blake2s and blake2b should fail to import in FIPS mode ++ """ ++ with self.assertRaises(ValueError, msg='blake2s not available in FIPS'): ++ m = hashlib.blake2s() ++ with self.assertRaises(ValueError, msg='blake2b not available in FIPS'): ++ m = hashlib.blake2b() ++ ++ def compare_hashes(self, python_hash, openssl_hash): ++ """ ++ Compare between the python implementation and the openssl one that the digests ++ are the same ++ """ ++ if python_hash.name.startswith('shake_128'): ++ m = python_hash.hexdigest(16) ++ elif python_hash.name.startswith('shake_256'): ++ m = python_hash.hexdigest(32) ++ else: ++ m = python_hash.hexdigest() ++ h = openssl_hash.hexdigest() ++ ++ self.assertEqual(m, h) ++ ++ @unittest.skipIf(hashlib.get_fips_mode(), "blake2 hashes are not available under FIPS") ++ def test_blake2_hashes(self): ++ self.compare_hashes(hashlib.blake2b(b'abc'), _hashlib.openssl_blake2b(b'abc')) ++ self.compare_hashes(hashlib.blake2s(b'abc'), _hashlib.openssl_blake2s(b'abc')) ++ ++ def test_sha3_hashes(self): ++ self.compare_hashes(hashlib.sha3_224(b'abc'), _hashlib.openssl_sha3_224(b'abc')) ++ self.compare_hashes(hashlib.sha3_256(b'abc'), _hashlib.openssl_sha3_256(b'abc')) ++ self.compare_hashes(hashlib.sha3_384(b'abc'), _hashlib.openssl_sha3_384(b'abc')) ++ self.compare_hashes(hashlib.sha3_512(b'abc'), _hashlib.openssl_sha3_512(b'abc')) ++ ++ @unittest.skipIf(hashlib.get_fips_mode(), "shake hashes are not available under FIPS") ++ def test_shake_hashes(self): ++ self.compare_hashes(hashlib.shake_128(b'abc'), _hashlib.openssl_shake_128(b'abc')) ++ self.compare_hashes(hashlib.shake_256(b'abc'), _hashlib.openssl_shake_256(b'abc')) ++ ++ def test_sha(self): ++ self.compare_hashes(hashlib.sha1(b'abc'), _hashlib.openssl_sha1(b'abc')) ++ self.compare_hashes(hashlib.sha224(b'abc'), _hashlib.openssl_sha224(b'abc')) ++ self.compare_hashes(hashlib.sha256(b'abc'), _hashlib.openssl_sha256(b'abc')) ++ self.compare_hashes(hashlib.sha384(b'abc'), _hashlib.openssl_sha384(b'abc')) ++ self.compare_hashes(hashlib.sha512(b'abc'), _hashlib.openssl_sha512(b'abc')) ++ ++ def test_hmac_digests(self): ++ self.compare_hashes(_hmacopenssl.new(b'My hovercraft is full of eels', digestmod='sha384'), ++ hmac.new(b'My hovercraft is full of eels', digestmod='sha384')) ++ ++ ++ ++ ++if __name__ == "__main__": ++ unittest.main() +-- +2.38.1 + + +From c2b7ebc17d79f8c91572a790d425f9106d4dd70e Mon Sep 17 00:00:00 2001 +From: Marcel Plch +Date: Thu, 1 Aug 2019 16:39:37 +0200 +Subject: [PATCH 12/36] Initialize HMAC type. + +--- + Modules/_hmacopenssl.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/Modules/_hmacopenssl.c b/Modules/_hmacopenssl.c +index 221714c..239445a 100644 +--- a/Modules/_hmacopenssl.c ++++ b/Modules/_hmacopenssl.c +@@ -22,12 +22,12 @@ + #include "_hashopenssl.h" + + +-#include + + typedef struct hmacopenssl_state { + PyTypeObject *HmacType; + } hmacopenssl_state; + ++#include + + typedef struct { + PyObject_HEAD +@@ -39,7 +39,7 @@ typedef struct { + #include "clinic/_hmacopenssl.c.h" + /*[clinic input] + module _hmacopenssl +-class _hmacopenssl.HMAC "HmacObject *" "PyModule_GetState(module)->HmacType" ++class _hmacopenssl.HMAC "HmacObject *" "((hmacopenssl_state *)PyModule_GetState(module))->HmacType" + [clinic start generated code]*/ + /*[clinic end generated code: output=da39a3ee5e6b4b0d input=204b7f45847f57b4]*/ + +@@ -71,7 +71,7 @@ _hmacopenssl_new_impl(PyObject *module, Py_buffer *key, + return NULL; + } + +- /* name mut be lowercase */ ++ /* name must be lowercase */ + for (int i=0; digestmod[i]; i++) { + if ( + ((digestmod[i] < 'a') || (digestmod[i] > 'z')) +@@ -383,7 +383,8 @@ hmacopenssl_exec(PyObject *m) { + * on what hashes are supported rather than listing many + * and having some unsupported. Only init appropriate + * constants. */ +- PyObject *temp; ++ PyObject *temp = NULL; ++ hmacopenssl_state *state; + + temp = PyType_FromSpec(&HmacType_spec); + if (temp == NULL) { +@@ -394,6 +395,9 @@ hmacopenssl_exec(PyObject *m) { + goto fail; + } + ++ state = PyModule_GetState(m); ++ state->HmacType = (PyTypeObject *)temp; ++ + return 0; + + fail: +-- +2.38.1 + + +From 931784f1a431538486905ef1d3958dfefd5478e6 Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Thu, 1 Aug 2019 17:57:05 +0200 +Subject: [PATCH 13/36] Use a stronger hash in multiprocessing handshake + +Adapted from patch by David Malcolm, +https://bugs.python.org/issue17258 +--- + Lib/multiprocessing/connection.py | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py +index 8e2facf..bb4acb6 100644 +--- a/Lib/multiprocessing/connection.py ++++ b/Lib/multiprocessing/connection.py +@@ -42,6 +42,10 @@ BUFSIZE = 8192 + # A very generous timeout when it comes to local connections... + CONNECTION_TIMEOUT = 20. + ++# The hmac module implicitly defaults to using MD5. ++# Support using a stronger algorithm for the challenge/response code: ++HMAC_DIGEST_NAME='sha256' ++ + _mmap_counter = itertools.count() + + default_family = 'AF_INET' +@@ -736,7 +740,7 @@ def deliver_challenge(connection, authkey): + "Authkey must be bytes, not {0!s}".format(type(authkey))) + message = os.urandom(MESSAGE_LENGTH) + connection.send_bytes(CHALLENGE + message) +- digest = hmac.new(authkey, message, 'md5').digest() ++ digest = hmac.new(authkey, message, HMAC_DIGEST_NAME).digest() + response = connection.recv_bytes(256) # reject large message + if response == digest: + connection.send_bytes(WELCOME) +@@ -752,7 +756,7 @@ def answer_challenge(connection, authkey): + message = connection.recv_bytes(256) # reject large message + assert message[:len(CHALLENGE)] == CHALLENGE, 'message = %r' % message + message = message[len(CHALLENGE):] +- digest = hmac.new(authkey, message, 'md5').digest() ++ digest = hmac.new(authkey, message, HMAC_DIGEST_NAME).digest() + connection.send_bytes(digest) + response = connection.recv_bytes(256) # reject large message + if response != WELCOME: +-- +2.38.1 + + +From 8a68ba81a66181d9a4b6c7b1e77f944efada2aae Mon Sep 17 00:00:00 2001 +From: Marcel Plch +Date: Fri, 2 Aug 2019 17:36:01 +0200 +Subject: [PATCH 14/36] Fix refcounting + +--- + Modules/_hmacopenssl.c | 35 ++++++++++++++++++++++++++++++++++- + 1 file changed, 34 insertions(+), 1 deletion(-) + +diff --git a/Modules/_hmacopenssl.c b/Modules/_hmacopenssl.c +index 239445a..9c28828 100644 +--- a/Modules/_hmacopenssl.c ++++ b/Modules/_hmacopenssl.c +@@ -373,6 +373,34 @@ static struct PyMethodDef hmacopenssl_functions[] = { + {NULL, NULL} /* Sentinel */ + }; + ++static int ++hmacopenssl_traverse(PyObject *self, visitproc visit, void *arg) ++{ ++ hmacopenssl_state *state; ++ ++ state = PyModule_GetState(self); ++ ++ if (state) { ++ Py_VISIT(state->HmacType); ++ } ++ ++ return 0; ++} ++ ++static int ++hmacopenssl_clear(PyObject *self) ++{ ++ hmacopenssl_state *state; ++ ++ state = PyModule_GetState(self); ++ ++ if (state) { ++ Py_CLEAR(state->HmacType); ++ } ++ ++ return 0; ++} ++ + + + /* Initialize this module. */ +@@ -396,7 +424,10 @@ hmacopenssl_exec(PyObject *m) { + } + + state = PyModule_GetState(m); ++ + state->HmacType = (PyTypeObject *)temp; ++ Py_INCREF(temp); ++ + + return 0; + +@@ -415,7 +446,9 @@ static struct PyModuleDef _hmacopenssl_def = { + .m_name = "_hmacopenssl", + .m_methods = hmacopenssl_functions, + .m_slots = hmacopenssl_slots, +- .m_size = sizeof(hmacopenssl_state) ++ .m_size = sizeof(hmacopenssl_state), ++ .m_traverse = hmacopenssl_traverse, ++ .m_clear = hmacopenssl_clear + }; + + +-- +2.38.1 + + +From 5d835c236b392e8741fabe9b9d83d5482842dd87 Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Mon, 5 Aug 2019 13:37:05 +0200 +Subject: [PATCH 15/36] hmac: Don't default to md5 in FIPS mode + +--- + Lib/hmac.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Lib/hmac.py b/Lib/hmac.py +index daabc8c..0302364 100644 +--- a/Lib/hmac.py ++++ b/Lib/hmac.py +@@ -173,7 +173,7 @@ def new(key, msg=None, digestmod=''): + """ + if _hashlib.get_fips_mode(): + if digestmod is None: +- digestmod = 'md5' ++ raise ValueError("'digestmod' argument is mandatory in FIPS mode") + name = _get_openssl_name(digestmod) + result = _hmacopenssl.new(key, digestmod=name) + if msg: +-- +2.38.1 + + +From d865fb5a73ffaf39de68b69c9ccb81ca17b6c430 Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Mon, 5 Aug 2019 14:20:58 +0200 +Subject: [PATCH 16/36] Make _hmacopenssl.HMAC subclassable; subclass it as + hmac.HMAC under FIPS + +This removes the _hmacopenssl.new function. +--- + Lib/hmac.py | 26 +++++++----- + Lib/test/test_fips.py | 2 +- + Modules/_hmacopenssl.c | 75 ++++++++++++++++----------------- + Modules/clinic/_hmacopenssl.c.h | 39 +---------------- + 4 files changed, 55 insertions(+), 87 deletions(-) + +diff --git a/Lib/hmac.py b/Lib/hmac.py +index 0302364..e4222be 100644 +--- a/Lib/hmac.py ++++ b/Lib/hmac.py +@@ -143,6 +143,8 @@ class HMAC: + return h.hexdigest() + + def _get_openssl_name(digestmod): ++ if digestmod is None: ++ raise ValueError("'digestmod' argument is mandatory in FIPS mode") + if isinstance(digestmod, str): + return digestmod.lower() + elif callable(digestmod): +@@ -154,6 +156,19 @@ def _get_openssl_name(digestmod): + + return digestmod.name.lower().replace('_', '-') + ++class HMAC_openssl(_hmacopenssl.HMAC): ++ def __new__(cls, key, msg = None, digestmod = None): ++ name = _get_openssl_name(digestmod) ++ result = _hmacopenssl.HMAC.__new__(cls, key, digestmod=name) ++ if msg: ++ result.update(msg) ++ return result ++ ++ ++if _hashlib.get_fips_mode(): ++ HMAC = HMAC_openssl ++ ++ + def new(key, msg=None, digestmod=''): + """Create a new hashing object and return it. + +@@ -171,16 +186,7 @@ def new(key, msg=None, digestmod=''): + method, and can ask for the hash value at any time by calling its digest() + or hexdigest() methods. + """ +- if _hashlib.get_fips_mode(): +- if digestmod is None: +- raise ValueError("'digestmod' argument is mandatory in FIPS mode") +- name = _get_openssl_name(digestmod) +- result = _hmacopenssl.new(key, digestmod=name) +- if msg: +- result.update(msg) +- return result +- else: +- return HMAC(key, msg, digestmod) ++ return HMAC(key, msg, digestmod) + + + def digest(key, msg, digest): +diff --git a/Lib/test/test_fips.py b/Lib/test/test_fips.py +index bee911e..34812e6 100644 +--- a/Lib/test/test_fips.py ++++ b/Lib/test/test_fips.py +@@ -54,7 +54,7 @@ class HashlibFipsTests(unittest.TestCase): + self.compare_hashes(hashlib.sha512(b'abc'), _hashlib.openssl_sha512(b'abc')) + + def test_hmac_digests(self): +- self.compare_hashes(_hmacopenssl.new(b'My hovercraft is full of eels', digestmod='sha384'), ++ self.compare_hashes(_hmacopenssl.HMAC(b'My hovercraft is full of eels', digestmod='sha384'), + hmac.new(b'My hovercraft is full of eels', digestmod='sha384')) + + +diff --git a/Modules/_hmacopenssl.c b/Modules/_hmacopenssl.c +index 9c28828..7d3d973 100644 +--- a/Modules/_hmacopenssl.c ++++ b/Modules/_hmacopenssl.c +@@ -41,33 +41,25 @@ typedef struct { + module _hmacopenssl + class _hmacopenssl.HMAC "HmacObject *" "((hmacopenssl_state *)PyModule_GetState(module))->HmacType" + [clinic start generated code]*/ +-/*[clinic end generated code: output=da39a3ee5e6b4b0d input=204b7f45847f57b4]*/ ++/*[clinic end generated code: output=da39a3ee5e6b4b0d input=9fe07a087adc2cf9]*/ + + +-/*[clinic input] +-_hmacopenssl.new +- +- key: Py_buffer +- * +- digestmod: str +- +-Return a new hmac object. +-[clinic start generated code]*/ +- + static PyObject * +-_hmacopenssl_new_impl(PyObject *module, Py_buffer *key, +- const char *digestmod) +-/*[clinic end generated code: output=46f1cb4e02921922 input=be8c0c2e4fad508c]*/ ++Hmac_new(PyTypeObject *subtype, PyObject *args, PyObject *kwds) + { +- hmacopenssl_state *state; +- +- if (digestmod == NULL) { +- PyErr_SetString(PyExc_ValueError, "digestmod must be specified"); ++ static char *kwarg_names[] = {"key", "digestmod", NULL}; ++ Py_buffer key = {NULL, NULL}; ++ char *digestmod = NULL; ++ ++ int ret = PyArg_ParseTupleAndKeywords( ++ args, kwds, "y*|$s:_hmacopenssl.HMAC", kwarg_names, ++ &key, &digestmod); ++ if (ret == 0) { + return NULL; + } + +- state = PyModule_GetState(module); +- if (state == NULL) { ++ if (digestmod == NULL) { ++ PyErr_SetString(PyExc_ValueError, "digestmod must be specified"); + return NULL; + } + +@@ -106,8 +98,8 @@ _hmacopenssl_new_impl(PyObject *module, Py_buffer *key, + + int r = HMAC_Init_ex( + ctx, +- (const char*)key->buf, +- key->len, ++ (const char*)key.buf, ++ key.len, + digest, + NULL /*impl*/); + if (r == 0) { +@@ -115,7 +107,10 @@ _hmacopenssl_new_impl(PyObject *module, Py_buffer *key, + goto error; + } + +- retval = (HmacObject *)PyObject_New(HmacObject, state->HmacType); ++ PyBuffer_Release(&key); ++ key.buf = NULL; ++ ++ retval = (HmacObject *)subtype->tp_alloc(subtype, 0); + if (retval == NULL) { + goto error; + } +@@ -130,6 +125,7 @@ error: + if (ctx) HMAC_CTX_free(ctx); + if (name) Py_DECREF(name); + if (retval) PyObject_Del(name); ++ if (key.buf) PyBuffer_Release(&key); + return NULL; + } + +@@ -145,19 +141,27 @@ _hmacopenssl_HMAC_copy_impl(HmacObject *self) + { + HmacObject *retval; + +- retval = (HmacObject *)PyObject_New(HmacObject, (PyTypeObject *)PyObject_Type((PyObject *)self)); ++ HMAC_CTX *ctx = HMAC_CTX_new(); ++ if (ctx == NULL) { ++ return _setException(PyExc_ValueError); ++ } ++ ++ int r = HMAC_CTX_copy(ctx, self->ctx); ++ if (r == 0) { ++ HMAC_CTX_free(ctx); ++ return _setException(PyExc_ValueError); ++ } ++ ++ retval = (HmacObject *)Py_TYPE(self)->tp_alloc(Py_TYPE(self), 0); + if (retval == NULL) { ++ HMAC_CTX_free(ctx); + return NULL; + } +- ++ retval->ctx = ctx; + Py_INCREF(self->name); + retval->name = self->name; + +- int r = HMAC_CTX_copy(retval->ctx, self->ctx); +- if (r == 0) { +- PyObject_Del(retval); +- return _setException(PyExc_ValueError); +- } ++ retval->lock = NULL; + + return (PyObject *)retval; + } +@@ -169,8 +173,8 @@ _hmac_dealloc(HmacObject *self) + PyThread_free_lock(self->lock); + } + HMAC_CTX_free(self->ctx); +- Py_XDECREF(self->name); +- PyObject_Del(self); ++ Py_CLEAR(self->name); ++ Py_TYPE(self)->tp_free(self); + } + + static PyObject * +@@ -357,6 +361,7 @@ static PyType_Slot HmacType_slots[] = { + {Py_tp_methods, Hmac_methods}, + {Py_tp_getset, Hmac_getset}, + {Py_tp_members, Hmac_members}, ++ {Py_tp_new, Hmac_new}, + {0, NULL} + }; + +@@ -368,11 +373,6 @@ PyType_Spec HmacType_spec = { + }; + + +-static struct PyMethodDef hmacopenssl_functions[] = { +- _HMACOPENSSL_NEW_METHODDEF +- {NULL, NULL} /* Sentinel */ +-}; +- + static int + hmacopenssl_traverse(PyObject *self, visitproc visit, void *arg) + { +@@ -444,7 +444,6 @@ static PyModuleDef_Slot hmacopenssl_slots[] = { + static struct PyModuleDef _hmacopenssl_def = { + PyModuleDef_HEAD_INIT, /* m_base */ + .m_name = "_hmacopenssl", +- .m_methods = hmacopenssl_functions, + .m_slots = hmacopenssl_slots, + .m_size = sizeof(hmacopenssl_state), + .m_traverse = hmacopenssl_traverse, +diff --git a/Modules/clinic/_hmacopenssl.c.h b/Modules/clinic/_hmacopenssl.c.h +index b472a6e..861acc1 100644 +--- a/Modules/clinic/_hmacopenssl.c.h ++++ b/Modules/clinic/_hmacopenssl.c.h +@@ -2,43 +2,6 @@ + preserve + [clinic start generated code]*/ + +-PyDoc_STRVAR(_hmacopenssl_new__doc__, +-"new($module, /, key, *, digestmod)\n" +-"--\n" +-"\n" +-"Return a new hmac object."); +- +-#define _HMACOPENSSL_NEW_METHODDEF \ +- {"new", (PyCFunction)_hmacopenssl_new, METH_FASTCALL, _hmacopenssl_new__doc__}, +- +-static PyObject * +-_hmacopenssl_new_impl(PyObject *module, Py_buffer *key, +- const char *digestmod); +- +-static PyObject * +-_hmacopenssl_new(PyObject *module, PyObject **args, Py_ssize_t nargs, PyObject *kwnames) +-{ +- PyObject *return_value = NULL; +- static const char * const _keywords[] = {"key", "digestmod", NULL}; +- static _PyArg_Parser _parser = {"y*$s:new", _keywords, 0}; +- Py_buffer key = {NULL, NULL}; +- const char *digestmod; +- +- if (!_PyArg_ParseStack(args, nargs, kwnames, &_parser, +- &key, &digestmod)) { +- goto exit; +- } +- return_value = _hmacopenssl_new_impl(module, &key, digestmod); +- +-exit: +- /* Cleanup for key */ +- if (key.obj) { +- PyBuffer_Release(&key); +- } +- +- return return_value; +-} +- + PyDoc_STRVAR(_hmacopenssl_HMAC_copy__doc__, + "copy($self, /)\n" + "--\n" +@@ -130,4 +93,4 @@ _hmacopenssl_HMAC_hexdigest(HmacObject *self, PyObject *Py_UNUSED(ignored)) + { + return _hmacopenssl_HMAC_hexdigest_impl(self); + } +-/*[clinic end generated code: output=10b6e8cac6d7a2c9 input=a9049054013a1b77]*/ ++/*[clinic end generated code: output=d93ad460795d49b5 input=a9049054013a1b77]*/ +-- +2.38.1 + + +From 0a75e9886721aa076542a40159b02fbd18bd8cd3 Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Mon, 5 Aug 2019 16:10:36 +0200 +Subject: [PATCH 17/36] Fix _hmacopenssl.HMAC.block_size + +--- + Modules/_hmacopenssl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Modules/_hmacopenssl.c b/Modules/_hmacopenssl.c +index 7d3d973..a24c8ba 100644 +--- a/Modules/_hmacopenssl.c ++++ b/Modules/_hmacopenssl.c +@@ -318,7 +318,7 @@ _hmacopenssl_get_block_size(HmacObject *self, void *closure) + if (md == NULL) { + return _setException(PyExc_ValueError); + } +- return PyLong_FromLong(EVP_MD_size(md)); ++ return PyLong_FromLong(EVP_MD_block_size(md)); + } + + static PyMethodDef Hmac_methods[] = { +-- +2.38.1 + + +From 68b4ee700ed23422472c9b96cf0631cb5a5dab6e Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Mon, 5 Aug 2019 15:02:08 +0200 +Subject: [PATCH 18/36] distutils upload: Skip md5 checksum in FIPS mode + +--- + Lib/distutils/command/upload.py | 12 +++++++++++- + Lib/distutils/tests/test_upload.py | 13 +++++++++++-- + 2 files changed, 22 insertions(+), 3 deletions(-) + +diff --git a/Lib/distutils/command/upload.py b/Lib/distutils/command/upload.py +index 11afa24..79a6315 100644 +--- a/Lib/distutils/command/upload.py ++++ b/Lib/distutils/command/upload.py +@@ -102,7 +102,6 @@ class upload(PyPIRCCommand): + 'content': (os.path.basename(filename),content), + 'filetype': command, + 'pyversion': pyversion, +- 'md5_digest': hashlib.md5(content).hexdigest(), + + # additional meta-data + 'metadata_version': '1.0', +@@ -122,6 +121,17 @@ class upload(PyPIRCCommand): + 'obsoletes': meta.get_obsoletes(), + } + ++ try: ++ digest = hashlib.md5(content).hexdigest() ++ except ValueError as e: ++ msg = 'calculating md5 checksum failed: %s' % e ++ self.announce(msg, log.ERROR) ++ if not hashlib.get_fips_mode(): ++ # this really shouldn't fail ++ raise ++ else: ++ data['md5_digest'] = digest ++ + data['comment'] = '' + + if self.sign: +diff --git a/Lib/distutils/tests/test_upload.py b/Lib/distutils/tests/test_upload.py +index c17d8e7..b4b64e9 100644 +--- a/Lib/distutils/tests/test_upload.py ++++ b/Lib/distutils/tests/test_upload.py +@@ -3,6 +3,7 @@ import os + import unittest + import unittest.mock as mock + from urllib.request import HTTPError ++import hashlib + + from test.support import run_unittest + +@@ -130,7 +131,11 @@ class uploadTestCase(BasePyPIRCCommandTestCase): + + # what did we send ? + headers = dict(self.last_open.req.headers) +- self.assertEqual(headers['Content-length'], '2162') ++ if hashlib.get_fips_mode(): ++ # md5 hash is omitted ++ self.assertEqual(headers['Content-length'], '2020') ++ else: ++ self.assertEqual(headers['Content-length'], '2162') + content_type = headers['Content-type'] + self.assertTrue(content_type.startswith('multipart/form-data')) + self.assertEqual(self.last_open.req.get_method(), 'POST') +@@ -166,7 +171,11 @@ class uploadTestCase(BasePyPIRCCommandTestCase): + cmd.run() + + headers = dict(self.last_open.req.headers) +- self.assertEqual(headers['Content-length'], '2172') ++ if hashlib.get_fips_mode(): ++ # md5 hash is omitted ++ self.assertEqual(headers['Content-length'], '2030') ++ else: ++ self.assertEqual(headers['Content-length'], '2172') + self.assertIn(b'long description\r', self.last_open.req.data) + + def test_upload_fails(self): +-- +2.38.1 + + +From 62c8250c2996af8e4d112676c0995616583fafa7 Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Mon, 5 Aug 2019 15:32:25 +0200 +Subject: [PATCH 19/36] Fix HMAC tests on FIPS mode + +--- + Lib/hmac.py | 3 +++ + Lib/test/test_hmac.py | 26 ++++++++++++++++++++++++++ + 2 files changed, 29 insertions(+) + +diff --git a/Lib/hmac.py b/Lib/hmac.py +index e4222be..394c810 100644 +--- a/Lib/hmac.py ++++ b/Lib/hmac.py +@@ -158,6 +158,9 @@ def _get_openssl_name(digestmod): + + class HMAC_openssl(_hmacopenssl.HMAC): + def __new__(cls, key, msg = None, digestmod = None): ++ if not isinstance(key, (bytes, bytearray)): ++ raise TypeError("key: expected bytes or bytearray, but got %r" % type(key).__name__) ++ + name = _get_openssl_name(digestmod) + result = _hmacopenssl.HMAC.__new__(cls, key, digestmod=name) + if msg: +diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py +index 23c108f..0a85981 100644 +--- a/Lib/test/test_hmac.py ++++ b/Lib/test/test_hmac.py +@@ -288,6 +288,7 @@ class TestVectorsTestCase(unittest.TestCase): + def test_sha512_rfc4231(self): + self._rfc4231_test_cases(hashlib.sha512, 'sha512', 64, 128) + ++ @unittest.skipIf(hashlib.get_fips_mode(), 'MockCrazyHash unacceptable in FIPS mode.') + @requires_hashdigest('sha256') + def test_legacy_block_size_warnings(self): + class MockCrazyHash(object): +@@ -337,6 +338,14 @@ class ConstructorTestCase(unittest.TestCase): + except Exception: + self.fail("Standard constructor call raised exception.") + ++ def test_normal_digestmod(self): ++ # Standard constructor call. ++ failed = 0 ++ try: ++ h = hmac.HMAC(b"key", digestmod='sha1') ++ except Exception: ++ self.fail("Standard constructor call raised exception.") ++ + @requires_hashdigest('sha256') + def test_with_str_key(self): + # Pass a key of type str, which is an error, because it expects a key +@@ -404,6 +413,7 @@ class SanityTestCase(unittest.TestCase): + + class CopyTestCase(unittest.TestCase): + ++ @unittest.skipIf(hashlib.get_fips_mode(), "Internal attributes unavailable in FIPS mode") + @requires_hashdigest('sha256') + def test_attributes(self): + # Testing if attributes are of same type. +@@ -416,6 +426,7 @@ class CopyTestCase(unittest.TestCase): + self.assertEqual(type(h1.outer), type(h2.outer), + "Types of outer don't match.") + ++ @unittest.skipIf(hashlib.get_fips_mode(), "Internal attributes unavailable in FIPS mode") + @requires_hashdigest('sha256') + def test_realcopy(self): + # Testing if the copy method created a real copy. +@@ -428,6 +439,21 @@ class CopyTestCase(unittest.TestCase): + self.assertTrue(id(h1.outer) != id(h2.outer), + "No real copy of the attribute 'outer'.") + ++ def test_realcopy(self): ++ # Testing if the copy method created a real copy. ++ h1 = hmac.HMAC(b"key", digestmod="sha1") ++ h2 = h1.copy() ++ # Using id() in case somebody has overridden __eq__/__ne__. ++ self.assertTrue(id(h1) != id(h2), "No real copy of the HMAC instance.") ++ old_digest = h1.digest() ++ assert h1.digest() == h2.digest() ++ h1.update(b'hi') ++ assert h1.digest() != h2.digest() ++ assert h2.digest() == old_digest ++ new_digest = h1.digest() ++ h2.update(b'hi') ++ assert h1.digest() == h2.digest() == new_digest ++ + @requires_hashdigest('sha256') + def test_equality(self): + # Testing if the copy has the same digests. +-- +2.38.1 + + +From a7f5d3a4712694e6b74295ba6980c554b56d7227 Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Mon, 5 Aug 2019 16:37:12 +0200 +Subject: [PATCH 20/36] test_tools: Skip md5sum tests in FIPS mode + +--- + Lib/test/test_tools/test_md5sum.py | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/Lib/test/test_tools/test_md5sum.py b/Lib/test/test_tools/test_md5sum.py +index fb565b7..7028a4d 100644 +--- a/Lib/test/test_tools/test_md5sum.py ++++ b/Lib/test/test_tools/test_md5sum.py +@@ -4,11 +4,15 @@ import os + import unittest + from test import support + from test.support.script_helper import assert_python_ok, assert_python_failure ++import hashlib + + from test.test_tools import scriptsdir, skip_if_missing + + skip_if_missing() + ++if hashlib.get_fips_mode(): ++ raise unittest.SkipTest("md5sum won't work at all in FIPS mode") ++ + class MD5SumTests(unittest.TestCase): + @classmethod + def setUpClass(cls): +-- +2.38.1 + + +From 9e6cfe34f7377761f758d57a1b68a62fd4d0f2d1 Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Mon, 5 Aug 2019 18:23:57 +0200 +Subject: [PATCH 21/36] Make hashlib tests pass in FIPS mode + +--- + Lib/test/test_hashlib.py | 67 ++++++++++++++++++++++++++++------------ + 1 file changed, 48 insertions(+), 19 deletions(-) + +diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py +index 972eda1..19a9868 100644 +--- a/Lib/test/test_hashlib.py ++++ b/Lib/test/test_hashlib.py +@@ -28,6 +28,11 @@ COMPILED_WITH_PYDEBUG = hasattr(sys, 'gettotalrefcount') + c_hashlib = import_fresh_module('hashlib', fresh=['_hashlib']) + py_hashlib = import_fresh_module('hashlib', blocked=['_hashlib']) + ++if hashlib.get_fips_mode(): ++ FIPS_DISABLED = {'md5', 'MD5', 'blake2b', 'blake2s'} ++else: ++ FIPS_DISABLED = set() ++ + try: + from _hashlib import HASH + except ImportError: +@@ -88,6 +93,11 @@ class HashLibTestCase(unittest.TestCase): + # Issue #14693: fallback modules are always compiled under POSIX + _warn_on_extension_import = os.name == 'posix' or COMPILED_WITH_PYDEBUG + ++ if hashlib.get_fips_mode(): ++ shakes = set() ++ supported_hash_names = tuple( ++ n for n in supported_hash_names if n not in FIPS_DISABLED) ++ + def _conditional_import_module(self, module_name): + """Import a module and return a reference to it or None on failure.""" + try: +@@ -95,8 +105,20 @@ class HashLibTestCase(unittest.TestCase): + except ModuleNotFoundError as error: + if self._warn_on_extension_import: + warnings.warn('Did a C extension fail to compile? %s' % error) ++ except ImportError as error: ++ if not hashlib.get_fips_mode(): ++ raise + return None + ++ def _has_shake_extras(self, hasher): ++ """Return true if the hasher should have "shake" API (digest length)""" ++ if hasher.name not in self.shakes: ++ return False ++ _hashlib = self._conditional_import_module('_hashlib') ++ if _hashlib and isinstance(hasher, _hashlib.HASH): ++ return False ++ return True ++ + def __init__(self, *args, **kwargs): + algorithms = set() + for algorithm in self.supported_hash_names: +@@ -190,15 +212,13 @@ class HashLibTestCase(unittest.TestCase): + a = array.array("b", range(10)) + for cons in self.hash_constructors: + c = cons(a) +- if (c.name in self.shakes +- and not cons.__name__.startswith('openssl_') +- ): ++ if self._has_shake_extras(c): + c.hexdigest(16) + else: + c.hexdigest() + + def test_algorithms_guaranteed(self): +- self.assertEqual(hashlib.algorithms_guaranteed, ++ self.assertEqual(hashlib.algorithms_guaranteed - FIPS_DISABLED, + set(_algo for _algo in self.supported_hash_names + if _algo.islower())) + +@@ -213,6 +233,12 @@ class HashLibTestCase(unittest.TestCase): + def test_new_upper_to_lower(self): + self.assertEqual(hashlib.new("SHA256").name, "sha256") + ++ @unittest.skipUnless(hashlib.get_fips_mode(), "Builtin constructor only unavailable in FIPS mode") ++ def test_get_builtin_constructor_fips(self): ++ with self.assertRaises(AttributeError): ++ hashlib.__get_builtin_constructor ++ ++ @unittest.skipIf(hashlib.get_fips_mode(), "No builtin constructors in FIPS mode") + def test_get_builtin_constructor(self): + get_builtin_constructor = getattr(hashlib, + '__get_builtin_constructor') +@@ -242,9 +268,7 @@ class HashLibTestCase(unittest.TestCase): + def test_hexdigest(self): + for cons in self.hash_constructors: + h = cons() +- if (h.name in self.shakes +- and not cons.__name__.startswith('openssl_') +- ): ++ if self._has_shake_extras(h): + self.assertIsInstance(h.digest(16), bytes) + self.assertEqual(hexstr(h.digest(16)), h.hexdigest(16)) + else: +@@ -256,9 +280,7 @@ class HashLibTestCase(unittest.TestCase): + large_sizes = (2**29, 2**32-10, 2**32+10, 2**61, 2**64-10, 2**64+10) + for cons in self.hash_constructors: + h = cons() +- if h.name not in self.shakes: +- continue +- if cons.__name__.startswith('openssl_'): ++ if not self._has_shake_extras(h): + continue + for digest in h.digest, h.hexdigest: + self.assertRaises(ValueError, digest, -10) +@@ -288,9 +310,7 @@ class HashLibTestCase(unittest.TestCase): + m1.update(bees) + m1.update(cees) + m1.update(dees) +- if (m1.name in self.shakes +- and not cons.__name__.startswith('openssl_') +- ): ++ if self._has_shake_extras(m1): + args = (16,) + else: + args = () +@@ -359,7 +379,8 @@ class HashLibTestCase(unittest.TestCase): + self.assertRaises(TypeError, hash_object_constructor, 'spam') + + def test_no_unicode(self): +- self.check_no_unicode('md5') ++ if not hashlib.get_fips_mode(): ++ self.check_no_unicode('md5') + self.check_no_unicode('sha1') + self.check_no_unicode('sha224') + self.check_no_unicode('sha256') +@@ -402,7 +423,8 @@ class HashLibTestCase(unittest.TestCase): + self.assertIn(name.split("_")[0], repr(m)) + + def test_blocksize_name(self): +- self.check_blocksize_name('md5', 64, 16) ++ if not hashlib.get_fips_mode(): ++ self.check_blocksize_name('md5', 64, 16) + self.check_blocksize_name('sha1', 64, 20) + self.check_blocksize_name('sha224', 64, 28) + self.check_blocksize_name('sha256', 64, 32) +@@ -445,22 +467,27 @@ class HashLibTestCase(unittest.TestCase): + self.check_blocksize_name('blake2b', 128, 64) + self.check_blocksize_name('blake2s', 64, 32) + ++ @unittest.skipIf(hashlib.get_fips_mode(), "md5 unacceptable in FIPS mode") + def test_case_md5_0(self): + self.check('md5', b'', 'd41d8cd98f00b204e9800998ecf8427e') + ++ @unittest.skipIf(hashlib.get_fips_mode(), "md5 unacceptable in FIPS mode") + def test_case_md5_1(self): + self.check('md5', b'abc', '900150983cd24fb0d6963f7d28e17f72') + ++ @unittest.skipIf(hashlib.get_fips_mode(), "md5 unacceptable in FIPS mode") + def test_case_md5_2(self): + self.check('md5', + b'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789', + 'd174ab98d277d9f5a5611c2c9f419d9f') + ++ @unittest.skipIf(hashlib.get_fips_mode(), "md5 unacceptable in FIPS mode") + @unittest.skipIf(sys.maxsize < _4G + 5, 'test cannot run on 32-bit systems') + @bigmemtest(size=_4G + 5, memuse=1, dry_run=False) + def test_case_md5_huge(self, size): + self.check('md5', b'A'*size, 'c9af2dff37468ce5dfee8f2cfc0a9c6d') + ++ @unittest.skipIf(hashlib.get_fips_mode(), "md5 unacceptable in FIPS mode") + @unittest.skipIf(sys.maxsize < _4G - 1, 'test cannot run on 32-bit systems') + @bigmemtest(size=_4G - 1, memuse=1, dry_run=False) + def test_case_md5_uintmax(self, size): +@@ -851,14 +878,16 @@ class HashLibTestCase(unittest.TestCase): + m = cons(b'x' * gil_minsize) + m.update(b'1') + +- m = hashlib.md5() ++ m = hashlib.sha1() + m.update(b'1') + m.update(b'#' * gil_minsize) + m.update(b'1') +- self.assertEqual(m.hexdigest(), 'cb1e1a2cbc80be75e19935d621fb9b21') ++ self.assertEqual(m.hexdigest(), ++ 'c45f7445ca0ea087d7a1758fbea07935f267c46a') + +- m = hashlib.md5(b'x' * gil_minsize) +- self.assertEqual(m.hexdigest(), 'cfb767f225d58469c5de3632a8803958') ++ m = hashlib.sha1(b'x' * gil_minsize) ++ self.assertEqual(m.hexdigest(), ++ '63fda1efde982ba1ffe9d53035bff5c9ce4758fb') + + @support.reap_threads + def test_threaded_hashing(self): +-- +2.38.1 + + +From 22b6dcc045d87d130852bc4f017cfb6305b329dd Mon Sep 17 00:00:00 2001 +From: Lumir Balhar +Date: Wed, 14 Aug 2019 14:43:07 +0200 +Subject: [PATCH 22/36] distutils upload: only add md5 if available, but + *always* use sha256 + +--- + Lib/distutils/command/upload.py | 3 ++- + Lib/distutils/tests/test_upload.py | 14 ++++++++------ + 2 files changed, 10 insertions(+), 7 deletions(-) + +diff --git a/Lib/distutils/command/upload.py b/Lib/distutils/command/upload.py +index 79a6315..553617a 100644 +--- a/Lib/distutils/command/upload.py ++++ b/Lib/distutils/command/upload.py +@@ -102,6 +102,7 @@ class upload(PyPIRCCommand): + 'content': (os.path.basename(filename),content), + 'filetype': command, + 'pyversion': pyversion, ++ 'sha256_digest': hashlib.sha256(content).hexdigest(), + + # additional meta-data + 'metadata_version': '1.0', +@@ -125,7 +126,7 @@ class upload(PyPIRCCommand): + digest = hashlib.md5(content).hexdigest() + except ValueError as e: + msg = 'calculating md5 checksum failed: %s' % e +- self.announce(msg, log.ERROR) ++ self.announce(msg, log.INFO) + if not hashlib.get_fips_mode(): + # this really shouldn't fail + raise +diff --git a/Lib/distutils/tests/test_upload.py b/Lib/distutils/tests/test_upload.py +index b4b64e9..f720a79 100644 +--- a/Lib/distutils/tests/test_upload.py ++++ b/Lib/distutils/tests/test_upload.py +@@ -132,10 +132,11 @@ class uploadTestCase(BasePyPIRCCommandTestCase): + # what did we send ? + headers = dict(self.last_open.req.headers) + if hashlib.get_fips_mode(): +- # md5 hash is omitted +- self.assertEqual(headers['Content-length'], '2020') ++ # only sha256 hash is used ++ self.assertEqual(headers['Content-length'], '2197') + else: +- self.assertEqual(headers['Content-length'], '2162') ++ # both sha256 and md5 hashes are used ++ self.assertEqual(headers['Content-length'], '2339') + content_type = headers['Content-type'] + self.assertTrue(content_type.startswith('multipart/form-data')) + self.assertEqual(self.last_open.req.get_method(), 'POST') +@@ -172,10 +173,11 @@ class uploadTestCase(BasePyPIRCCommandTestCase): + + headers = dict(self.last_open.req.headers) + if hashlib.get_fips_mode(): +- # md5 hash is omitted +- self.assertEqual(headers['Content-length'], '2030') ++ # only sha256 hash is used ++ self.assertEqual(headers['Content-length'], '2207') + else: +- self.assertEqual(headers['Content-length'], '2172') ++ # both sha256 and md5 hashes are used ++ self.assertEqual(headers['Content-length'], '2349') + self.assertIn(b'long description\r', self.last_open.req.data) + + def test_upload_fails(self): +-- +2.38.1 + + +From b02daa9dbf4fcd2d1e067d63873d276bd7bf132f Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Fri, 13 Sep 2019 02:30:00 +0200 +Subject: [PATCH 23/36] bpo-9216: Add usedforsecurity to hashlib constructors + (GH-16044) + +The usedforsecurity keyword only argument added to the hash constructors is useful for FIPS builds and similar restrictive environment with non-technical requirements that legacy algorithms be forbidden by their implementations without being explicitly annotated as not being used for any security related purposes. Linux distros with FIPS support benefit from this being standard rather than making up their own way(s) to do it. + +Contributed and Signed-off-by: Christian Heimes christian@python.org +--- + Doc/library/hashlib.rst | 17 +- + Lib/test/test_hashlib.py | 9 + + Lib/uuid.py | 7 +- + .../2019-09-12-14-54-45.bpo-9216.W7QMpC.rst | 2 + + Modules/_blake2/blake2b_impl.c | 5 +- + Modules/_blake2/blake2s_impl.c | 5 +- + Modules/_blake2/clinic/blake2b_impl.c.h | 27 +- + Modules/_blake2/clinic/blake2s_impl.c.h | 27 +- + Modules/_hashopenssl.c | 151 ++++--- + Modules/_sha3/clinic/sha3module.c.h | 48 ++- + Modules/_sha3/sha3module.c | 41 +- + Modules/clinic/_hashopenssl.c.h | 407 ++++++++++++++---- + Modules/clinic/md5module.c.h | 28 +- + Modules/clinic/sha1module.c.h | 28 +- + Modules/clinic/sha256module.c.h | 54 ++- + Modules/clinic/sha512module.c.h | 54 ++- + Modules/md5module.c | 6 +- + Modules/sha1module.c | 6 +- + Modules/sha256module.c | 12 +- + Modules/sha512module.c | 12 +- + 20 files changed, 709 insertions(+), 237 deletions(-) + create mode 100644 Misc/NEWS.d/next/Library/2019-09-12-14-54-45.bpo-9216.W7QMpC.rst + +diff --git a/Doc/library/hashlib.rst b/Doc/library/hashlib.rst +index f5da6ec..86b9f65 100644 +--- a/Doc/library/hashlib.rst ++++ b/Doc/library/hashlib.rst +@@ -67,7 +67,7 @@ Constructors for hash algorithms that are always present in this module are + :func:`sha1`, :func:`sha224`, :func:`sha256`, :func:`sha384`, + :func:`sha512`, :func:`blake2b`, and :func:`blake2s`. + :func:`md5` is normally available as well, though it +-may be missing if you are using a rare "FIPS compliant" build of Python. ++may be missing or blocked if you are using a rare "FIPS compliant" build of Python. + Additional algorithms may also be available depending upon the OpenSSL + library that Python uses on your platform. On most platforms the + :func:`sha3_224`, :func:`sha3_256`, :func:`sha3_384`, :func:`sha3_512`, +@@ -80,6 +80,13 @@ library that Python uses on your platform. On most platforms the + .. versionadded:: 3.6 + :func:`blake2b` and :func:`blake2s` were added. + ++.. versionchanged:: 3.9 ++ All hashlib constructors take a keyword-only argument *usedforsecurity* ++ with default value *True*. A false value allows the use of insecure and ++ blocked hashing algorithms in restricted environments. *False* indicates ++ that the hashing algorithm is not used in a security context, e.g. as a ++ non-cryptographic one-way compression function. ++ + For example, to obtain the digest of the byte string ``b'Nobody inspects the + spammish repetition'``:: + +@@ -99,7 +106,7 @@ More condensed: + >>> hashlib.sha224(b"Nobody inspects the spammish repetition").hexdigest() + 'a4337bc45a8fc544c03f52dc550cd6e1e87021bc896588bd79e901e2' + +-.. function:: new(name[, data]) ++.. function:: new(name[, data], *, usedforsecurity=True) + + Is a generic constructor that takes the string *name* of the desired + algorithm as its first parameter. It also exists to allow access to the +@@ -308,11 +315,13 @@ New hash objects are created by calling constructor functions: + + .. function:: blake2b(data=b'', *, digest_size=64, key=b'', salt=b'', \ + person=b'', fanout=1, depth=1, leaf_size=0, node_offset=0, \ +- node_depth=0, inner_size=0, last_node=False) ++ node_depth=0, inner_size=0, last_node=False, \ ++ usedforsecurity=True) + + .. function:: blake2s(data=b'', *, digest_size=32, key=b'', salt=b'', \ + person=b'', fanout=1, depth=1, leaf_size=0, node_offset=0, \ +- node_depth=0, inner_size=0, last_node=False) ++ node_depth=0, inner_size=0, last_node=False, \ ++ usedforsecurity=True) + + + These functions return the corresponding hash objects for calculating +diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py +index 19a9868..3ee9b14 100644 +--- a/Lib/test/test_hashlib.py ++++ b/Lib/test/test_hashlib.py +@@ -226,6 +226,15 @@ class HashLibTestCase(unittest.TestCase): + self.assertTrue(set(hashlib.algorithms_guaranteed). + issubset(hashlib.algorithms_available)) + ++ def test_usedforsecurity(self): ++ for cons in self.hash_constructors: ++ cons(usedforsecurity=True) ++ cons(usedforsecurity=False) ++ cons(b'', usedforsecurity=True) ++ cons(b'', usedforsecurity=False) ++ hashlib.new("sha256", usedforsecurity=True) ++ hashlib.new("sha256", usedforsecurity=False) ++ + def test_unknown_hash(self): + self.assertRaises(ValueError, hashlib.new, 'spam spam spam spam spam') + self.assertRaises(TypeError, hashlib.new, 1) +diff --git a/Lib/uuid.py b/Lib/uuid.py +index 9540c21..be724ba 100644 +--- a/Lib/uuid.py ++++ b/Lib/uuid.py +@@ -774,8 +774,11 @@ def uuid1(node=None, clock_seq=None): + def uuid3(namespace, name): + """Generate a UUID from the MD5 hash of a namespace UUID and a name.""" + from hashlib import md5 +- hash = md5(namespace.bytes + bytes(name, "utf-8")).digest() +- return UUID(bytes=hash[:16], version=3) ++ digest = md5( ++ namespace.bytes + bytes(name, "utf-8"), ++ usedforsecurity=False ++ ).digest() ++ return UUID(bytes=digest[:16], version=3) + + def uuid4(): + """Generate a random UUID.""" +diff --git a/Misc/NEWS.d/next/Library/2019-09-12-14-54-45.bpo-9216.W7QMpC.rst b/Misc/NEWS.d/next/Library/2019-09-12-14-54-45.bpo-9216.W7QMpC.rst +new file mode 100644 +index 0000000..a97ca4b +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2019-09-12-14-54-45.bpo-9216.W7QMpC.rst +@@ -0,0 +1,2 @@ ++hashlib constructors now support usedforsecurity flag to signal that a ++hashing algorithm is not used in a security context. +diff --git a/Modules/_blake2/blake2b_impl.c b/Modules/_blake2/blake2b_impl.c +index 97ce89d..16df232 100644 +--- a/Modules/_blake2/blake2b_impl.c ++++ b/Modules/_blake2/blake2b_impl.c +@@ -82,6 +82,7 @@ _blake2.blake2b.__new__ as py_blake2b_new + node_depth: int = 0 + inner_size: int = 0 + last_node: bool = False ++ usedforsecurity: bool = True + + Return a new BLAKE2b hash object. + [clinic start generated code]*/ +@@ -91,8 +92,8 @@ py_blake2b_new_impl(PyTypeObject *type, PyObject *data, int digest_size, + Py_buffer *key, Py_buffer *salt, Py_buffer *person, + int fanout, int depth, unsigned long leaf_size, + unsigned long long node_offset, int node_depth, +- int inner_size, int last_node) +-/*[clinic end generated code: output=65e732c66c2297a0 input=82be35a4e6a9daa2]*/ ++ int inner_size, int last_node, int usedforsecurity) ++/*[clinic end generated code: output=32bfd8f043c6896f input=b947312abff46977]*/ + { + BLAKE2bObject *self = NULL; + Py_buffer buf; +diff --git a/Modules/_blake2/blake2s_impl.c b/Modules/_blake2/blake2s_impl.c +index c4447b4..66a7ee5 100644 +--- a/Modules/_blake2/blake2s_impl.c ++++ b/Modules/_blake2/blake2s_impl.c +@@ -82,6 +82,7 @@ _blake2.blake2s.__new__ as py_blake2s_new + node_depth: int = 0 + inner_size: int = 0 + last_node: bool = False ++ usedforsecurity: bool = True + + Return a new BLAKE2s hash object. + [clinic start generated code]*/ +@@ -91,8 +92,8 @@ py_blake2s_new_impl(PyTypeObject *type, PyObject *data, int digest_size, + Py_buffer *key, Py_buffer *salt, Py_buffer *person, + int fanout, int depth, unsigned long leaf_size, + unsigned long long node_offset, int node_depth, +- int inner_size, int last_node) +-/*[clinic end generated code: output=b95806be0514dcf7 input=641c0509debf714d]*/ ++ int inner_size, int last_node, int usedforsecurity) ++/*[clinic end generated code: output=556181f73905c686 input=4dda87723f23abb0]*/ + { + BLAKE2sObject *self = NULL; + Py_buffer buf; +diff --git a/Modules/_blake2/clinic/blake2b_impl.c.h b/Modules/_blake2/clinic/blake2b_impl.c.h +index cd329c0..07258c3 100644 +--- a/Modules/_blake2/clinic/blake2b_impl.c.h ++++ b/Modules/_blake2/clinic/blake2b_impl.c.h +@@ -5,7 +5,8 @@ preserve + PyDoc_STRVAR(py_blake2b_new__doc__, + "blake2b(data=b\'\', /, *, digest_size=_blake2.blake2b.MAX_DIGEST_SIZE,\n" + " key=b\'\', salt=b\'\', person=b\'\', fanout=1, depth=1, leaf_size=0,\n" +-" node_offset=0, node_depth=0, inner_size=0, last_node=False)\n" ++" node_offset=0, node_depth=0, inner_size=0, last_node=False,\n" ++" usedforsecurity=True)\n" + "--\n" + "\n" + "Return a new BLAKE2b hash object."); +@@ -15,15 +16,15 @@ py_blake2b_new_impl(PyTypeObject *type, PyObject *data, int digest_size, + Py_buffer *key, Py_buffer *salt, Py_buffer *person, + int fanout, int depth, unsigned long leaf_size, + unsigned long long node_offset, int node_depth, +- int inner_size, int last_node); ++ int inner_size, int last_node, int usedforsecurity); + + static PyObject * + py_blake2b_new(PyTypeObject *type, PyObject *args, PyObject *kwargs) + { + PyObject *return_value = NULL; +- static const char * const _keywords[] = {"", "digest_size", "key", "salt", "person", "fanout", "depth", "leaf_size", "node_offset", "node_depth", "inner_size", "last_node", NULL}; ++ static const char * const _keywords[] = {"", "digest_size", "key", "salt", "person", "fanout", "depth", "leaf_size", "node_offset", "node_depth", "inner_size", "last_node", "usedforsecurity", NULL}; + static _PyArg_Parser _parser = {NULL, _keywords, "blake2b", 0}; +- PyObject *argsbuf[12]; ++ PyObject *argsbuf[13]; + PyObject * const *fastargs; + Py_ssize_t nargs = PyTuple_GET_SIZE(args); + Py_ssize_t noptargs = nargs + (kwargs ? PyDict_GET_SIZE(kwargs) : 0) - 0; +@@ -39,6 +40,7 @@ py_blake2b_new(PyTypeObject *type, PyObject *args, PyObject *kwargs) + int node_depth = 0; + int inner_size = 0; + int last_node = 0; ++ int usedforsecurity = 1; + + fastargs = _PyArg_UnpackKeywords(_PyTuple_CAST(args)->ob_item, nargs, kwargs, NULL, &_parser, 0, 1, 0, argsbuf); + if (!fastargs) { +@@ -175,12 +177,21 @@ skip_optional_posonly: + goto skip_optional_kwonly; + } + } +- last_node = PyObject_IsTrue(fastargs[11]); +- if (last_node < 0) { ++ if (fastargs[11]) { ++ last_node = PyObject_IsTrue(fastargs[11]); ++ if (last_node < 0) { ++ goto exit; ++ } ++ if (!--noptargs) { ++ goto skip_optional_kwonly; ++ } ++ } ++ usedforsecurity = PyObject_IsTrue(fastargs[12]); ++ if (usedforsecurity < 0) { + goto exit; + } + skip_optional_kwonly: +- return_value = py_blake2b_new_impl(type, data, digest_size, &key, &salt, &person, fanout, depth, leaf_size, node_offset, node_depth, inner_size, last_node); ++ return_value = py_blake2b_new_impl(type, data, digest_size, &key, &salt, &person, fanout, depth, leaf_size, node_offset, node_depth, inner_size, last_node, usedforsecurity); + + exit: + /* Cleanup for key */ +@@ -261,4 +272,4 @@ _blake2_blake2b_hexdigest(BLAKE2bObject *self, PyObject *Py_UNUSED(ignored)) + { + return _blake2_blake2b_hexdigest_impl(self); + } +-/*[clinic end generated code: output=cbb625d7f60c288c input=a9049054013a1b77]*/ ++/*[clinic end generated code: output=2d6d0fe9aa42a42a input=a9049054013a1b77]*/ +diff --git a/Modules/_blake2/clinic/blake2s_impl.c.h b/Modules/_blake2/clinic/blake2s_impl.c.h +index 560bd68..71c5706 100644 +--- a/Modules/_blake2/clinic/blake2s_impl.c.h ++++ b/Modules/_blake2/clinic/blake2s_impl.c.h +@@ -5,7 +5,8 @@ preserve + PyDoc_STRVAR(py_blake2s_new__doc__, + "blake2s(data=b\'\', /, *, digest_size=_blake2.blake2s.MAX_DIGEST_SIZE,\n" + " key=b\'\', salt=b\'\', person=b\'\', fanout=1, depth=1, leaf_size=0,\n" +-" node_offset=0, node_depth=0, inner_size=0, last_node=False)\n" ++" node_offset=0, node_depth=0, inner_size=0, last_node=False,\n" ++" usedforsecurity=True)\n" + "--\n" + "\n" + "Return a new BLAKE2s hash object."); +@@ -15,15 +16,15 @@ py_blake2s_new_impl(PyTypeObject *type, PyObject *data, int digest_size, + Py_buffer *key, Py_buffer *salt, Py_buffer *person, + int fanout, int depth, unsigned long leaf_size, + unsigned long long node_offset, int node_depth, +- int inner_size, int last_node); ++ int inner_size, int last_node, int usedforsecurity); + + static PyObject * + py_blake2s_new(PyTypeObject *type, PyObject *args, PyObject *kwargs) + { + PyObject *return_value = NULL; +- static const char * const _keywords[] = {"", "digest_size", "key", "salt", "person", "fanout", "depth", "leaf_size", "node_offset", "node_depth", "inner_size", "last_node", NULL}; ++ static const char * const _keywords[] = {"", "digest_size", "key", "salt", "person", "fanout", "depth", "leaf_size", "node_offset", "node_depth", "inner_size", "last_node", "usedforsecurity", NULL}; + static _PyArg_Parser _parser = {NULL, _keywords, "blake2s", 0}; +- PyObject *argsbuf[12]; ++ PyObject *argsbuf[13]; + PyObject * const *fastargs; + Py_ssize_t nargs = PyTuple_GET_SIZE(args); + Py_ssize_t noptargs = nargs + (kwargs ? PyDict_GET_SIZE(kwargs) : 0) - 0; +@@ -39,6 +40,7 @@ py_blake2s_new(PyTypeObject *type, PyObject *args, PyObject *kwargs) + int node_depth = 0; + int inner_size = 0; + int last_node = 0; ++ int usedforsecurity = 1; + + fastargs = _PyArg_UnpackKeywords(_PyTuple_CAST(args)->ob_item, nargs, kwargs, NULL, &_parser, 0, 1, 0, argsbuf); + if (!fastargs) { +@@ -175,12 +177,21 @@ skip_optional_posonly: + goto skip_optional_kwonly; + } + } +- last_node = PyObject_IsTrue(fastargs[11]); +- if (last_node < 0) { ++ if (fastargs[11]) { ++ last_node = PyObject_IsTrue(fastargs[11]); ++ if (last_node < 0) { ++ goto exit; ++ } ++ if (!--noptargs) { ++ goto skip_optional_kwonly; ++ } ++ } ++ usedforsecurity = PyObject_IsTrue(fastargs[12]); ++ if (usedforsecurity < 0) { + goto exit; + } + skip_optional_kwonly: +- return_value = py_blake2s_new_impl(type, data, digest_size, &key, &salt, &person, fanout, depth, leaf_size, node_offset, node_depth, inner_size, last_node); ++ return_value = py_blake2s_new_impl(type, data, digest_size, &key, &salt, &person, fanout, depth, leaf_size, node_offset, node_depth, inner_size, last_node, usedforsecurity); + + exit: + /* Cleanup for key */ +@@ -261,4 +272,4 @@ _blake2_blake2s_hexdigest(BLAKE2sObject *self, PyObject *Py_UNUSED(ignored)) + { + return _blake2_blake2s_hexdigest_impl(self); + } +-/*[clinic end generated code: output=39af5a74c8805b36 input=a9049054013a1b77]*/ ++/*[clinic end generated code: output=c80d8d06ce40a192 input=a9049054013a1b77]*/ +diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c +index 713e15a..b4d05ab 100644 +--- a/Modules/_hashopenssl.c ++++ b/Modules/_hashopenssl.c +@@ -528,7 +528,7 @@ static PyTypeObject EVPtype = { + \ + static PyObject * + EVPnew(const EVP_MD *digest, +- const unsigned char *cp, Py_ssize_t len) ++ const unsigned char *cp, Py_ssize_t len, int usedforsecurity) + { + int result = 0; + EVPobject *self; +@@ -541,6 +541,12 @@ EVPnew(const EVP_MD *digest, + if ((self = newEVPobject()) == NULL) + return NULL; + ++ if (!usedforsecurity) { ++#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW ++ EVP_MD_CTX_set_flags(self->ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); ++#endif ++ } ++ + if (!EVP_DigestInit_ex(self->ctx, digest, NULL)) { + _setException(PyExc_ValueError); + Py_DECREF(self); +@@ -572,6 +578,8 @@ _hashlib.new as EVP_new + + name as name_obj: object + string as data_obj: object(c_default="NULL") = b'' ++ * ++ usedforsecurity: bool = True + + Return a new hash object using the named algorithm. + +@@ -582,8 +590,9 @@ The MD5 and SHA1 algorithms are always supported. + [clinic start generated code]*/ + + static PyObject * +-EVP_new_impl(PyObject *module, PyObject *name_obj, PyObject *data_obj) +-/*[clinic end generated code: output=9e7cf664e04b0226 input=7eb79bf30058bd02]*/ ++EVP_new_impl(PyObject *module, PyObject *name_obj, PyObject *data_obj, ++ int usedforsecurity) ++/*[clinic end generated code: output=ddd5053f92dffe90 input=c24554d0337be1b0]*/ + { + Py_buffer view = { 0 }; + PyObject *ret_obj; +@@ -600,7 +609,9 @@ EVP_new_impl(PyObject *module, PyObject *name_obj, PyObject *data_obj) + + digest = py_digest_by_name(name); + +- ret_obj = EVPnew(digest, (unsigned char*)view.buf, view.len); ++ ret_obj = EVPnew(digest, ++ (unsigned char*)view.buf, view.len, ++ usedforsecurity); + + if (data_obj) + PyBuffer_Release(&view); +@@ -608,7 +619,8 @@ EVP_new_impl(PyObject *module, PyObject *name_obj, PyObject *data_obj) + } + + static PyObject* +-EVP_fast_new(PyObject *module, PyObject *data_obj, const EVP_MD *digest) ++EVP_fast_new(PyObject *module, PyObject *data_obj, const EVP_MD *digest, ++ int usedforsecurity) + { + Py_buffer view = { 0 }; + PyObject *ret_obj; +@@ -616,7 +628,8 @@ EVP_fast_new(PyObject *module, PyObject *data_obj, const EVP_MD *digest) + if (data_obj) + GET_BUFFER_VIEW_OR_ERROUT(data_obj, &view); + +- ret_obj = EVPnew(digest, (unsigned char*)view.buf, view.len); ++ ret_obj = EVPnew(digest, (unsigned char*)view.buf, view.len, ++ usedforsecurity); + + if (data_obj) + PyBuffer_Release(&view); +@@ -628,16 +641,19 @@ EVP_fast_new(PyObject *module, PyObject *data_obj, const EVP_MD *digest) + _hashlib.openssl_md5 + + string as data_obj: object(py_default="b''") = NULL ++ * ++ usedforsecurity: bool = True + + Returns a md5 hash object; optionally initialized with a string + + [clinic start generated code]*/ + + static PyObject * +-_hashlib_openssl_md5_impl(PyObject *module, PyObject *data_obj) +-/*[clinic end generated code: output=6caae75b73e22c3f input=52010d3869e1b1a7]*/ ++_hashlib_openssl_md5_impl(PyObject *module, PyObject *data_obj, ++ int usedforsecurity) ++/*[clinic end generated code: output=87b0186440a44f8c input=990e36d5e689b16e]*/ + { +- return EVP_fast_new(module, data_obj, EVP_md5()); ++ return EVP_fast_new(module, data_obj, EVP_md5(), usedforsecurity); + } + + +@@ -645,16 +661,19 @@ _hashlib_openssl_md5_impl(PyObject *module, PyObject *data_obj) + _hashlib.openssl_sha1 + + string as data_obj: object(py_default="b''") = NULL ++ * ++ usedforsecurity: bool = True + + Returns a sha1 hash object; optionally initialized with a string + + [clinic start generated code]*/ + + static PyObject * +-_hashlib_openssl_sha1_impl(PyObject *module, PyObject *data_obj) +-/*[clinic end generated code: output=07606d8f75153e61 input=16807d30e4aa8ae9]*/ ++_hashlib_openssl_sha1_impl(PyObject *module, PyObject *data_obj, ++ int usedforsecurity) ++/*[clinic end generated code: output=6813024cf690670d input=948f2f4b6deabc10]*/ + { +- return EVP_fast_new(module, data_obj, EVP_sha1()); ++ return EVP_fast_new(module, data_obj, EVP_sha1(), usedforsecurity); + } + + +@@ -662,16 +681,19 @@ _hashlib_openssl_sha1_impl(PyObject *module, PyObject *data_obj) + _hashlib.openssl_sha224 + + string as data_obj: object(py_default="b''") = NULL ++ * ++ usedforsecurity: bool = True + + Returns a sha224 hash object; optionally initialized with a string + + [clinic start generated code]*/ + + static PyObject * +-_hashlib_openssl_sha224_impl(PyObject *module, PyObject *data_obj) +-/*[clinic end generated code: output=55e848761bcef0c9 input=5dbc2f1d84eb459b]*/ ++_hashlib_openssl_sha224_impl(PyObject *module, PyObject *data_obj, ++ int usedforsecurity) ++/*[clinic end generated code: output=a2dfe7cc4eb14ebb input=f9272821fadca505]*/ + { +- return EVP_fast_new(module, data_obj, EVP_sha224()); ++ return EVP_fast_new(module, data_obj, EVP_sha224(), usedforsecurity); + } + + +@@ -679,16 +701,19 @@ _hashlib_openssl_sha224_impl(PyObject *module, PyObject *data_obj) + _hashlib.openssl_sha256 + + string as data_obj: object(py_default="b''") = NULL ++ * ++ usedforsecurity: bool = True + + Returns a sha256 hash object; optionally initialized with a string + + [clinic start generated code]*/ + + static PyObject * +-_hashlib_openssl_sha256_impl(PyObject *module, PyObject *data_obj) +-/*[clinic end generated code: output=05851d7cce34ac65 input=a68a5d21cda5a80f]*/ ++_hashlib_openssl_sha256_impl(PyObject *module, PyObject *data_obj, ++ int usedforsecurity) ++/*[clinic end generated code: output=1f874a34870f0a68 input=549fad9d2930d4c5]*/ + { +- return EVP_fast_new(module, data_obj, EVP_sha256()); ++ return EVP_fast_new(module, data_obj, EVP_sha256(), usedforsecurity); + } + + +@@ -696,16 +721,19 @@ _hashlib_openssl_sha256_impl(PyObject *module, PyObject *data_obj) + _hashlib.openssl_sha384 + + string as data_obj: object(py_default="b''") = NULL ++ * ++ usedforsecurity: bool = True + + Returns a sha384 hash object; optionally initialized with a string + + [clinic start generated code]*/ + + static PyObject * +-_hashlib_openssl_sha384_impl(PyObject *module, PyObject *data_obj) +-/*[clinic end generated code: output=5101a4704a932c2f input=6bdfa006622b64ea]*/ ++_hashlib_openssl_sha384_impl(PyObject *module, PyObject *data_obj, ++ int usedforsecurity) ++/*[clinic end generated code: output=58529eff9ca457b2 input=48601a6e3bf14ad7]*/ + { +- return EVP_fast_new(module, data_obj, EVP_sha384()); ++ return EVP_fast_new(module, data_obj, EVP_sha384(), usedforsecurity); + } + + +@@ -713,152 +741,179 @@ _hashlib_openssl_sha384_impl(PyObject *module, PyObject *data_obj) + _hashlib.openssl_sha512 + + string as data_obj: object(py_default="b''") = NULL ++ * ++ usedforsecurity: bool = True + + Returns a sha512 hash object; optionally initialized with a string + + [clinic start generated code]*/ + + static PyObject * +-_hashlib_openssl_sha512_impl(PyObject *module, PyObject *data_obj) +-/*[clinic end generated code: output=20c8e63ee560a5cb input=ece50182ad4b76a6]*/ ++_hashlib_openssl_sha512_impl(PyObject *module, PyObject *data_obj, ++ int usedforsecurity) ++/*[clinic end generated code: output=2c744c9e4a40d5f6 input=c5c46a2a817aa98f]*/ + { +- return EVP_fast_new(module, data_obj, EVP_sha512()); ++ return EVP_fast_new(module, data_obj, EVP_sha512(), usedforsecurity); + } + + /*[clinic input] + _hashlib.openssl_blake2b + + string as data_obj: object(py_default="b''") = NULL ++ * ++ usedforsecurity: bool = True + + Returns a blake2b hash object; optionally initialized with a string + + [clinic start generated code]*/ + + static PyObject * +-_hashlib_openssl_blake2b_impl(PyObject *module, PyObject *data_obj) +-/*[clinic end generated code: output=0d65acd1d9bb5e3f input=d9e6f84fa97e630d]*/ ++_hashlib_openssl_blake2b_impl(PyObject *module, PyObject *data_obj, ++ int usedforsecurity) ++/*[clinic end generated code: output=7a838b1643cde13e input=37247f187d9c4f4a]*/ + + { +- return EVP_fast_new(module, data_obj, EVP_blake2b512()); ++ return EVP_fast_new(module, data_obj, EVP_blake2b512(), usedforsecurity); + } + + /*[clinic input] + _hashlib.openssl_blake2s + + string as data_obj: object(py_default="b''") = NULL ++ * ++ usedforsecurity: bool = True + + Returns a blake2s hash object; optionally initialized with a string + + [clinic start generated code]*/ + + static PyObject * +-_hashlib_openssl_blake2s_impl(PyObject *module, PyObject *data_obj) +-/*[clinic end generated code: output=0f1330138041ec22 input=f1aec29465fc49c6]*/ ++_hashlib_openssl_blake2s_impl(PyObject *module, PyObject *data_obj, ++ int usedforsecurity) ++/*[clinic end generated code: output=4eda6b40757471da input=36e42912f87ff123]*/ + + { +- return EVP_fast_new(module, data_obj, EVP_blake2s256()); ++ return EVP_fast_new(module, data_obj, EVP_blake2s256(), usedforsecurity); + } + + /*[clinic input] + _hashlib.openssl_sha3_224 + + string as data_obj: object(py_default="b''") = NULL ++ * ++ usedforsecurity: bool = True + + Returns a sha3_224 hash object; optionally initialized with a string + + [clinic start generated code]*/ + + static PyObject * +-_hashlib_openssl_sha3_224_impl(PyObject *module, PyObject *data_obj) +-/*[clinic end generated code: output=e3817bed6ecafc20 input=adc74bf14410af70]*/ ++_hashlib_openssl_sha3_224_impl(PyObject *module, PyObject *data_obj, ++ int usedforsecurity) ++/*[clinic end generated code: output=144641c1d144b974 input=450128ca92633287]*/ + + { +- return EVP_fast_new(module, data_obj, EVP_sha3_224()); ++ return EVP_fast_new(module, data_obj, EVP_sha3_224(), usedforsecurity); + } + + /*[clinic input] + _hashlib.openssl_sha3_256 + + string as data_obj: object(py_default="b''") = NULL ++ * ++ usedforsecurity: bool = True + + Returns a sha3_256 hash object; optionally initialized with a string + + [clinic start generated code]*/ + + static PyObject * +-_hashlib_openssl_sha3_256_impl(PyObject *module, PyObject *data_obj) +-/*[clinic end generated code: output=9c15fac1ce09cd62 input=2922c3e78ab8bd2d]*/ ++_hashlib_openssl_sha3_256_impl(PyObject *module, PyObject *data_obj, ++ int usedforsecurity) ++/*[clinic end generated code: output=c61f1ab772d06668 input=dda801b8285bc25f]*/ + + { +- return EVP_fast_new(module, data_obj, EVP_sha3_256()); ++ return EVP_fast_new(module, data_obj, EVP_sha3_256(), usedforsecurity); + } + + /*[clinic input] + _hashlib.openssl_sha3_384 + + string as data_obj: object(py_default="b''") = NULL ++ * ++ usedforsecurity: bool = True + + Returns a sha3_384 hash object; optionally initialized with a string + + [clinic start generated code]*/ + + static PyObject * +-_hashlib_openssl_sha3_384_impl(PyObject *module, PyObject *data_obj) +-/*[clinic end generated code: output=0923a782b9b81a40 input=742b499c372c8316]*/ ++_hashlib_openssl_sha3_384_impl(PyObject *module, PyObject *data_obj, ++ int usedforsecurity) ++/*[clinic end generated code: output=f68e4846858cf0ee input=3e2c46d271c64ec8]*/ + + { +- return EVP_fast_new(module, data_obj, EVP_sha3_384()); ++ return EVP_fast_new(module, data_obj, EVP_sha3_384(), usedforsecurity); + } + + /*[clinic input] + _hashlib.openssl_sha3_512 + + string as data_obj: object(py_default="b''") = NULL ++ * ++ usedforsecurity: bool = True + + Returns a sha3-512 hash object; optionally initialized with a string + + [clinic start generated code]*/ + + static PyObject * +-_hashlib_openssl_sha3_512_impl(PyObject *module, PyObject *data_obj) +-/*[clinic end generated code: output=34bbe194704dbce4 input=46383f88e59a0385]*/ ++_hashlib_openssl_sha3_512_impl(PyObject *module, PyObject *data_obj, ++ int usedforsecurity) ++/*[clinic end generated code: output=2eede478c159354a input=64e2cc0c094d56f4]*/ + + { +- return EVP_fast_new(module, data_obj, EVP_sha3_512()); ++ return EVP_fast_new(module, data_obj, EVP_sha3_512(), usedforsecurity); + } + + /*[clinic input] + _hashlib.openssl_shake_128 + + string as data_obj: object(py_default="b''") = NULL ++ * ++ usedforsecurity: bool = True + + Returns a shake_128 hash object; optionally initialized with a string + + [clinic start generated code]*/ + + static PyObject * +-_hashlib_openssl_shake_128_impl(PyObject *module, PyObject *data_obj) +-/*[clinic end generated code: output=a6ea5917ce65ef10 input=f256751eb810fdaa]*/ ++_hashlib_openssl_shake_128_impl(PyObject *module, PyObject *data_obj, ++ int usedforsecurity) ++/*[clinic end generated code: output=bc49cdd8ada1fa97 input=395c17aac1eb4d2e]*/ + + { +- return EVP_fast_new(module, data_obj, EVP_shake128()); ++ return EVP_fast_new(module, data_obj, EVP_shake128(), usedforsecurity); + } + + /*[clinic input] + _hashlib.openssl_shake_256 + + string as data_obj: object(py_default="b''") = NULL ++ * ++ usedforsecurity: bool = True + + Returns a shake_256 hash object; optionally initialized with a string + + [clinic start generated code]*/ + + static PyObject * +-_hashlib_openssl_shake_256_impl(PyObject *module, PyObject *data_obj) +-/*[clinic end generated code: output=c91aaa96b000e186 input=d1331313db34116c]*/ ++_hashlib_openssl_shake_256_impl(PyObject *module, PyObject *data_obj, ++ int usedforsecurity) ++/*[clinic end generated code: output=358d213be8852df7 input=4fcf0b80fb663690]*/ + + { +- return EVP_fast_new(module, data_obj, EVP_shake256()); ++ return EVP_fast_new(module, data_obj, EVP_shake256(), usedforsecurity); + } + + +diff --git a/Modules/_sha3/clinic/sha3module.c.h b/Modules/_sha3/clinic/sha3module.c.h +index 554442d..1c79c26 100644 +--- a/Modules/_sha3/clinic/sha3module.c.h ++++ b/Modules/_sha3/clinic/sha3module.c.h +@@ -2,6 +2,52 @@ + preserve + [clinic start generated code]*/ + ++PyDoc_STRVAR(py_sha3_new__doc__, ++"sha3_224(data=b\'\', /, *, usedforsecurity=True)\n" ++"--\n" ++"\n" ++"Return a new BLAKE2b hash object."); ++ ++static PyObject * ++py_sha3_new_impl(PyTypeObject *type, PyObject *data, int usedforsecurity); ++ ++static PyObject * ++py_sha3_new(PyTypeObject *type, PyObject *args, PyObject *kwargs) ++{ ++ PyObject *return_value = NULL; ++ static const char * const _keywords[] = {"", "usedforsecurity", NULL}; ++ static _PyArg_Parser _parser = {NULL, _keywords, "sha3_224", 0}; ++ PyObject *argsbuf[2]; ++ PyObject * const *fastargs; ++ Py_ssize_t nargs = PyTuple_GET_SIZE(args); ++ Py_ssize_t noptargs = nargs + (kwargs ? PyDict_GET_SIZE(kwargs) : 0) - 0; ++ PyObject *data = NULL; ++ int usedforsecurity = 1; ++ ++ fastargs = _PyArg_UnpackKeywords(_PyTuple_CAST(args)->ob_item, nargs, kwargs, NULL, &_parser, 0, 1, 0, argsbuf); ++ if (!fastargs) { ++ goto exit; ++ } ++ if (nargs < 1) { ++ goto skip_optional_posonly; ++ } ++ noptargs--; ++ data = fastargs[0]; ++skip_optional_posonly: ++ if (!noptargs) { ++ goto skip_optional_kwonly; ++ } ++ usedforsecurity = PyObject_IsTrue(fastargs[1]); ++ if (usedforsecurity < 0) { ++ goto exit; ++ } ++skip_optional_kwonly: ++ return_value = py_sha3_new_impl(type, data, usedforsecurity); ++ ++exit: ++ return return_value; ++} ++ + PyDoc_STRVAR(_sha3_sha3_224_copy__doc__, + "copy($self, /)\n" + "--\n" +@@ -118,4 +164,4 @@ _sha3_shake_128_hexdigest(SHA3object *self, PyObject *arg) + exit: + return return_value; + } +-/*[clinic end generated code: output=5b3e99b9a96471e8 input=a9049054013a1b77]*/ ++/*[clinic end generated code: output=c8a97b34e80def62 input=a9049054013a1b77]*/ +diff --git a/Modules/_sha3/sha3module.c b/Modules/_sha3/sha3module.c +index 3079e1e..fc8b1b2 100644 +--- a/Modules/_sha3/sha3module.c ++++ b/Modules/_sha3/sha3module.c +@@ -171,22 +171,25 @@ newSHA3object(PyTypeObject *type) + return newobj; + } + ++/*[clinic input] ++@classmethod ++_sha3.sha3_224.__new__ as py_sha3_new ++ data: object(c_default="NULL") = b'' ++ / ++ * ++ usedforsecurity: bool = True ++ ++Return a new BLAKE2b hash object. ++[clinic start generated code]*/ + + static PyObject * +-py_sha3_new(PyTypeObject *type, PyObject *args, PyObject *kwargs) ++py_sha3_new_impl(PyTypeObject *type, PyObject *data, int usedforsecurity) ++/*[clinic end generated code: output=90409addc5d5e8b0 input=bcfcdf2e4368347a]*/ + { + FAIL_RETURN_IN_FIPS_MODE(PyExc_ValueError, "_sha3"); + SHA3object *self = NULL; + Py_buffer buf = {NULL, NULL}; + HashReturn res; +- PyObject *data = NULL; +- +- if (!_PyArg_NoKeywords(_PyType_Name(type), kwargs)) { +- return NULL; +- } +- if (!PyArg_UnpackTuple(args, _PyType_Name(type), 0, 1, &data)) { +- return NULL; +- } + + self = newSHA3object(type); + if (self == NULL) { +@@ -532,22 +535,22 @@ static PyGetSetDef SHA3_getseters[] = { + } + + PyDoc_STRVAR(sha3_224__doc__, +-"sha3_224([data]) -> SHA3 object\n\ ++"sha3_224([data], *, usedforsecurity=True) -> SHA3 object\n\ + \n\ + Return a new SHA3 hash object with a hashbit length of 28 bytes."); + + PyDoc_STRVAR(sha3_256__doc__, +-"sha3_256([data]) -> SHA3 object\n\ ++"sha3_256([data], *, usedforsecurity=True) -> SHA3 object\n\ + \n\ + Return a new SHA3 hash object with a hashbit length of 32 bytes."); + + PyDoc_STRVAR(sha3_384__doc__, +-"sha3_384([data]) -> SHA3 object\n\ ++"sha3_384([data], *, usedforsecurity=True) -> SHA3 object\n\ + \n\ + Return a new SHA3 hash object with a hashbit length of 48 bytes."); + + PyDoc_STRVAR(sha3_512__doc__, +-"sha3_512([data]) -> SHA3 object\n\ ++"sha3_512([data], *, usedforsecurity=True) -> SHA3 object\n\ + \n\ + Return a new SHA3 hash object with a hashbit length of 64 bytes."); + +@@ -558,22 +561,22 @@ SHA3_TYPE(SHA3_512type, "_sha3.sha3_512", sha3_512__doc__, SHA3_methods); + + #ifdef PY_WITH_KECCAK + PyDoc_STRVAR(keccak_224__doc__, +-"keccak_224([data]) -> Keccak object\n\ ++"keccak_224([data], *, usedforsecurity=True) -> Keccak object\n\ + \n\ + Return a new Keccak hash object with a hashbit length of 28 bytes."); + + PyDoc_STRVAR(keccak_256__doc__, +-"keccak_256([data]) -> Keccak object\n\ ++"keccak_256([data], *, usedforsecurity=True) -> Keccak object\n\ + \n\ + Return a new Keccak hash object with a hashbit length of 32 bytes."); + + PyDoc_STRVAR(keccak_384__doc__, +-"keccak_384([data]) -> Keccak object\n\ ++"keccak_384([data], *, usedforsecurity=True) -> Keccak object\n\ + \n\ + Return a new Keccak hash object with a hashbit length of 48 bytes."); + + PyDoc_STRVAR(keccak_512__doc__, +-"keccak_512([data]) -> Keccak object\n\ ++"keccak_512([data], *, usedforsecurity=True) -> Keccak object\n\ + \n\ + Return a new Keccak hash object with a hashbit length of 64 bytes."); + +@@ -675,12 +678,12 @@ static PyMethodDef SHAKE_methods[] = { + }; + + PyDoc_STRVAR(shake_128__doc__, +-"shake_128([data]) -> SHAKE object\n\ ++"shake_128([data], *, usedforsecurity=True) -> SHAKE object\n\ + \n\ + Return a new SHAKE hash object."); + + PyDoc_STRVAR(shake_256__doc__, +-"shake_256([data]) -> SHAKE object\n\ ++"shake_256([data], *, usedforsecurity=True) -> SHAKE object\n\ + \n\ + Return a new SHAKE hash object."); + +diff --git a/Modules/clinic/_hashopenssl.c.h b/Modules/clinic/_hashopenssl.c.h +index e96a752..9678847 100644 +--- a/Modules/clinic/_hashopenssl.c.h ++++ b/Modules/clinic/_hashopenssl.c.h +@@ -66,7 +66,7 @@ PyDoc_STRVAR(EVP_update__doc__, + {"update", (PyCFunction)EVP_update, METH_O, EVP_update__doc__}, + + PyDoc_STRVAR(EVP_new__doc__, +-"new($module, /, name, string=b\'\')\n" ++"new($module, /, name, string=b\'\', *, usedforsecurity=True)\n" + "--\n" + "\n" + "Return a new hash object using the named algorithm.\n" +@@ -80,18 +80,20 @@ PyDoc_STRVAR(EVP_new__doc__, + {"new", (PyCFunction)(void(*)(void))EVP_new, METH_FASTCALL|METH_KEYWORDS, EVP_new__doc__}, + + static PyObject * +-EVP_new_impl(PyObject *module, PyObject *name_obj, PyObject *data_obj); ++EVP_new_impl(PyObject *module, PyObject *name_obj, PyObject *data_obj, ++ int usedforsecurity); + + static PyObject * + EVP_new(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) + { + PyObject *return_value = NULL; +- static const char * const _keywords[] = {"name", "string", NULL}; ++ static const char * const _keywords[] = {"name", "string", "usedforsecurity", NULL}; + static _PyArg_Parser _parser = {NULL, _keywords, "new", 0}; +- PyObject *argsbuf[2]; ++ PyObject *argsbuf[3]; + Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 1; + PyObject *name_obj; + PyObject *data_obj = NULL; ++ int usedforsecurity = 1; + + args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 1, 2, 0, argsbuf); + if (!args) { +@@ -101,16 +103,29 @@ EVP_new(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwn + if (!noptargs) { + goto skip_optional_pos; + } +- data_obj = args[1]; ++ if (args[1]) { ++ data_obj = args[1]; ++ if (!--noptargs) { ++ goto skip_optional_pos; ++ } ++ } + skip_optional_pos: +- return_value = EVP_new_impl(module, name_obj, data_obj); ++ if (!noptargs) { ++ goto skip_optional_kwonly; ++ } ++ usedforsecurity = PyObject_IsTrue(args[2]); ++ if (usedforsecurity < 0) { ++ goto exit; ++ } ++skip_optional_kwonly: ++ return_value = EVP_new_impl(module, name_obj, data_obj, usedforsecurity); + + exit: + return return_value; + } + + PyDoc_STRVAR(_hashlib_openssl_md5__doc__, +-"openssl_md5($module, /, string=b\'\')\n" ++"openssl_md5($module, /, string=b\'\', *, usedforsecurity=True)\n" + "--\n" + "\n" + "Returns a md5 hash object; optionally initialized with a string"); +@@ -119,17 +134,19 @@ PyDoc_STRVAR(_hashlib_openssl_md5__doc__, + {"openssl_md5", (PyCFunction)(void(*)(void))_hashlib_openssl_md5, METH_FASTCALL|METH_KEYWORDS, _hashlib_openssl_md5__doc__}, + + static PyObject * +-_hashlib_openssl_md5_impl(PyObject *module, PyObject *data_obj); ++_hashlib_openssl_md5_impl(PyObject *module, PyObject *data_obj, ++ int usedforsecurity); + + static PyObject * + _hashlib_openssl_md5(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) + { + PyObject *return_value = NULL; +- static const char * const _keywords[] = {"string", NULL}; ++ static const char * const _keywords[] = {"string", "usedforsecurity", NULL}; + static _PyArg_Parser _parser = {NULL, _keywords, "openssl_md5", 0}; +- PyObject *argsbuf[1]; ++ PyObject *argsbuf[2]; + Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 0; + PyObject *data_obj = NULL; ++ int usedforsecurity = 1; + + args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 0, 1, 0, argsbuf); + if (!args) { +@@ -138,16 +155,29 @@ _hashlib_openssl_md5(PyObject *module, PyObject *const *args, Py_ssize_t nargs, + if (!noptargs) { + goto skip_optional_pos; + } +- data_obj = args[0]; ++ if (args[0]) { ++ data_obj = args[0]; ++ if (!--noptargs) { ++ goto skip_optional_pos; ++ } ++ } + skip_optional_pos: +- return_value = _hashlib_openssl_md5_impl(module, data_obj); ++ if (!noptargs) { ++ goto skip_optional_kwonly; ++ } ++ usedforsecurity = PyObject_IsTrue(args[1]); ++ if (usedforsecurity < 0) { ++ goto exit; ++ } ++skip_optional_kwonly: ++ return_value = _hashlib_openssl_md5_impl(module, data_obj, usedforsecurity); + + exit: + return return_value; + } + + PyDoc_STRVAR(_hashlib_openssl_sha1__doc__, +-"openssl_sha1($module, /, string=b\'\')\n" ++"openssl_sha1($module, /, string=b\'\', *, usedforsecurity=True)\n" + "--\n" + "\n" + "Returns a sha1 hash object; optionally initialized with a string"); +@@ -156,17 +186,19 @@ PyDoc_STRVAR(_hashlib_openssl_sha1__doc__, + {"openssl_sha1", (PyCFunction)(void(*)(void))_hashlib_openssl_sha1, METH_FASTCALL|METH_KEYWORDS, _hashlib_openssl_sha1__doc__}, + + static PyObject * +-_hashlib_openssl_sha1_impl(PyObject *module, PyObject *data_obj); ++_hashlib_openssl_sha1_impl(PyObject *module, PyObject *data_obj, ++ int usedforsecurity); + + static PyObject * + _hashlib_openssl_sha1(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) + { + PyObject *return_value = NULL; +- static const char * const _keywords[] = {"string", NULL}; ++ static const char * const _keywords[] = {"string", "usedforsecurity", NULL}; + static _PyArg_Parser _parser = {NULL, _keywords, "openssl_sha1", 0}; +- PyObject *argsbuf[1]; ++ PyObject *argsbuf[2]; + Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 0; + PyObject *data_obj = NULL; ++ int usedforsecurity = 1; + + args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 0, 1, 0, argsbuf); + if (!args) { +@@ -175,16 +207,29 @@ _hashlib_openssl_sha1(PyObject *module, PyObject *const *args, Py_ssize_t nargs, + if (!noptargs) { + goto skip_optional_pos; + } +- data_obj = args[0]; ++ if (args[0]) { ++ data_obj = args[0]; ++ if (!--noptargs) { ++ goto skip_optional_pos; ++ } ++ } + skip_optional_pos: +- return_value = _hashlib_openssl_sha1_impl(module, data_obj); ++ if (!noptargs) { ++ goto skip_optional_kwonly; ++ } ++ usedforsecurity = PyObject_IsTrue(args[1]); ++ if (usedforsecurity < 0) { ++ goto exit; ++ } ++skip_optional_kwonly: ++ return_value = _hashlib_openssl_sha1_impl(module, data_obj, usedforsecurity); + + exit: + return return_value; + } + + PyDoc_STRVAR(_hashlib_openssl_sha224__doc__, +-"openssl_sha224($module, /, string=b\'\')\n" ++"openssl_sha224($module, /, string=b\'\', *, usedforsecurity=True)\n" + "--\n" + "\n" + "Returns a sha224 hash object; optionally initialized with a string"); +@@ -193,17 +238,19 @@ PyDoc_STRVAR(_hashlib_openssl_sha224__doc__, + {"openssl_sha224", (PyCFunction)(void(*)(void))_hashlib_openssl_sha224, METH_FASTCALL|METH_KEYWORDS, _hashlib_openssl_sha224__doc__}, + + static PyObject * +-_hashlib_openssl_sha224_impl(PyObject *module, PyObject *data_obj); ++_hashlib_openssl_sha224_impl(PyObject *module, PyObject *data_obj, ++ int usedforsecurity); + + static PyObject * + _hashlib_openssl_sha224(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) + { + PyObject *return_value = NULL; +- static const char * const _keywords[] = {"string", NULL}; ++ static const char * const _keywords[] = {"string", "usedforsecurity", NULL}; + static _PyArg_Parser _parser = {NULL, _keywords, "openssl_sha224", 0}; +- PyObject *argsbuf[1]; ++ PyObject *argsbuf[2]; + Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 0; + PyObject *data_obj = NULL; ++ int usedforsecurity = 1; + + args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 0, 1, 0, argsbuf); + if (!args) { +@@ -212,16 +259,29 @@ _hashlib_openssl_sha224(PyObject *module, PyObject *const *args, Py_ssize_t narg + if (!noptargs) { + goto skip_optional_pos; + } +- data_obj = args[0]; ++ if (args[0]) { ++ data_obj = args[0]; ++ if (!--noptargs) { ++ goto skip_optional_pos; ++ } ++ } + skip_optional_pos: +- return_value = _hashlib_openssl_sha224_impl(module, data_obj); ++ if (!noptargs) { ++ goto skip_optional_kwonly; ++ } ++ usedforsecurity = PyObject_IsTrue(args[1]); ++ if (usedforsecurity < 0) { ++ goto exit; ++ } ++skip_optional_kwonly: ++ return_value = _hashlib_openssl_sha224_impl(module, data_obj, usedforsecurity); + + exit: + return return_value; + } + + PyDoc_STRVAR(_hashlib_openssl_sha256__doc__, +-"openssl_sha256($module, /, string=b\'\')\n" ++"openssl_sha256($module, /, string=b\'\', *, usedforsecurity=True)\n" + "--\n" + "\n" + "Returns a sha256 hash object; optionally initialized with a string"); +@@ -230,17 +290,19 @@ PyDoc_STRVAR(_hashlib_openssl_sha256__doc__, + {"openssl_sha256", (PyCFunction)(void(*)(void))_hashlib_openssl_sha256, METH_FASTCALL|METH_KEYWORDS, _hashlib_openssl_sha256__doc__}, + + static PyObject * +-_hashlib_openssl_sha256_impl(PyObject *module, PyObject *data_obj); ++_hashlib_openssl_sha256_impl(PyObject *module, PyObject *data_obj, ++ int usedforsecurity); + + static PyObject * + _hashlib_openssl_sha256(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) + { + PyObject *return_value = NULL; +- static const char * const _keywords[] = {"string", NULL}; ++ static const char * const _keywords[] = {"string", "usedforsecurity", NULL}; + static _PyArg_Parser _parser = {NULL, _keywords, "openssl_sha256", 0}; +- PyObject *argsbuf[1]; ++ PyObject *argsbuf[2]; + Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 0; + PyObject *data_obj = NULL; ++ int usedforsecurity = 1; + + args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 0, 1, 0, argsbuf); + if (!args) { +@@ -249,16 +311,29 @@ _hashlib_openssl_sha256(PyObject *module, PyObject *const *args, Py_ssize_t narg + if (!noptargs) { + goto skip_optional_pos; + } +- data_obj = args[0]; ++ if (args[0]) { ++ data_obj = args[0]; ++ if (!--noptargs) { ++ goto skip_optional_pos; ++ } ++ } + skip_optional_pos: +- return_value = _hashlib_openssl_sha256_impl(module, data_obj); ++ if (!noptargs) { ++ goto skip_optional_kwonly; ++ } ++ usedforsecurity = PyObject_IsTrue(args[1]); ++ if (usedforsecurity < 0) { ++ goto exit; ++ } ++skip_optional_kwonly: ++ return_value = _hashlib_openssl_sha256_impl(module, data_obj, usedforsecurity); + + exit: + return return_value; + } + + PyDoc_STRVAR(_hashlib_openssl_sha384__doc__, +-"openssl_sha384($module, /, string=b\'\')\n" ++"openssl_sha384($module, /, string=b\'\', *, usedforsecurity=True)\n" + "--\n" + "\n" + "Returns a sha384 hash object; optionally initialized with a string"); +@@ -267,17 +342,19 @@ PyDoc_STRVAR(_hashlib_openssl_sha384__doc__, + {"openssl_sha384", (PyCFunction)(void(*)(void))_hashlib_openssl_sha384, METH_FASTCALL|METH_KEYWORDS, _hashlib_openssl_sha384__doc__}, + + static PyObject * +-_hashlib_openssl_sha384_impl(PyObject *module, PyObject *data_obj); ++_hashlib_openssl_sha384_impl(PyObject *module, PyObject *data_obj, ++ int usedforsecurity); + + static PyObject * + _hashlib_openssl_sha384(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) + { + PyObject *return_value = NULL; +- static const char * const _keywords[] = {"string", NULL}; ++ static const char * const _keywords[] = {"string", "usedforsecurity", NULL}; + static _PyArg_Parser _parser = {NULL, _keywords, "openssl_sha384", 0}; +- PyObject *argsbuf[1]; ++ PyObject *argsbuf[2]; + Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 0; + PyObject *data_obj = NULL; ++ int usedforsecurity = 1; + + args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 0, 1, 0, argsbuf); + if (!args) { +@@ -286,16 +363,29 @@ _hashlib_openssl_sha384(PyObject *module, PyObject *const *args, Py_ssize_t narg + if (!noptargs) { + goto skip_optional_pos; + } +- data_obj = args[0]; ++ if (args[0]) { ++ data_obj = args[0]; ++ if (!--noptargs) { ++ goto skip_optional_pos; ++ } ++ } + skip_optional_pos: +- return_value = _hashlib_openssl_sha384_impl(module, data_obj); ++ if (!noptargs) { ++ goto skip_optional_kwonly; ++ } ++ usedforsecurity = PyObject_IsTrue(args[1]); ++ if (usedforsecurity < 0) { ++ goto exit; ++ } ++skip_optional_kwonly: ++ return_value = _hashlib_openssl_sha384_impl(module, data_obj, usedforsecurity); + + exit: + return return_value; + } + + PyDoc_STRVAR(_hashlib_openssl_sha512__doc__, +-"openssl_sha512($module, /, string=b\'\')\n" ++"openssl_sha512($module, /, string=b\'\', *, usedforsecurity=True)\n" + "--\n" + "\n" + "Returns a sha512 hash object; optionally initialized with a string"); +@@ -304,17 +394,19 @@ PyDoc_STRVAR(_hashlib_openssl_sha512__doc__, + {"openssl_sha512", (PyCFunction)(void(*)(void))_hashlib_openssl_sha512, METH_FASTCALL|METH_KEYWORDS, _hashlib_openssl_sha512__doc__}, + + static PyObject * +-_hashlib_openssl_sha512_impl(PyObject *module, PyObject *data_obj); ++_hashlib_openssl_sha512_impl(PyObject *module, PyObject *data_obj, ++ int usedforsecurity); + + static PyObject * + _hashlib_openssl_sha512(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) + { + PyObject *return_value = NULL; +- static const char * const _keywords[] = {"string", NULL}; ++ static const char * const _keywords[] = {"string", "usedforsecurity", NULL}; + static _PyArg_Parser _parser = {NULL, _keywords, "openssl_sha512", 0}; +- PyObject *argsbuf[1]; ++ PyObject *argsbuf[2]; + Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 0; + PyObject *data_obj = NULL; ++ int usedforsecurity = 1; + + args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 0, 1, 0, argsbuf); + if (!args) { +@@ -323,16 +415,29 @@ _hashlib_openssl_sha512(PyObject *module, PyObject *const *args, Py_ssize_t narg + if (!noptargs) { + goto skip_optional_pos; + } +- data_obj = args[0]; ++ if (args[0]) { ++ data_obj = args[0]; ++ if (!--noptargs) { ++ goto skip_optional_pos; ++ } ++ } + skip_optional_pos: +- return_value = _hashlib_openssl_sha512_impl(module, data_obj); ++ if (!noptargs) { ++ goto skip_optional_kwonly; ++ } ++ usedforsecurity = PyObject_IsTrue(args[1]); ++ if (usedforsecurity < 0) { ++ goto exit; ++ } ++skip_optional_kwonly: ++ return_value = _hashlib_openssl_sha512_impl(module, data_obj, usedforsecurity); + + exit: + return return_value; + } + + PyDoc_STRVAR(_hashlib_openssl_blake2b__doc__, +-"openssl_blake2b($module, /, string=b\'\')\n" ++"openssl_blake2b($module, /, string=b\'\', *, usedforsecurity=True)\n" + "--\n" + "\n" + "Returns a blake2b hash object; optionally initialized with a string"); +@@ -341,17 +446,19 @@ PyDoc_STRVAR(_hashlib_openssl_blake2b__doc__, + {"openssl_blake2b", (PyCFunction)(void(*)(void))_hashlib_openssl_blake2b, METH_FASTCALL|METH_KEYWORDS, _hashlib_openssl_blake2b__doc__}, + + static PyObject * +-_hashlib_openssl_blake2b_impl(PyObject *module, PyObject *data_obj); ++_hashlib_openssl_blake2b_impl(PyObject *module, PyObject *data_obj, ++ int usedforsecurity); + + static PyObject * + _hashlib_openssl_blake2b(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) + { + PyObject *return_value = NULL; +- static const char * const _keywords[] = {"string", NULL}; ++ static const char * const _keywords[] = {"string", "usedforsecurity", NULL}; + static _PyArg_Parser _parser = {NULL, _keywords, "openssl_blake2b", 0}; +- PyObject *argsbuf[1]; ++ PyObject *argsbuf[2]; + Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 0; + PyObject *data_obj = NULL; ++ int usedforsecurity = 1; + + args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 0, 1, 0, argsbuf); + if (!args) { +@@ -360,16 +467,29 @@ _hashlib_openssl_blake2b(PyObject *module, PyObject *const *args, Py_ssize_t nar + if (!noptargs) { + goto skip_optional_pos; + } +- data_obj = args[0]; ++ if (args[0]) { ++ data_obj = args[0]; ++ if (!--noptargs) { ++ goto skip_optional_pos; ++ } ++ } + skip_optional_pos: +- return_value = _hashlib_openssl_blake2b_impl(module, data_obj); ++ if (!noptargs) { ++ goto skip_optional_kwonly; ++ } ++ usedforsecurity = PyObject_IsTrue(args[1]); ++ if (usedforsecurity < 0) { ++ goto exit; ++ } ++skip_optional_kwonly: ++ return_value = _hashlib_openssl_blake2b_impl(module, data_obj, usedforsecurity); + + exit: + return return_value; + } + + PyDoc_STRVAR(_hashlib_openssl_blake2s__doc__, +-"openssl_blake2s($module, /, string=b\'\')\n" ++"openssl_blake2s($module, /, string=b\'\', *, usedforsecurity=True)\n" + "--\n" + "\n" + "Returns a blake2s hash object; optionally initialized with a string"); +@@ -378,17 +498,19 @@ PyDoc_STRVAR(_hashlib_openssl_blake2s__doc__, + {"openssl_blake2s", (PyCFunction)(void(*)(void))_hashlib_openssl_blake2s, METH_FASTCALL|METH_KEYWORDS, _hashlib_openssl_blake2s__doc__}, + + static PyObject * +-_hashlib_openssl_blake2s_impl(PyObject *module, PyObject *data_obj); ++_hashlib_openssl_blake2s_impl(PyObject *module, PyObject *data_obj, ++ int usedforsecurity); + + static PyObject * + _hashlib_openssl_blake2s(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) + { + PyObject *return_value = NULL; +- static const char * const _keywords[] = {"string", NULL}; ++ static const char * const _keywords[] = {"string", "usedforsecurity", NULL}; + static _PyArg_Parser _parser = {NULL, _keywords, "openssl_blake2s", 0}; +- PyObject *argsbuf[1]; ++ PyObject *argsbuf[2]; + Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 0; + PyObject *data_obj = NULL; ++ int usedforsecurity = 1; + + args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 0, 1, 0, argsbuf); + if (!args) { +@@ -397,16 +519,29 @@ _hashlib_openssl_blake2s(PyObject *module, PyObject *const *args, Py_ssize_t nar + if (!noptargs) { + goto skip_optional_pos; + } +- data_obj = args[0]; ++ if (args[0]) { ++ data_obj = args[0]; ++ if (!--noptargs) { ++ goto skip_optional_pos; ++ } ++ } + skip_optional_pos: +- return_value = _hashlib_openssl_blake2s_impl(module, data_obj); ++ if (!noptargs) { ++ goto skip_optional_kwonly; ++ } ++ usedforsecurity = PyObject_IsTrue(args[1]); ++ if (usedforsecurity < 0) { ++ goto exit; ++ } ++skip_optional_kwonly: ++ return_value = _hashlib_openssl_blake2s_impl(module, data_obj, usedforsecurity); + + exit: + return return_value; + } + + PyDoc_STRVAR(_hashlib_openssl_sha3_224__doc__, +-"openssl_sha3_224($module, /, string=b\'\')\n" ++"openssl_sha3_224($module, /, string=b\'\', *, usedforsecurity=True)\n" + "--\n" + "\n" + "Returns a sha3_224 hash object; optionally initialized with a string"); +@@ -415,17 +550,19 @@ PyDoc_STRVAR(_hashlib_openssl_sha3_224__doc__, + {"openssl_sha3_224", (PyCFunction)(void(*)(void))_hashlib_openssl_sha3_224, METH_FASTCALL|METH_KEYWORDS, _hashlib_openssl_sha3_224__doc__}, + + static PyObject * +-_hashlib_openssl_sha3_224_impl(PyObject *module, PyObject *data_obj); ++_hashlib_openssl_sha3_224_impl(PyObject *module, PyObject *data_obj, ++ int usedforsecurity); + + static PyObject * + _hashlib_openssl_sha3_224(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) + { + PyObject *return_value = NULL; +- static const char * const _keywords[] = {"string", NULL}; ++ static const char * const _keywords[] = {"string", "usedforsecurity", NULL}; + static _PyArg_Parser _parser = {NULL, _keywords, "openssl_sha3_224", 0}; +- PyObject *argsbuf[1]; ++ PyObject *argsbuf[2]; + Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 0; + PyObject *data_obj = NULL; ++ int usedforsecurity = 1; + + args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 0, 1, 0, argsbuf); + if (!args) { +@@ -434,16 +571,29 @@ _hashlib_openssl_sha3_224(PyObject *module, PyObject *const *args, Py_ssize_t na + if (!noptargs) { + goto skip_optional_pos; + } +- data_obj = args[0]; ++ if (args[0]) { ++ data_obj = args[0]; ++ if (!--noptargs) { ++ goto skip_optional_pos; ++ } ++ } + skip_optional_pos: +- return_value = _hashlib_openssl_sha3_224_impl(module, data_obj); ++ if (!noptargs) { ++ goto skip_optional_kwonly; ++ } ++ usedforsecurity = PyObject_IsTrue(args[1]); ++ if (usedforsecurity < 0) { ++ goto exit; ++ } ++skip_optional_kwonly: ++ return_value = _hashlib_openssl_sha3_224_impl(module, data_obj, usedforsecurity); + + exit: + return return_value; + } + + PyDoc_STRVAR(_hashlib_openssl_sha3_256__doc__, +-"openssl_sha3_256($module, /, string=b\'\')\n" ++"openssl_sha3_256($module, /, string=b\'\', *, usedforsecurity=True)\n" + "--\n" + "\n" + "Returns a sha3_256 hash object; optionally initialized with a string"); +@@ -452,17 +602,19 @@ PyDoc_STRVAR(_hashlib_openssl_sha3_256__doc__, + {"openssl_sha3_256", (PyCFunction)(void(*)(void))_hashlib_openssl_sha3_256, METH_FASTCALL|METH_KEYWORDS, _hashlib_openssl_sha3_256__doc__}, + + static PyObject * +-_hashlib_openssl_sha3_256_impl(PyObject *module, PyObject *data_obj); ++_hashlib_openssl_sha3_256_impl(PyObject *module, PyObject *data_obj, ++ int usedforsecurity); + + static PyObject * + _hashlib_openssl_sha3_256(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) + { + PyObject *return_value = NULL; +- static const char * const _keywords[] = {"string", NULL}; ++ static const char * const _keywords[] = {"string", "usedforsecurity", NULL}; + static _PyArg_Parser _parser = {NULL, _keywords, "openssl_sha3_256", 0}; +- PyObject *argsbuf[1]; ++ PyObject *argsbuf[2]; + Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 0; + PyObject *data_obj = NULL; ++ int usedforsecurity = 1; + + args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 0, 1, 0, argsbuf); + if (!args) { +@@ -471,16 +623,29 @@ _hashlib_openssl_sha3_256(PyObject *module, PyObject *const *args, Py_ssize_t na + if (!noptargs) { + goto skip_optional_pos; + } +- data_obj = args[0]; ++ if (args[0]) { ++ data_obj = args[0]; ++ if (!--noptargs) { ++ goto skip_optional_pos; ++ } ++ } + skip_optional_pos: +- return_value = _hashlib_openssl_sha3_256_impl(module, data_obj); ++ if (!noptargs) { ++ goto skip_optional_kwonly; ++ } ++ usedforsecurity = PyObject_IsTrue(args[1]); ++ if (usedforsecurity < 0) { ++ goto exit; ++ } ++skip_optional_kwonly: ++ return_value = _hashlib_openssl_sha3_256_impl(module, data_obj, usedforsecurity); + + exit: + return return_value; + } + + PyDoc_STRVAR(_hashlib_openssl_sha3_384__doc__, +-"openssl_sha3_384($module, /, string=b\'\')\n" ++"openssl_sha3_384($module, /, string=b\'\', *, usedforsecurity=True)\n" + "--\n" + "\n" + "Returns a sha3_384 hash object; optionally initialized with a string"); +@@ -489,17 +654,19 @@ PyDoc_STRVAR(_hashlib_openssl_sha3_384__doc__, + {"openssl_sha3_384", (PyCFunction)(void(*)(void))_hashlib_openssl_sha3_384, METH_FASTCALL|METH_KEYWORDS, _hashlib_openssl_sha3_384__doc__}, + + static PyObject * +-_hashlib_openssl_sha3_384_impl(PyObject *module, PyObject *data_obj); ++_hashlib_openssl_sha3_384_impl(PyObject *module, PyObject *data_obj, ++ int usedforsecurity); + + static PyObject * + _hashlib_openssl_sha3_384(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) + { + PyObject *return_value = NULL; +- static const char * const _keywords[] = {"string", NULL}; ++ static const char * const _keywords[] = {"string", "usedforsecurity", NULL}; + static _PyArg_Parser _parser = {NULL, _keywords, "openssl_sha3_384", 0}; +- PyObject *argsbuf[1]; ++ PyObject *argsbuf[2]; + Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 0; + PyObject *data_obj = NULL; ++ int usedforsecurity = 1; + + args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 0, 1, 0, argsbuf); + if (!args) { +@@ -508,16 +675,29 @@ _hashlib_openssl_sha3_384(PyObject *module, PyObject *const *args, Py_ssize_t na + if (!noptargs) { + goto skip_optional_pos; + } +- data_obj = args[0]; ++ if (args[0]) { ++ data_obj = args[0]; ++ if (!--noptargs) { ++ goto skip_optional_pos; ++ } ++ } + skip_optional_pos: +- return_value = _hashlib_openssl_sha3_384_impl(module, data_obj); ++ if (!noptargs) { ++ goto skip_optional_kwonly; ++ } ++ usedforsecurity = PyObject_IsTrue(args[1]); ++ if (usedforsecurity < 0) { ++ goto exit; ++ } ++skip_optional_kwonly: ++ return_value = _hashlib_openssl_sha3_384_impl(module, data_obj, usedforsecurity); + + exit: + return return_value; + } + + PyDoc_STRVAR(_hashlib_openssl_sha3_512__doc__, +-"openssl_sha3_512($module, /, string=b\'\')\n" ++"openssl_sha3_512($module, /, string=b\'\', *, usedforsecurity=True)\n" + "--\n" + "\n" + "Returns a sha3-512 hash object; optionally initialized with a string"); +@@ -526,17 +706,19 @@ PyDoc_STRVAR(_hashlib_openssl_sha3_512__doc__, + {"openssl_sha3_512", (PyCFunction)(void(*)(void))_hashlib_openssl_sha3_512, METH_FASTCALL|METH_KEYWORDS, _hashlib_openssl_sha3_512__doc__}, + + static PyObject * +-_hashlib_openssl_sha3_512_impl(PyObject *module, PyObject *data_obj); ++_hashlib_openssl_sha3_512_impl(PyObject *module, PyObject *data_obj, ++ int usedforsecurity); + + static PyObject * + _hashlib_openssl_sha3_512(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) + { + PyObject *return_value = NULL; +- static const char * const _keywords[] = {"string", NULL}; ++ static const char * const _keywords[] = {"string", "usedforsecurity", NULL}; + static _PyArg_Parser _parser = {NULL, _keywords, "openssl_sha3_512", 0}; +- PyObject *argsbuf[1]; ++ PyObject *argsbuf[2]; + Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 0; + PyObject *data_obj = NULL; ++ int usedforsecurity = 1; + + args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 0, 1, 0, argsbuf); + if (!args) { +@@ -545,16 +727,29 @@ _hashlib_openssl_sha3_512(PyObject *module, PyObject *const *args, Py_ssize_t na + if (!noptargs) { + goto skip_optional_pos; + } +- data_obj = args[0]; ++ if (args[0]) { ++ data_obj = args[0]; ++ if (!--noptargs) { ++ goto skip_optional_pos; ++ } ++ } + skip_optional_pos: +- return_value = _hashlib_openssl_sha3_512_impl(module, data_obj); ++ if (!noptargs) { ++ goto skip_optional_kwonly; ++ } ++ usedforsecurity = PyObject_IsTrue(args[1]); ++ if (usedforsecurity < 0) { ++ goto exit; ++ } ++skip_optional_kwonly: ++ return_value = _hashlib_openssl_sha3_512_impl(module, data_obj, usedforsecurity); + + exit: + return return_value; + } + + PyDoc_STRVAR(_hashlib_openssl_shake_128__doc__, +-"openssl_shake_128($module, /, string=b\'\')\n" ++"openssl_shake_128($module, /, string=b\'\', *, usedforsecurity=True)\n" + "--\n" + "\n" + "Returns a shake_128 hash object; optionally initialized with a string"); +@@ -563,17 +758,19 @@ PyDoc_STRVAR(_hashlib_openssl_shake_128__doc__, + {"openssl_shake_128", (PyCFunction)(void(*)(void))_hashlib_openssl_shake_128, METH_FASTCALL|METH_KEYWORDS, _hashlib_openssl_shake_128__doc__}, + + static PyObject * +-_hashlib_openssl_shake_128_impl(PyObject *module, PyObject *data_obj); ++_hashlib_openssl_shake_128_impl(PyObject *module, PyObject *data_obj, ++ int usedforsecurity); + + static PyObject * + _hashlib_openssl_shake_128(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) + { + PyObject *return_value = NULL; +- static const char * const _keywords[] = {"string", NULL}; ++ static const char * const _keywords[] = {"string", "usedforsecurity", NULL}; + static _PyArg_Parser _parser = {NULL, _keywords, "openssl_shake_128", 0}; +- PyObject *argsbuf[1]; ++ PyObject *argsbuf[2]; + Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 0; + PyObject *data_obj = NULL; ++ int usedforsecurity = 1; + + args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 0, 1, 0, argsbuf); + if (!args) { +@@ -582,16 +779,29 @@ _hashlib_openssl_shake_128(PyObject *module, PyObject *const *args, Py_ssize_t n + if (!noptargs) { + goto skip_optional_pos; + } +- data_obj = args[0]; ++ if (args[0]) { ++ data_obj = args[0]; ++ if (!--noptargs) { ++ goto skip_optional_pos; ++ } ++ } + skip_optional_pos: +- return_value = _hashlib_openssl_shake_128_impl(module, data_obj); ++ if (!noptargs) { ++ goto skip_optional_kwonly; ++ } ++ usedforsecurity = PyObject_IsTrue(args[1]); ++ if (usedforsecurity < 0) { ++ goto exit; ++ } ++skip_optional_kwonly: ++ return_value = _hashlib_openssl_shake_128_impl(module, data_obj, usedforsecurity); + + exit: + return return_value; + } + + PyDoc_STRVAR(_hashlib_openssl_shake_256__doc__, +-"openssl_shake_256($module, /, string=b\'\')\n" ++"openssl_shake_256($module, /, string=b\'\', *, usedforsecurity=True)\n" + "--\n" + "\n" + "Returns a shake_256 hash object; optionally initialized with a string"); +@@ -600,17 +810,19 @@ PyDoc_STRVAR(_hashlib_openssl_shake_256__doc__, + {"openssl_shake_256", (PyCFunction)(void(*)(void))_hashlib_openssl_shake_256, METH_FASTCALL|METH_KEYWORDS, _hashlib_openssl_shake_256__doc__}, + + static PyObject * +-_hashlib_openssl_shake_256_impl(PyObject *module, PyObject *data_obj); ++_hashlib_openssl_shake_256_impl(PyObject *module, PyObject *data_obj, ++ int usedforsecurity); + + static PyObject * + _hashlib_openssl_shake_256(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) + { + PyObject *return_value = NULL; +- static const char * const _keywords[] = {"string", NULL}; ++ static const char * const _keywords[] = {"string", "usedforsecurity", NULL}; + static _PyArg_Parser _parser = {NULL, _keywords, "openssl_shake_256", 0}; +- PyObject *argsbuf[1]; ++ PyObject *argsbuf[2]; + Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 0; + PyObject *data_obj = NULL; ++ int usedforsecurity = 1; + + args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 0, 1, 0, argsbuf); + if (!args) { +@@ -619,9 +831,22 @@ _hashlib_openssl_shake_256(PyObject *module, PyObject *const *args, Py_ssize_t n + if (!noptargs) { + goto skip_optional_pos; + } +- data_obj = args[0]; ++ if (args[0]) { ++ data_obj = args[0]; ++ if (!--noptargs) { ++ goto skip_optional_pos; ++ } ++ } + skip_optional_pos: +- return_value = _hashlib_openssl_shake_256_impl(module, data_obj); ++ if (!noptargs) { ++ goto skip_optional_kwonly; ++ } ++ usedforsecurity = PyObject_IsTrue(args[1]); ++ if (usedforsecurity < 0) { ++ goto exit; ++ } ++skip_optional_kwonly: ++ return_value = _hashlib_openssl_shake_256_impl(module, data_obj, usedforsecurity); + + exit: + return return_value; +@@ -942,4 +1167,4 @@ _hashlib_get_fips_mode(PyObject *module, PyObject *Py_UNUSED(ignored)) + #ifndef _HASHLIB_SCRYPT_METHODDEF + #define _HASHLIB_SCRYPT_METHODDEF + #endif /* !defined(_HASHLIB_SCRYPT_METHODDEF) */ +-/*[clinic end generated code: output=be8e21a10dff71e7 input=a9049054013a1b77]*/ ++/*[clinic end generated code: output=3db4f18f12892fa4 input=a9049054013a1b77]*/ +diff --git a/Modules/clinic/md5module.c.h b/Modules/clinic/md5module.c.h +index 12484cc..c109f9e 100644 +--- a/Modules/clinic/md5module.c.h ++++ b/Modules/clinic/md5module.c.h +@@ -66,7 +66,7 @@ PyDoc_STRVAR(MD5Type_update__doc__, + {"update", (PyCFunction)MD5Type_update, METH_O, MD5Type_update__doc__}, + + PyDoc_STRVAR(_md5_md5__doc__, +-"md5($module, /, string=b\'\')\n" ++"md5($module, /, string=b\'\', *, usedforsecurity=True)\n" + "--\n" + "\n" + "Return a new MD5 hash object; optionally initialized with a string."); +@@ -75,17 +75,18 @@ PyDoc_STRVAR(_md5_md5__doc__, + {"md5", (PyCFunction)(void(*)(void))_md5_md5, METH_FASTCALL|METH_KEYWORDS, _md5_md5__doc__}, + + static PyObject * +-_md5_md5_impl(PyObject *module, PyObject *string); ++_md5_md5_impl(PyObject *module, PyObject *string, int usedforsecurity); + + static PyObject * + _md5_md5(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) + { + PyObject *return_value = NULL; +- static const char * const _keywords[] = {"string", NULL}; ++ static const char * const _keywords[] = {"string", "usedforsecurity", NULL}; + static _PyArg_Parser _parser = {NULL, _keywords, "md5", 0}; +- PyObject *argsbuf[1]; ++ PyObject *argsbuf[2]; + Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 0; + PyObject *string = NULL; ++ int usedforsecurity = 1; + + args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 0, 1, 0, argsbuf); + if (!args) { +@@ -94,11 +95,24 @@ _md5_md5(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kw + if (!noptargs) { + goto skip_optional_pos; + } +- string = args[0]; ++ if (args[0]) { ++ string = args[0]; ++ if (!--noptargs) { ++ goto skip_optional_pos; ++ } ++ } + skip_optional_pos: +- return_value = _md5_md5_impl(module, string); ++ if (!noptargs) { ++ goto skip_optional_kwonly; ++ } ++ usedforsecurity = PyObject_IsTrue(args[1]); ++ if (usedforsecurity < 0) { ++ goto exit; ++ } ++skip_optional_kwonly: ++ return_value = _md5_md5_impl(module, string, usedforsecurity); + + exit: + return return_value; + } +-/*[clinic end generated code: output=53133f08cf9095fc input=a9049054013a1b77]*/ ++/*[clinic end generated code: output=dbe3abc60086f3ef input=a9049054013a1b77]*/ +diff --git a/Modules/clinic/sha1module.c.h b/Modules/clinic/sha1module.c.h +index 001c6af..fc37b1a 100644 +--- a/Modules/clinic/sha1module.c.h ++++ b/Modules/clinic/sha1module.c.h +@@ -66,7 +66,7 @@ PyDoc_STRVAR(SHA1Type_update__doc__, + {"update", (PyCFunction)SHA1Type_update, METH_O, SHA1Type_update__doc__}, + + PyDoc_STRVAR(_sha1_sha1__doc__, +-"sha1($module, /, string=b\'\')\n" ++"sha1($module, /, string=b\'\', *, usedforsecurity=True)\n" + "--\n" + "\n" + "Return a new SHA1 hash object; optionally initialized with a string."); +@@ -75,17 +75,18 @@ PyDoc_STRVAR(_sha1_sha1__doc__, + {"sha1", (PyCFunction)(void(*)(void))_sha1_sha1, METH_FASTCALL|METH_KEYWORDS, _sha1_sha1__doc__}, + + static PyObject * +-_sha1_sha1_impl(PyObject *module, PyObject *string); ++_sha1_sha1_impl(PyObject *module, PyObject *string, int usedforsecurity); + + static PyObject * + _sha1_sha1(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) + { + PyObject *return_value = NULL; +- static const char * const _keywords[] = {"string", NULL}; ++ static const char * const _keywords[] = {"string", "usedforsecurity", NULL}; + static _PyArg_Parser _parser = {NULL, _keywords, "sha1", 0}; +- PyObject *argsbuf[1]; ++ PyObject *argsbuf[2]; + Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 0; + PyObject *string = NULL; ++ int usedforsecurity = 1; + + args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 0, 1, 0, argsbuf); + if (!args) { +@@ -94,11 +95,24 @@ _sha1_sha1(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject * + if (!noptargs) { + goto skip_optional_pos; + } +- string = args[0]; ++ if (args[0]) { ++ string = args[0]; ++ if (!--noptargs) { ++ goto skip_optional_pos; ++ } ++ } + skip_optional_pos: +- return_value = _sha1_sha1_impl(module, string); ++ if (!noptargs) { ++ goto skip_optional_kwonly; ++ } ++ usedforsecurity = PyObject_IsTrue(args[1]); ++ if (usedforsecurity < 0) { ++ goto exit; ++ } ++skip_optional_kwonly: ++ return_value = _sha1_sha1_impl(module, string, usedforsecurity); + + exit: + return return_value; + } +-/*[clinic end generated code: output=1ae7e73ec84a27d5 input=a9049054013a1b77]*/ ++/*[clinic end generated code: output=3ddd637ae17e14b3 input=a9049054013a1b77]*/ +diff --git a/Modules/clinic/sha256module.c.h b/Modules/clinic/sha256module.c.h +index 658abb1..2a788ea 100644 +--- a/Modules/clinic/sha256module.c.h ++++ b/Modules/clinic/sha256module.c.h +@@ -66,7 +66,7 @@ PyDoc_STRVAR(SHA256Type_update__doc__, + {"update", (PyCFunction)SHA256Type_update, METH_O, SHA256Type_update__doc__}, + + PyDoc_STRVAR(_sha256_sha256__doc__, +-"sha256($module, /, string=b\'\')\n" ++"sha256($module, /, string=b\'\', *, usedforsecurity=True)\n" + "--\n" + "\n" + "Return a new SHA-256 hash object; optionally initialized with a string."); +@@ -75,17 +75,18 @@ PyDoc_STRVAR(_sha256_sha256__doc__, + {"sha256", (PyCFunction)(void(*)(void))_sha256_sha256, METH_FASTCALL|METH_KEYWORDS, _sha256_sha256__doc__}, + + static PyObject * +-_sha256_sha256_impl(PyObject *module, PyObject *string); ++_sha256_sha256_impl(PyObject *module, PyObject *string, int usedforsecurity); + + static PyObject * + _sha256_sha256(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) + { + PyObject *return_value = NULL; +- static const char * const _keywords[] = {"string", NULL}; ++ static const char * const _keywords[] = {"string", "usedforsecurity", NULL}; + static _PyArg_Parser _parser = {NULL, _keywords, "sha256", 0}; +- PyObject *argsbuf[1]; ++ PyObject *argsbuf[2]; + Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 0; + PyObject *string = NULL; ++ int usedforsecurity = 1; + + args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 0, 1, 0, argsbuf); + if (!args) { +@@ -94,16 +95,29 @@ _sha256_sha256(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObje + if (!noptargs) { + goto skip_optional_pos; + } +- string = args[0]; ++ if (args[0]) { ++ string = args[0]; ++ if (!--noptargs) { ++ goto skip_optional_pos; ++ } ++ } + skip_optional_pos: +- return_value = _sha256_sha256_impl(module, string); ++ if (!noptargs) { ++ goto skip_optional_kwonly; ++ } ++ usedforsecurity = PyObject_IsTrue(args[1]); ++ if (usedforsecurity < 0) { ++ goto exit; ++ } ++skip_optional_kwonly: ++ return_value = _sha256_sha256_impl(module, string, usedforsecurity); + + exit: + return return_value; + } + + PyDoc_STRVAR(_sha256_sha224__doc__, +-"sha224($module, /, string=b\'\')\n" ++"sha224($module, /, string=b\'\', *, usedforsecurity=True)\n" + "--\n" + "\n" + "Return a new SHA-224 hash object; optionally initialized with a string."); +@@ -112,17 +126,18 @@ PyDoc_STRVAR(_sha256_sha224__doc__, + {"sha224", (PyCFunction)(void(*)(void))_sha256_sha224, METH_FASTCALL|METH_KEYWORDS, _sha256_sha224__doc__}, + + static PyObject * +-_sha256_sha224_impl(PyObject *module, PyObject *string); ++_sha256_sha224_impl(PyObject *module, PyObject *string, int usedforsecurity); + + static PyObject * + _sha256_sha224(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) + { + PyObject *return_value = NULL; +- static const char * const _keywords[] = {"string", NULL}; ++ static const char * const _keywords[] = {"string", "usedforsecurity", NULL}; + static _PyArg_Parser _parser = {NULL, _keywords, "sha224", 0}; +- PyObject *argsbuf[1]; ++ PyObject *argsbuf[2]; + Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 0; + PyObject *string = NULL; ++ int usedforsecurity = 1; + + args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 0, 1, 0, argsbuf); + if (!args) { +@@ -131,11 +146,24 @@ _sha256_sha224(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObje + if (!noptargs) { + goto skip_optional_pos; + } +- string = args[0]; ++ if (args[0]) { ++ string = args[0]; ++ if (!--noptargs) { ++ goto skip_optional_pos; ++ } ++ } + skip_optional_pos: +- return_value = _sha256_sha224_impl(module, string); ++ if (!noptargs) { ++ goto skip_optional_kwonly; ++ } ++ usedforsecurity = PyObject_IsTrue(args[1]); ++ if (usedforsecurity < 0) { ++ goto exit; ++ } ++skip_optional_kwonly: ++ return_value = _sha256_sha224_impl(module, string, usedforsecurity); + + exit: + return return_value; + } +-/*[clinic end generated code: output=c54d0956ec88409d input=a9049054013a1b77]*/ ++/*[clinic end generated code: output=c8cca8adbe72ec9a input=a9049054013a1b77]*/ +diff --git a/Modules/clinic/sha512module.c.h b/Modules/clinic/sha512module.c.h +index 459a934..b8185b6 100644 +--- a/Modules/clinic/sha512module.c.h ++++ b/Modules/clinic/sha512module.c.h +@@ -66,7 +66,7 @@ PyDoc_STRVAR(SHA512Type_update__doc__, + {"update", (PyCFunction)SHA512Type_update, METH_O, SHA512Type_update__doc__}, + + PyDoc_STRVAR(_sha512_sha512__doc__, +-"sha512($module, /, string=b\'\')\n" ++"sha512($module, /, string=b\'\', *, usedforsecurity=True)\n" + "--\n" + "\n" + "Return a new SHA-512 hash object; optionally initialized with a string."); +@@ -75,17 +75,18 @@ PyDoc_STRVAR(_sha512_sha512__doc__, + {"sha512", (PyCFunction)(void(*)(void))_sha512_sha512, METH_FASTCALL|METH_KEYWORDS, _sha512_sha512__doc__}, + + static PyObject * +-_sha512_sha512_impl(PyObject *module, PyObject *string); ++_sha512_sha512_impl(PyObject *module, PyObject *string, int usedforsecurity); + + static PyObject * + _sha512_sha512(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) + { + PyObject *return_value = NULL; +- static const char * const _keywords[] = {"string", NULL}; ++ static const char * const _keywords[] = {"string", "usedforsecurity", NULL}; + static _PyArg_Parser _parser = {NULL, _keywords, "sha512", 0}; +- PyObject *argsbuf[1]; ++ PyObject *argsbuf[2]; + Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 0; + PyObject *string = NULL; ++ int usedforsecurity = 1; + + args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 0, 1, 0, argsbuf); + if (!args) { +@@ -94,16 +95,29 @@ _sha512_sha512(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObje + if (!noptargs) { + goto skip_optional_pos; + } +- string = args[0]; ++ if (args[0]) { ++ string = args[0]; ++ if (!--noptargs) { ++ goto skip_optional_pos; ++ } ++ } + skip_optional_pos: +- return_value = _sha512_sha512_impl(module, string); ++ if (!noptargs) { ++ goto skip_optional_kwonly; ++ } ++ usedforsecurity = PyObject_IsTrue(args[1]); ++ if (usedforsecurity < 0) { ++ goto exit; ++ } ++skip_optional_kwonly: ++ return_value = _sha512_sha512_impl(module, string, usedforsecurity); + + exit: + return return_value; + } + + PyDoc_STRVAR(_sha512_sha384__doc__, +-"sha384($module, /, string=b\'\')\n" ++"sha384($module, /, string=b\'\', *, usedforsecurity=True)\n" + "--\n" + "\n" + "Return a new SHA-384 hash object; optionally initialized with a string."); +@@ -112,17 +126,18 @@ PyDoc_STRVAR(_sha512_sha384__doc__, + {"sha384", (PyCFunction)(void(*)(void))_sha512_sha384, METH_FASTCALL|METH_KEYWORDS, _sha512_sha384__doc__}, + + static PyObject * +-_sha512_sha384_impl(PyObject *module, PyObject *string); ++_sha512_sha384_impl(PyObject *module, PyObject *string, int usedforsecurity); + + static PyObject * + _sha512_sha384(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) + { + PyObject *return_value = NULL; +- static const char * const _keywords[] = {"string", NULL}; ++ static const char * const _keywords[] = {"string", "usedforsecurity", NULL}; + static _PyArg_Parser _parser = {NULL, _keywords, "sha384", 0}; +- PyObject *argsbuf[1]; ++ PyObject *argsbuf[2]; + Py_ssize_t noptargs = nargs + (kwnames ? PyTuple_GET_SIZE(kwnames) : 0) - 0; + PyObject *string = NULL; ++ int usedforsecurity = 1; + + args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 0, 1, 0, argsbuf); + if (!args) { +@@ -131,11 +146,24 @@ _sha512_sha384(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObje + if (!noptargs) { + goto skip_optional_pos; + } +- string = args[0]; ++ if (args[0]) { ++ string = args[0]; ++ if (!--noptargs) { ++ goto skip_optional_pos; ++ } ++ } + skip_optional_pos: +- return_value = _sha512_sha384_impl(module, string); ++ if (!noptargs) { ++ goto skip_optional_kwonly; ++ } ++ usedforsecurity = PyObject_IsTrue(args[1]); ++ if (usedforsecurity < 0) { ++ goto exit; ++ } ++skip_optional_kwonly: ++ return_value = _sha512_sha384_impl(module, string, usedforsecurity); + + exit: + return return_value; + } +-/*[clinic end generated code: output=580df4b667084a7e input=a9049054013a1b77]*/ ++/*[clinic end generated code: output=bbfa72d8703c82b5 input=a9049054013a1b77]*/ +diff --git a/Modules/md5module.c b/Modules/md5module.c +index 64fab80..ee4efe4 100644 +--- a/Modules/md5module.c ++++ b/Modules/md5module.c +@@ -503,13 +503,15 @@ static PyTypeObject MD5type = { + _md5.md5 + + string: object(c_default="NULL") = b'' ++ * ++ usedforsecurity: bool = True + + Return a new MD5 hash object; optionally initialized with a string. + [clinic start generated code]*/ + + static PyObject * +-_md5_md5_impl(PyObject *module, PyObject *string) +-/*[clinic end generated code: output=2cfd0f8c091b97e6 input=d12ef8f72d684f7b]*/ ++_md5_md5_impl(PyObject *module, PyObject *string, int usedforsecurity) ++/*[clinic end generated code: output=587071f76254a4ac input=7a144a1905636985]*/ + { + MD5object *new; + Py_buffer buf; +diff --git a/Modules/sha1module.c b/Modules/sha1module.c +index 4a8dbd8..aec0bad 100644 +--- a/Modules/sha1module.c ++++ b/Modules/sha1module.c +@@ -480,13 +480,15 @@ static PyTypeObject SHA1type = { + _sha1.sha1 + + string: object(c_default="NULL") = b'' ++ * ++ usedforsecurity: bool = True + + Return a new SHA1 hash object; optionally initialized with a string. + [clinic start generated code]*/ + + static PyObject * +-_sha1_sha1_impl(PyObject *module, PyObject *string) +-/*[clinic end generated code: output=e5982830d1dece51 input=27ea54281d995ec2]*/ ++_sha1_sha1_impl(PyObject *module, PyObject *string, int usedforsecurity) ++/*[clinic end generated code: output=6f8b3af05126e18e input=bd54b68e2bf36a8a]*/ + { + SHA1object *new; + Py_buffer buf; +diff --git a/Modules/sha256module.c b/Modules/sha256module.c +index a1c8b1a..8777c59 100644 +--- a/Modules/sha256module.c ++++ b/Modules/sha256module.c +@@ -601,13 +601,15 @@ static PyTypeObject SHA256type = { + _sha256.sha256 + + string: object(c_default="NULL") = b'' ++ * ++ usedforsecurity: bool = True + + Return a new SHA-256 hash object; optionally initialized with a string. + [clinic start generated code]*/ + + static PyObject * +-_sha256_sha256_impl(PyObject *module, PyObject *string) +-/*[clinic end generated code: output=fa644436dcea5c31 input=09cce3fb855056b2]*/ ++_sha256_sha256_impl(PyObject *module, PyObject *string, int usedforsecurity) ++/*[clinic end generated code: output=a1de327e8e1185cf input=9be86301aeb14ea5]*/ + { + SHAobject *new; + Py_buffer buf; +@@ -641,13 +643,15 @@ _sha256_sha256_impl(PyObject *module, PyObject *string) + _sha256.sha224 + + string: object(c_default="NULL") = b'' ++ * ++ usedforsecurity: bool = True + + Return a new SHA-224 hash object; optionally initialized with a string. + [clinic start generated code]*/ + + static PyObject * +-_sha256_sha224_impl(PyObject *module, PyObject *string) +-/*[clinic end generated code: output=21e3ba22c3404f93 input=27a04ba24c353a73]*/ ++_sha256_sha224_impl(PyObject *module, PyObject *string, int usedforsecurity) ++/*[clinic end generated code: output=08be6b36569bc69c input=9fcfb46e460860ac]*/ + { + SHAobject *new; + Py_buffer buf; +diff --git a/Modules/sha512module.c b/Modules/sha512module.c +index 4167fd3..504d40a 100644 +--- a/Modules/sha512module.c ++++ b/Modules/sha512module.c +@@ -666,13 +666,15 @@ static PyTypeObject SHA512type = { + _sha512.sha512 + + string: object(c_default="NULL") = b'' ++ * ++ usedforsecurity: bool = True + + Return a new SHA-512 hash object; optionally initialized with a string. + [clinic start generated code]*/ + + static PyObject * +-_sha512_sha512_impl(PyObject *module, PyObject *string) +-/*[clinic end generated code: output=8b865a2df73bd387 input=e69bad9ae9b6a308]*/ ++_sha512_sha512_impl(PyObject *module, PyObject *string, int usedforsecurity) ++/*[clinic end generated code: output=a8d9e5f9e6a0831c input=23b4daebc2ebb9c9]*/ + { + SHAobject *new; + Py_buffer buf; +@@ -706,13 +708,15 @@ _sha512_sha512_impl(PyObject *module, PyObject *string) + _sha512.sha384 + + string: object(c_default="NULL") = b'' ++ * ++ usedforsecurity: bool = True + + Return a new SHA-384 hash object; optionally initialized with a string. + [clinic start generated code]*/ + + static PyObject * +-_sha512_sha384_impl(PyObject *module, PyObject *string) +-/*[clinic end generated code: output=ae4b2e26decf81e8 input=c9327788d4ea4545]*/ ++_sha512_sha384_impl(PyObject *module, PyObject *string, int usedforsecurity) ++/*[clinic end generated code: output=da7d594a08027ac3 input=59ef72f039a6b431]*/ + { + SHAobject *new; + Py_buffer buf; +-- +2.38.1 + + +From 0ee86826a425528d1f129788ad3e9e144e81da83 Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Mon, 26 Aug 2019 19:09:39 +0200 +Subject: [PATCH 24/36] Test the usedforsecurity flag + +--- + Lib/test/test_hashlib.py | 88 ++++++++++++++++++++++++---------------- + 1 file changed, 54 insertions(+), 34 deletions(-) + +diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py +index 3ee9b14..a991f0a 100644 +--- a/Lib/test/test_hashlib.py ++++ b/Lib/test/test_hashlib.py +@@ -21,6 +21,7 @@ from test import support + from test.support import _4G, bigmemtest, import_fresh_module + from test.support import requires_hashdigest + from http.client import HTTPException ++from functools import partial + + # Were we compiled --with-pydebug or with #define Py_DEBUG? + COMPILED_WITH_PYDEBUG = hasattr(sys, 'gettotalrefcount') +@@ -29,8 +30,10 @@ c_hashlib = import_fresh_module('hashlib', fresh=['_hashlib']) + py_hashlib = import_fresh_module('hashlib', blocked=['_hashlib']) + + if hashlib.get_fips_mode(): +- FIPS_DISABLED = {'md5', 'MD5', 'blake2b', 'blake2s'} ++ FIPS_UNAVAILABLE = {'blake2b', 'blake2s'} ++ FIPS_DISABLED = {'md5', 'MD5', *FIPS_UNAVAILABLE} + else: ++ FIPS_UNAVAILABLE = set() + FIPS_DISABLED = set() + + try: +@@ -80,6 +83,15 @@ def read_vectors(hash_name): + yield parts + + ++def _is_openssl_constructor(constructor): ++ if getattr(constructor, '__name__', '').startswith('openssl_'): ++ return True ++ if isinstance(constructor, partial): ++ if constructor.func.__name__.startswith('openssl_'): ++ return True ++ return False ++ ++ + class HashLibTestCase(unittest.TestCase): + supported_hash_names = ( 'md5', 'MD5', 'sha1', 'SHA1', + 'sha224', 'SHA224', 'sha256', 'SHA256', +@@ -95,8 +107,6 @@ class HashLibTestCase(unittest.TestCase): + + if hashlib.get_fips_mode(): + shakes = set() +- supported_hash_names = tuple( +- n for n in supported_hash_names if n not in FIPS_DISABLED) + + def _conditional_import_module(self, module_name): + """Import a module and return a reference to it or None on failure.""" +@@ -122,7 +132,8 @@ class HashLibTestCase(unittest.TestCase): + def __init__(self, *args, **kwargs): + algorithms = set() + for algorithm in self.supported_hash_names: +- algorithms.add(algorithm.lower()) ++ if algorithm not in FIPS_UNAVAILABLE: ++ algorithms.add(algorithm.lower()) + + _blake2 = self._conditional_import_module('_blake2') + if _blake2: +@@ -132,15 +143,21 @@ class HashLibTestCase(unittest.TestCase): + for algorithm in algorithms: + self.constructors_to_test[algorithm] = set() + ++ def _add_constructor(algorithm, constructor): ++ constructors.add(partial(constructor, usedforsecurity=False)) ++ if algorithm not in FIPS_DISABLED: ++ constructors.add(constructor) ++ constructors.add(partial(constructor, usedforsecurity=True)) ++ + # For each algorithm, test the direct constructor and the use + # of hashlib.new given the algorithm name. + for algorithm, constructors in self.constructors_to_test.items(): +- constructors.add(getattr(hashlib, algorithm)) ++ _add_constructor(algorithm, getattr(hashlib, algorithm)) + def _test_algorithm_via_hashlib_new(data=None, _alg=algorithm, **kwargs): + if data is None: + return hashlib.new(_alg, **kwargs) + return hashlib.new(_alg, data, **kwargs) +- constructors.add(_test_algorithm_via_hashlib_new) ++ _add_constructor(algorithm, _test_algorithm_via_hashlib_new) + + _hashlib = self._conditional_import_module('_hashlib') + self._hashlib = _hashlib +@@ -152,13 +169,7 @@ class HashLibTestCase(unittest.TestCase): + for algorithm, constructors in self.constructors_to_test.items(): + constructor = getattr(_hashlib, 'openssl_'+algorithm, None) + if constructor: +- try: +- constructor() +- except ValueError: +- # default constructor blocked by crypto policy +- pass +- else: +- constructors.add(constructor) ++ _add_constructor(algorithm, constructor) + + def add_builtin_constructor(name): + constructor = getattr(hashlib, "__get_builtin_constructor")(name) +@@ -218,7 +229,7 @@ class HashLibTestCase(unittest.TestCase): + c.hexdigest() + + def test_algorithms_guaranteed(self): +- self.assertEqual(hashlib.algorithms_guaranteed - FIPS_DISABLED, ++ self.assertEqual(hashlib.algorithms_guaranteed, + set(_algo for _algo in self.supported_hash_names + if _algo.islower())) + +@@ -305,7 +316,9 @@ class HashLibTestCase(unittest.TestCase): + self.assertIn(h.name, self.supported_hash_names) + else: + self.assertNotIn(h.name, self.supported_hash_names) +- self.assertEqual(h.name, hashlib.new(h.name).name) ++ if h.name not in FIPS_DISABLED: ++ self.assertEqual(h.name, hashlib.new(h.name).name) ++ self.assertEqual(h.name, hashlib.new(h.name, usedforsecurity=False).name) + + def test_large_update(self): + aas = b'a' * 128 +@@ -347,13 +360,15 @@ class HashLibTestCase(unittest.TestCase): + self.assertGreaterEqual(len(constructors), 2) + for hash_object_constructor in constructors: + if ( +- kwargs +- and hash_object_constructor.__name__.startswith('openssl_') ++ (kwargs.keys() - {'usedforsecurity'}) ++ and _is_openssl_constructor(hash_object_constructor) + ): ++ # Don't check openssl constructors with ++ # any extra keys (except usedforsecurity) + return + m = hash_object_constructor(data, **kwargs) + if shake: +- if hash_object_constructor.__name__.startswith('openssl_'): ++ if _is_openssl_constructor(hash_object_constructor): + if length > m.digest_size: + # OpenSSL doesn't give long digests + return +@@ -370,7 +385,7 @@ class HashLibTestCase(unittest.TestCase): + % (name, hash_object_constructor, + computed, len(data), hexdigest)) + if shake: +- if hash_object_constructor.__name__.startswith('openssl_'): ++ if _is_openssl_constructor(hash_object_constructor): + computed = m.digest()[:length] + else: + computed = m.digest(length) +@@ -388,8 +403,7 @@ class HashLibTestCase(unittest.TestCase): + self.assertRaises(TypeError, hash_object_constructor, 'spam') + + def test_no_unicode(self): +- if not hashlib.get_fips_mode(): +- self.check_no_unicode('md5') ++ self.check_no_unicode('md5') + self.check_no_unicode('sha1') + self.check_no_unicode('sha224') + self.check_no_unicode('sha256') +@@ -416,10 +430,10 @@ class HashLibTestCase(unittest.TestCase): + for hash_object_constructor in constructors: + m = hash_object_constructor() + self.assertEqual(m.block_size, block_size) +- if not hash_object_constructor.__name__.startswith('openssl_'): ++ if not _is_openssl_constructor(hash_object_constructor): + self.assertEqual(m.digest_size, digest_size) + if digest_length: +- if not hash_object_constructor.__name__.startswith('openssl_'): ++ if not _is_openssl_constructor(hash_object_constructor): + self.assertEqual(len(m.digest(digest_length)), + digest_length) + self.assertEqual(len(m.hexdigest(digest_length)), +@@ -457,7 +471,7 @@ class HashLibTestCase(unittest.TestCase): + # _hashopenssl's variant does not have extra SHA3 attributes + continue + self.assertEqual(capacity + rate, 1600) +- if not hash_object_constructor.__name__.startswith('openssl_'): ++ if not _is_openssl_constructor(hash_object_constructor): + self.assertEqual(m._capacity_bits, capacity) + self.assertEqual(m._rate_bits, rate) + self.assertEqual(m._suffix, suffix) +@@ -476,31 +490,27 @@ class HashLibTestCase(unittest.TestCase): + self.check_blocksize_name('blake2b', 128, 64) + self.check_blocksize_name('blake2s', 64, 32) + +- @unittest.skipIf(hashlib.get_fips_mode(), "md5 unacceptable in FIPS mode") + def test_case_md5_0(self): +- self.check('md5', b'', 'd41d8cd98f00b204e9800998ecf8427e') ++ self.check('md5', b'', 'd41d8cd98f00b204e9800998ecf8427e', usedforsecurity=False) + +- @unittest.skipIf(hashlib.get_fips_mode(), "md5 unacceptable in FIPS mode") + def test_case_md5_1(self): +- self.check('md5', b'abc', '900150983cd24fb0d6963f7d28e17f72') ++ self.check('md5', b'abc', '900150983cd24fb0d6963f7d28e17f72', usedforsecurity=False) + +- @unittest.skipIf(hashlib.get_fips_mode(), "md5 unacceptable in FIPS mode") + def test_case_md5_2(self): + self.check('md5', + b'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789', +- 'd174ab98d277d9f5a5611c2c9f419d9f') ++ 'd174ab98d277d9f5a5611c2c9f419d9f', ++ usedforsecurity=False) + +- @unittest.skipIf(hashlib.get_fips_mode(), "md5 unacceptable in FIPS mode") + @unittest.skipIf(sys.maxsize < _4G + 5, 'test cannot run on 32-bit systems') + @bigmemtest(size=_4G + 5, memuse=1, dry_run=False) + def test_case_md5_huge(self, size): +- self.check('md5', b'A'*size, 'c9af2dff37468ce5dfee8f2cfc0a9c6d') ++ self.check('md5', b'A'*size, 'c9af2dff37468ce5dfee8f2cfc0a9c6d', usedforsecurity=False) + +- @unittest.skipIf(hashlib.get_fips_mode(), "md5 unacceptable in FIPS mode") + @unittest.skipIf(sys.maxsize < _4G - 1, 'test cannot run on 32-bit systems') + @bigmemtest(size=_4G - 1, memuse=1, dry_run=False) + def test_case_md5_uintmax(self, size): +- self.check('md5', b'A'*size, '28138d306ff1b8281f1a9067e1a1a2b3') ++ self.check('md5', b'A'*size, '28138d306ff1b8281f1a9067e1a1a2b3', usedforsecurity=False) + + @unittest.skipIf(sys.maxsize < _4G - 1, 'test cannot run on 32-bit systems') + @bigmemtest(size=_4G - 1, memuse=1, dry_run=False) +@@ -934,6 +944,16 @@ class HashLibTestCase(unittest.TestCase): + + self.assertEqual(expected_hash, hasher.hexdigest()) + ++ @unittest.skipUnless(hashlib.get_fips_mode(), 'Needs FIPS mode.') ++ def test_usedforsecurity_repeat(self): ++ """Make sure usedforsecurity flag isn't copied to other contexts""" ++ for i in range(3): ++ for cons in hashlib.md5, partial(hashlib.new, 'md5'): ++ self.assertRaises(ValueError, cons) ++ self.assertRaises(ValueError, partial(cons, usedforsecurity=True)) ++ self.assertEqual(cons(usedforsecurity=False).hexdigest(), ++ 'd41d8cd98f00b204e9800998ecf8427e') ++ + + class KDFTests(unittest.TestCase): + +-- +2.38.1 + + +From 7602d70630fa0e736ad518b243079b658893d653 Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Thu, 29 Aug 2019 10:25:28 +0200 +Subject: [PATCH 25/36] Skip error checking in _hashlib.get_fips_mode + +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1745499 +--- + Modules/_hashopenssl.c | 30 ++++++++++++++++-------------- + 1 file changed, 16 insertions(+), 14 deletions(-) + +diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c +index b4d05ab..a48b607 100644 +--- a/Modules/_hashopenssl.c ++++ b/Modules/_hashopenssl.c +@@ -1260,20 +1260,22 @@ _hashlib_get_fips_mode_impl(PyObject *module) + /*[clinic end generated code: output=ad8a7793310d3f98 input=f42a2135df2a5e11]*/ + + { +- int result = FIPS_mode(); +- if (result == 0) { +- // "If the library was built without support of the FIPS Object Module, +- // then the function will return 0 with an error code of +- // CRYPTO_R_FIPS_MODE_NOT_SUPPORTED (0x0f06d065)." +- // But 0 is also a valid result value. +- +- unsigned long errcode = ERR_peek_last_error(); +- if (errcode) { +- _setException(PyExc_ValueError); +- return NULL; +- } +- } +- return PyLong_FromLong(result); ++ // XXX: This function skips error checking. ++ // This is only appropriate for RHEL. ++ ++ // From the OpenSSL docs: ++ // "If the library was built without support of the FIPS Object Module, ++ // then the function will return 0 with an error code of ++ // CRYPTO_R_FIPS_MODE_NOT_SUPPORTED (0x0f06d065)." ++ // In RHEL: ++ // * we do build with FIPS, so the function always succeeds ++ // * even if it didn't, people seem used to errors being left on the ++ // OpenSSL error stack. ++ ++ // For more info, see: ++ // https://bugzilla.redhat.com/show_bug.cgi?id=1745499 ++ ++ return PyLong_FromLong(FIPS_mode()); + } + + +-- +2.38.1 + + +From 07552e7758fdc9c9610d773b4100d4686b5353a3 Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Thu, 10 Oct 2019 13:04:50 +0200 +Subject: [PATCH 26/36] Skip error checking in _Py_hashlib_fips_error + +https://bugzilla.redhat.com/show_bug.cgi?id=1760106 +--- + Include/_hashopenssl.h | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +diff --git a/Include/_hashopenssl.h b/Include/_hashopenssl.h +index 47ed003..d4cbdef 100644 +--- a/Include/_hashopenssl.h ++++ b/Include/_hashopenssl.h +@@ -42,16 +42,10 @@ static int + _Py_hashlib_fips_error(PyObject *exc, char *name) { + int result = FIPS_mode(); + if (result == 0) { +- // "If the library was built without support of the FIPS Object Module, +- // then the function will return 0 with an error code of +- // CRYPTO_R_FIPS_MODE_NOT_SUPPORTED (0x0f06d065)." +- // But 0 is also a valid result value. ++ // XXX: This function skips error checking. ++ // This is only appropriate for RHEL. ++ // See _hashlib.get_fips_mode for details. + +- unsigned long errcode = ERR_peek_last_error(); +- if (errcode) { +- _setException(exc); +- return 1; +- } + return 0; + } + PyErr_Format(exc, "%s is not available in FIPS mode", name); +-- +2.38.1 + + +From 8be15a9faf79a062be4b0f27605737bc34687e68 Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Mon, 5 Aug 2019 19:12:38 +0200 +Subject: [PATCH 27/36] Fixups + +- Adjust error message of the original hmac.HMAC class +- Don't duplicate a test name +--- + Lib/hmac.py | 2 +- + Lib/test/test_hmac.py | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Lib/hmac.py b/Lib/hmac.py +index 394c810..b2bff7d 100644 +--- a/Lib/hmac.py ++++ b/Lib/hmac.py +@@ -47,7 +47,7 @@ class HMAC: + """ + if _hashlib.get_fips_mode(): + raise ValueError( +- 'hmac.HMAC is not available in FIPS mode. ' ++ 'This class is not available in FIPS mode. ' + + 'Use hmac.new().' + ) + +diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py +index 0a85981..0b481ec 100644 +--- a/Lib/test/test_hmac.py ++++ b/Lib/test/test_hmac.py +@@ -439,7 +439,7 @@ class CopyTestCase(unittest.TestCase): + self.assertTrue(id(h1.outer) != id(h2.outer), + "No real copy of the attribute 'outer'.") + +- def test_realcopy(self): ++ def test_realcopy_by_digest(self): + # Testing if the copy method created a real copy. + h1 = hmac.HMAC(b"key", digestmod="sha1") + h2 = h1.copy() +-- +2.38.1 + + +From 112646fbf2af81df1750140f7486b32296518099 Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Mon, 26 Aug 2019 19:39:48 +0200 +Subject: [PATCH 28/36] Don't re-export get_fips_mode from hashlib + +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1745685 +--- + Lib/distutils/command/upload.py | 3 ++- + Lib/distutils/tests/test_upload.py | 5 +++-- + Lib/hashlib.py | 21 +++++++++++---------- + Lib/hmac.py | 6 +++--- + Lib/test/test_fips.py | 6 +++--- + Lib/test/test_hashlib.py | 16 +++++++++------- + Lib/test/test_hmac.py | 7 ++++--- + Lib/test/test_smtplib.py | 4 +++- + Lib/test/test_tools/test_md5sum.py | 4 ++-- + Lib/test/test_urllib2_localnet.py | 1 + + 10 files changed, 41 insertions(+), 32 deletions(-) + +diff --git a/Lib/distutils/command/upload.py b/Lib/distutils/command/upload.py +index 553617a..8653cae 100644 +--- a/Lib/distutils/command/upload.py ++++ b/Lib/distutils/command/upload.py +@@ -127,7 +127,8 @@ class upload(PyPIRCCommand): + except ValueError as e: + msg = 'calculating md5 checksum failed: %s' % e + self.announce(msg, log.INFO) +- if not hashlib.get_fips_mode(): ++ from _hashlib import get_fips_mode ++ if not get_fips_mode(): + # this really shouldn't fail + raise + else: +diff --git a/Lib/distutils/tests/test_upload.py b/Lib/distutils/tests/test_upload.py +index f720a79..a198b21 100644 +--- a/Lib/distutils/tests/test_upload.py ++++ b/Lib/distutils/tests/test_upload.py +@@ -4,6 +4,7 @@ import unittest + import unittest.mock as mock + from urllib.request import HTTPError + import hashlib ++from _hashlib import get_fips_mode + + from test.support import run_unittest + +@@ -131,7 +132,7 @@ class uploadTestCase(BasePyPIRCCommandTestCase): + + # what did we send ? + headers = dict(self.last_open.req.headers) +- if hashlib.get_fips_mode(): ++ if get_fips_mode(): + # only sha256 hash is used + self.assertEqual(headers['Content-length'], '2197') + else: +@@ -172,7 +173,7 @@ class uploadTestCase(BasePyPIRCCommandTestCase): + cmd.run() + + headers = dict(self.last_open.req.headers) +- if hashlib.get_fips_mode(): ++ if get_fips_mode(): + # only sha256 hash is used + self.assertEqual(headers['Content-length'], '2207') + else: +diff --git a/Lib/hashlib.py b/Lib/hashlib.py +index 898e6dc..2fc214e 100644 +--- a/Lib/hashlib.py ++++ b/Lib/hashlib.py +@@ -76,12 +76,12 @@ __block_openssl_constructor = { + } + + try: +- from _hashlib import get_fips_mode ++ from _hashlib import get_fips_mode as _hashlib_get_fips_mode + except ImportError: +- def get_fips_mode(): ++ def _hashlib_get_fips_mode(): + return 0 + +-if not get_fips_mode(): ++if not _hashlib_get_fips_mode(): + __builtin_constructor_cache = {} + + def __get_builtin_constructor(name): +@@ -129,7 +129,7 @@ if not get_fips_mode(): + + + def __get_openssl_constructor(name): +- if not get_fips_mode(): ++ if not _hashlib_get_fips_mode(): + if name in __block_openssl_constructor: + # Prefer our blake2 and sha3 implementation. + return __get_builtin_constructor(name) +@@ -137,7 +137,7 @@ def __get_openssl_constructor(name): + f = getattr(_hashlib, 'openssl_' + name) + # Allow the C module to raise ValueError. The function will be + # defined but the hash not actually available thanks to OpenSSL. +- if not get_fips_mode(): ++ if not _hashlib.get_fips_mode(): + # N.B. In "FIPS mode", there is no fallback. + # If this test fails, we want to export the broken hash + # constructor anyway. +@@ -148,7 +148,7 @@ def __get_openssl_constructor(name): + return __get_builtin_constructor(name) + + +-if not get_fips_mode(): ++if not _hashlib_get_fips_mode(): + def __py_new(name, data=b'', **kwargs): + """new(name, data=b'', **kwargs) - Return a new hashing object using the + named algorithm; optionally initialized with data (which must be +@@ -161,7 +161,7 @@ def __hash_new(name, data=b'', **kwargs): + """new(name, data=b'') - Return a new hashing object using the named algorithm; + optionally initialized with data (which must be a bytes-like object). + """ +- if not get_fips_mode(): ++ if not _hashlib.get_fips_mode(): + if name in __block_openssl_constructor: + # Prefer our blake2 and sha3 implementation + # OpenSSL 1.1.0 comes with a limited implementation of blake2b/s. +@@ -175,7 +175,7 @@ def __hash_new(name, data=b'', **kwargs): + # hash, try using our builtin implementations. + # This allows for SHA224/256 and SHA384/512 support even though + # the OpenSSL library prior to 0.9.8 doesn't provide them. +- if get_fips_mode(): ++ if _hashlib.get_fips_mode(): + raise + return __get_builtin_constructor(name)(data) + +@@ -187,7 +187,7 @@ try: + algorithms_available = algorithms_available.union( + _hashlib.openssl_md_meth_names) + except ImportError: +- if get_fips_mode(): ++ if _hashlib_get_fips_mode(): + raise + new = __py_new + __get_hash = __get_builtin_constructor +@@ -215,5 +215,6 @@ for __func_name in __always_supported: + # Cleanup locals() + del __always_supported, __func_name, __get_hash + del __hash_new, __get_openssl_constructor +-if not get_fips_mode(): ++if not _hashlib.get_fips_mode(): + del __py_new ++del _hashlib_get_fips_mode +diff --git a/Lib/hmac.py b/Lib/hmac.py +index b2bff7d..5055027 100644 +--- a/Lib/hmac.py ++++ b/Lib/hmac.py +@@ -45,7 +45,7 @@ class HMAC: + msg argument. Passing it as a keyword argument is + recommended, though not required for legacy API reasons. + """ +- if _hashlib.get_fips_mode(): ++ if _hashlibopenssl.get_fips_mode(): + raise ValueError( + 'This class is not available in FIPS mode. ' + + 'Use hmac.new().' +@@ -100,7 +100,7 @@ class HMAC: + + def update(self, msg): + """Feed data from msg into this hashing object.""" +- if _hashlib.get_fips_mode(): ++ if _hashlibopenssl.get_fips_mode(): + raise ValueError('hmac.HMAC is not available in FIPS mode') + self.inner.update(msg) + +@@ -168,7 +168,7 @@ class HMAC_openssl(_hmacopenssl.HMAC): + return result + + +-if _hashlib.get_fips_mode(): ++if _hashlibopenssl.get_fips_mode(): + HMAC = HMAC_openssl + + +diff --git a/Lib/test/test_fips.py b/Lib/test/test_fips.py +index 34812e6..86e61e2 100644 +--- a/Lib/test/test_fips.py ++++ b/Lib/test/test_fips.py +@@ -6,7 +6,7 @@ import hashlib, _hashlib + + class HashlibFipsTests(unittest.TestCase): + +- @unittest.skipUnless(hashlib.get_fips_mode(), "Test only when FIPS is enabled") ++ @unittest.skipUnless(_hashlib.get_fips_mode(), "Test only when FIPS is enabled") + def test_fips_imports(self): + """blake2s and blake2b should fail to import in FIPS mode + """ +@@ -30,7 +30,7 @@ class HashlibFipsTests(unittest.TestCase): + + self.assertEqual(m, h) + +- @unittest.skipIf(hashlib.get_fips_mode(), "blake2 hashes are not available under FIPS") ++ @unittest.skipIf(_hashlib.get_fips_mode(), "blake2 hashes are not available under FIPS") + def test_blake2_hashes(self): + self.compare_hashes(hashlib.blake2b(b'abc'), _hashlib.openssl_blake2b(b'abc')) + self.compare_hashes(hashlib.blake2s(b'abc'), _hashlib.openssl_blake2s(b'abc')) +@@ -41,7 +41,7 @@ class HashlibFipsTests(unittest.TestCase): + self.compare_hashes(hashlib.sha3_384(b'abc'), _hashlib.openssl_sha3_384(b'abc')) + self.compare_hashes(hashlib.sha3_512(b'abc'), _hashlib.openssl_sha3_512(b'abc')) + +- @unittest.skipIf(hashlib.get_fips_mode(), "shake hashes are not available under FIPS") ++ @unittest.skipIf(_hashlib.get_fips_mode(), "shake hashes are not available under FIPS") + def test_shake_hashes(self): + self.compare_hashes(hashlib.shake_128(b'abc'), _hashlib.openssl_shake_128(b'abc')) + self.compare_hashes(hashlib.shake_256(b'abc'), _hashlib.openssl_shake_256(b'abc')) +diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py +index a991f0a..b535059 100644 +--- a/Lib/test/test_hashlib.py ++++ b/Lib/test/test_hashlib.py +@@ -29,7 +29,9 @@ COMPILED_WITH_PYDEBUG = hasattr(sys, 'gettotalrefcount') + c_hashlib = import_fresh_module('hashlib', fresh=['_hashlib']) + py_hashlib = import_fresh_module('hashlib', blocked=['_hashlib']) + +-if hashlib.get_fips_mode(): ++from _hashlib import get_fips_mode as _get_fips_mode ++ ++if _get_fips_mode(): + FIPS_UNAVAILABLE = {'blake2b', 'blake2s'} + FIPS_DISABLED = {'md5', 'MD5', *FIPS_UNAVAILABLE} + else: +@@ -105,7 +107,7 @@ class HashLibTestCase(unittest.TestCase): + # Issue #14693: fallback modules are always compiled under POSIX + _warn_on_extension_import = os.name == 'posix' or COMPILED_WITH_PYDEBUG + +- if hashlib.get_fips_mode(): ++ if _get_fips_mode(): + shakes = set() + + def _conditional_import_module(self, module_name): +@@ -116,7 +118,7 @@ class HashLibTestCase(unittest.TestCase): + if self._warn_on_extension_import: + warnings.warn('Did a C extension fail to compile? %s' % error) + except ImportError as error: +- if not hashlib.get_fips_mode(): ++ if not _get_fips_mode(): + raise + return None + +@@ -253,12 +255,12 @@ class HashLibTestCase(unittest.TestCase): + def test_new_upper_to_lower(self): + self.assertEqual(hashlib.new("SHA256").name, "sha256") + +- @unittest.skipUnless(hashlib.get_fips_mode(), "Builtin constructor only unavailable in FIPS mode") ++ @unittest.skipUnless(_get_fips_mode(), "Builtin constructor only unavailable in FIPS mode") + def test_get_builtin_constructor_fips(self): + with self.assertRaises(AttributeError): + hashlib.__get_builtin_constructor + +- @unittest.skipIf(hashlib.get_fips_mode(), "No builtin constructors in FIPS mode") ++ @unittest.skipIf(_get_fips_mode(), "No builtin constructors in FIPS mode") + def test_get_builtin_constructor(self): + get_builtin_constructor = getattr(hashlib, + '__get_builtin_constructor') +@@ -446,7 +448,7 @@ class HashLibTestCase(unittest.TestCase): + self.assertIn(name.split("_")[0], repr(m)) + + def test_blocksize_name(self): +- if not hashlib.get_fips_mode(): ++ if not _get_fips_mode(): + self.check_blocksize_name('md5', 64, 16) + self.check_blocksize_name('sha1', 64, 20) + self.check_blocksize_name('sha224', 64, 28) +@@ -944,7 +946,7 @@ class HashLibTestCase(unittest.TestCase): + + self.assertEqual(expected_hash, hasher.hexdigest()) + +- @unittest.skipUnless(hashlib.get_fips_mode(), 'Needs FIPS mode.') ++ @unittest.skipUnless(_get_fips_mode(), 'Needs FIPS mode.') + def test_usedforsecurity_repeat(self): + """Make sure usedforsecurity flag isn't copied to other contexts""" + for i in range(3): +diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py +index 0b481ec..cc77928 100644 +--- a/Lib/test/test_hmac.py ++++ b/Lib/test/test_hmac.py +@@ -5,6 +5,7 @@ import hashlib + import unittest + import unittest.mock + import warnings ++from _hashlib import get_fips_mode + + from test.support import requires_hashdigest + +@@ -288,7 +289,7 @@ class TestVectorsTestCase(unittest.TestCase): + def test_sha512_rfc4231(self): + self._rfc4231_test_cases(hashlib.sha512, 'sha512', 64, 128) + +- @unittest.skipIf(hashlib.get_fips_mode(), 'MockCrazyHash unacceptable in FIPS mode.') ++ @unittest.skipIf(get_fips_mode(), 'MockCrazyHash unacceptable in FIPS mode.') + @requires_hashdigest('sha256') + def test_legacy_block_size_warnings(self): + class MockCrazyHash(object): +@@ -413,7 +414,7 @@ class SanityTestCase(unittest.TestCase): + + class CopyTestCase(unittest.TestCase): + +- @unittest.skipIf(hashlib.get_fips_mode(), "Internal attributes unavailable in FIPS mode") ++ @unittest.skipIf(get_fips_mode(), "Internal attributes unavailable in FIPS mode") + @requires_hashdigest('sha256') + def test_attributes(self): + # Testing if attributes are of same type. +@@ -426,7 +427,7 @@ class CopyTestCase(unittest.TestCase): + self.assertEqual(type(h1.outer), type(h2.outer), + "Types of outer don't match.") + +- @unittest.skipIf(hashlib.get_fips_mode(), "Internal attributes unavailable in FIPS mode") ++ @unittest.skipIf(get_fips_mode(), "Internal attributes unavailable in FIPS mode") + @requires_hashdigest('sha256') + def test_realcopy(self): + # Testing if the copy method created a real copy. +diff --git a/Lib/test/test_smtplib.py b/Lib/test/test_smtplib.py +index d14eb45..af53ec9 100644 +--- a/Lib/test/test_smtplib.py ++++ b/Lib/test/test_smtplib.py +@@ -17,6 +17,8 @@ import select + import errno + import textwrap + import threading ++import hashlib ++from _hashlib import get_fips_mode + + import unittest + from test import support, mock_socket +@@ -1114,7 +1116,7 @@ class SMTPSimTests(unittest.TestCase): + + def testAUTH_multiple(self): + # Test that multiple authentication methods are tried. +- self.serv.add_feature("AUTH BOGUS PLAIN LOGIN CRAM-MD5") ++ self.serv.add_feature("AUTH BOGUS PLAIN LOGIN") + smtp = smtplib.SMTP(HOST, self.port, local_hostname='localhost', timeout=15) + resp = smtp.login(sim_auth[0], sim_auth[1]) + self.assertEqual(resp, (235, b'Authentication Succeeded')) +diff --git a/Lib/test/test_tools/test_md5sum.py b/Lib/test/test_tools/test_md5sum.py +index 7028a4d..3ba1ca0 100644 +--- a/Lib/test/test_tools/test_md5sum.py ++++ b/Lib/test/test_tools/test_md5sum.py +@@ -4,13 +4,13 @@ import os + import unittest + from test import support + from test.support.script_helper import assert_python_ok, assert_python_failure +-import hashlib ++import _hashlib + + from test.test_tools import scriptsdir, skip_if_missing + + skip_if_missing() + +-if hashlib.get_fips_mode(): ++if _hashlib.get_fips_mode(): + raise unittest.SkipTest("md5sum won't work at all in FIPS mode") + + class MD5SumTests(unittest.TestCase): +diff --git a/Lib/test/test_urllib2_localnet.py b/Lib/test/test_urllib2_localnet.py +index 1cb358f..6f5cb7f 100644 +--- a/Lib/test/test_urllib2_localnet.py ++++ b/Lib/test/test_urllib2_localnet.py +@@ -7,6 +7,7 @@ import http.server + import threading + import unittest + import hashlib ++from _hashlib import get_fips_mode + + from test import support + +-- +2.38.1 + + +From 69a0ddba408a9595aa0fc5b3fdfe7e59838acea2 Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Wed, 20 Nov 2019 10:59:25 +0100 +Subject: [PATCH 29/36] Use FIPS compliant CSPRNG + +Kernel's getrandom() source is not yet FIPS compliant. Use OpenSSL's +DRBG in FIPS mode and disable os.getrandom() function. + +Signed-off-by: Christian Heimes +--- + Lib/test/test_os.py | 5 +++ + Makefile.pre.in | 2 +- + Modules/posixmodule.c | 8 +++++ + Python/bootstrap_hash.c | 75 +++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 89 insertions(+), 1 deletion(-) + +diff --git a/Lib/test/test_os.py b/Lib/test/test_os.py +index 5302b1c..ed335ad 100644 +--- a/Lib/test/test_os.py ++++ b/Lib/test/test_os.py +@@ -1546,6 +1546,11 @@ class GetRandomTests(unittest.TestCase): + raise unittest.SkipTest("getrandom() syscall fails with ENOSYS") + else: + raise ++ except ValueError as exc: ++ if exc.args[0] == "getrandom is not FIPS compliant": ++ raise unittest.SkipTest("Skip in FIPS mode") ++ else: ++ raise + + def test_getrandom_type(self): + data = os.getrandom(16) +diff --git a/Makefile.pre.in b/Makefile.pre.in +index 381a8ab..e7778f4 100644 +--- a/Makefile.pre.in ++++ b/Makefile.pre.in +@@ -116,7 +116,7 @@ PY_STDMODULE_CFLAGS= $(PY_CFLAGS) $(PY_CFLAGS_NODIST) $(PY_CPPFLAGS) $(CFLAGSFOR + PY_BUILTIN_MODULE_CFLAGS= $(PY_STDMODULE_CFLAGS) -DPy_BUILD_CORE_BUILTIN + PY_CORE_CFLAGS= $(PY_STDMODULE_CFLAGS) -DPy_BUILD_CORE + # Linker flags used for building the interpreter object files +-PY_CORE_LDFLAGS=$(PY_LDFLAGS) $(PY_LDFLAGS_NODIST) ++PY_CORE_LDFLAGS=$(PY_LDFLAGS) $(PY_LDFLAGS_NODIST) -lcrypto + # Strict or non-strict aliasing flags used to compile dtoa.c, see above + CFLAGS_ALIASING=@CFLAGS_ALIASING@ + +diff --git a/Modules/posixmodule.c b/Modules/posixmodule.c +index d7edabe..f825d5a 100644 +--- a/Modules/posixmodule.c ++++ b/Modules/posixmodule.c +@@ -389,6 +389,9 @@ extern char *ctermid_r(char *); + #define MODNAME "posix" + #endif + ++/* for FIPS check in os.getrandom() */ ++#include ++ + #if defined(__sun) + /* Something to implement in autoconf, not present in autoconf 2.69 */ + #define HAVE_STRUCT_STAT_ST_FSTYPE 1 +@@ -13650,6 +13653,11 @@ os_getrandom_impl(PyObject *module, Py_ssize_t size, int flags) + return posix_error(); + } + ++ if (FIPS_mode()) { ++ PyErr_SetString(PyExc_ValueError, "getrandom is not FIPS compliant"); ++ return NULL; ++ } ++ + bytes = PyBytes_FromStringAndSize(NULL, size); + if (bytes == NULL) { + PyErr_NoMemory(); +diff --git a/Python/bootstrap_hash.c b/Python/bootstrap_hash.c +index eb2b6d0..cb38cfe 100644 +--- a/Python/bootstrap_hash.c ++++ b/Python/bootstrap_hash.c +@@ -409,6 +409,77 @@ dev_urandom_close(void) + } + #endif /* !MS_WINDOWS */ + ++#include ++#include ++#include ++ ++#if (OPENSSL_VERSION_NUMBER < 0x10101000L) || defined(LIBRESSL_VERSION_NUMBER) ++# error "py_openssl_drbg_urandom requires OpenSSL 1.1.1 for fork safety" ++#endif ++ ++static void ++py_openssl_set_exception(PyObject* exc) { ++ unsigned long errcode; ++ const char *lib, *func, *reason; ++ ++ errcode = ERR_peek_last_error(); ++ if (!errcode) { ++ PyErr_SetString(exc, "unknown reasons"); ++ } ++ ERR_clear_error(); ++ ++ lib = ERR_lib_error_string(errcode); ++ func = ERR_func_error_string(errcode); ++ reason = ERR_reason_error_string(errcode); ++ ++ if (lib && func) { ++ PyErr_Format(exc, "[%s: %s] %s", lib, func, reason); ++ } ++ else if (lib) { ++ PyErr_Format(exc, "[%s] %s", lib, reason); ++ } ++ else { ++ PyErr_SetString(exc, reason); ++ } ++} ++ ++static int ++py_openssl_drbg_urandom(char *buffer, Py_ssize_t size, int raise) ++{ ++ int res; ++ static int init = 0; ++ ++ if (!init) { ++ init = 1; ++ res = OPENSSL_init_crypto(OPENSSL_INIT_ATFORK, NULL); ++ if (res == 0) { ++ if (raise) { ++ py_openssl_set_exception(PyExc_RuntimeError); ++ } ++ return 0; ++ } ++ } ++ ++ if (size > INT_MAX) { ++ if (raise) { ++ PyErr_Format(PyExc_OverflowError, ++ "RAND_bytes() size is limited to 2GB."); ++ } ++ return -1; ++ } ++ ++ res = RAND_bytes((unsigned char*)buffer, (int)size); ++ ++ if (res == 1) { ++ return 1; ++ } else { ++ if (raise) { ++ py_openssl_set_exception(PyExc_RuntimeError); ++ } ++ return 0; ++ } ++} ++ + + /* Fill buffer with pseudo-random bytes generated by a linear congruent + generator (LCG): +@@ -493,6 +564,10 @@ pyurandom(void *buffer, Py_ssize_t size, int blocking, int raise) + return 0; + } + ++ if (FIPS_mode()) { ++ return py_openssl_drbg_urandom(buffer, size, raise); ++ } ++ + #ifdef MS_WINDOWS + return win32_urandom((unsigned char *)buffer, size, raise); + #else +-- +2.38.1 + + +From 72894033d2c1d29897204c5272d8f2878c17254c Mon Sep 17 00:00:00 2001 +From: Charalampos Stratakis +Date: Thu, 28 Nov 2019 17:26:02 +0100 +Subject: [PATCH 30/36] Fixups for FIPS compliant CSPRNG + +--- + Lib/test/test_os.py | 3 ++- + Python/bootstrap_hash.c | 33 +++------------------------------ + 2 files changed, 5 insertions(+), 31 deletions(-) + +diff --git a/Lib/test/test_os.py b/Lib/test/test_os.py +index ed335ad..f306316 100644 +--- a/Lib/test/test_os.py ++++ b/Lib/test/test_os.py +@@ -28,6 +28,7 @@ import time + import unittest + import uuid + import warnings ++from _hashlib import get_fips_mode + from test import support + from platform import win32_is_iot + +@@ -1547,7 +1548,7 @@ class GetRandomTests(unittest.TestCase): + else: + raise + except ValueError as exc: +- if exc.args[0] == "getrandom is not FIPS compliant": ++ if get_fips_mode() and exc.args[0] == "getrandom is not FIPS compliant": + raise unittest.SkipTest("Skip in FIPS mode") + else: + raise +diff --git a/Python/bootstrap_hash.c b/Python/bootstrap_hash.c +index cb38cfe..08fa29a 100644 +--- a/Python/bootstrap_hash.c ++++ b/Python/bootstrap_hash.c +@@ -409,40 +409,13 @@ dev_urandom_close(void) + } + #endif /* !MS_WINDOWS */ + +-#include +-#include + #include ++#include <_hashopenssl.h> + + #if (OPENSSL_VERSION_NUMBER < 0x10101000L) || defined(LIBRESSL_VERSION_NUMBER) + # error "py_openssl_drbg_urandom requires OpenSSL 1.1.1 for fork safety" + #endif + +-static void +-py_openssl_set_exception(PyObject* exc) { +- unsigned long errcode; +- const char *lib, *func, *reason; +- +- errcode = ERR_peek_last_error(); +- if (!errcode) { +- PyErr_SetString(exc, "unknown reasons"); +- } +- ERR_clear_error(); +- +- lib = ERR_lib_error_string(errcode); +- func = ERR_func_error_string(errcode); +- reason = ERR_reason_error_string(errcode); +- +- if (lib && func) { +- PyErr_Format(exc, "[%s: %s] %s", lib, func, reason); +- } +- else if (lib) { +- PyErr_Format(exc, "[%s] %s", lib, reason); +- } +- else { +- PyErr_SetString(exc, reason); +- } +-} +- + static int + py_openssl_drbg_urandom(char *buffer, Py_ssize_t size, int raise) + { +@@ -454,7 +427,7 @@ py_openssl_drbg_urandom(char *buffer, Py_ssize_t size, int raise) + res = OPENSSL_init_crypto(OPENSSL_INIT_ATFORK, NULL); + if (res == 0) { + if (raise) { +- py_openssl_set_exception(PyExc_RuntimeError); ++ _setException(PyExc_RuntimeError); + } + return 0; + } +@@ -474,7 +447,7 @@ py_openssl_drbg_urandom(char *buffer, Py_ssize_t size, int raise) + return 1; + } else { + if (raise) { +- py_openssl_set_exception(PyExc_RuntimeError); ++ _setException(PyExc_RuntimeError); + } + return 0; + } +-- +2.38.1 + + +From d8bc6ab755acf0e2feffda802aeed032a2319df8 Mon Sep 17 00:00:00 2001 +From: Charalampos Stratakis +Date: Thu, 2 Apr 2020 16:50:37 +0200 +Subject: [PATCH 31/36] Do not raise a ValueError if digestmod is missing in + FIPS + +Python 3.8 already requires the digestmod argument and raises +a TypeError if it's missing, so we remove our downstream check +for it. +--- + Lib/hmac.py | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/Lib/hmac.py b/Lib/hmac.py +index 5055027..ee1ad76 100644 +--- a/Lib/hmac.py ++++ b/Lib/hmac.py +@@ -143,8 +143,6 @@ class HMAC: + return h.hexdigest() + + def _get_openssl_name(digestmod): +- if digestmod is None: +- raise ValueError("'digestmod' argument is mandatory in FIPS mode") + if isinstance(digestmod, str): + return digestmod.lower() + elif callable(digestmod): +-- +2.38.1 + + +From 9dd6dc8c11b96ac74abf220ed76d1176041c3711 Mon Sep 17 00:00:00 2001 +From: Charalampos Stratakis +Date: Thu, 2 Apr 2020 16:55:36 +0200 +Subject: [PATCH 32/36] Regenerate the clinic files + +--- + Modules/_hmacopenssl.c | 4 ++-- + Modules/clinic/_hmacopenssl.c.h | 22 +++++++++++++++------- + 2 files changed, 17 insertions(+), 9 deletions(-) + +diff --git a/Modules/_hmacopenssl.c b/Modules/_hmacopenssl.c +index a24c8ba..9577cad 100644 +--- a/Modules/_hmacopenssl.c ++++ b/Modules/_hmacopenssl.c +@@ -132,12 +132,12 @@ error: + /*[clinic input] + _hmacopenssl.HMAC.copy + +-Return a copy (“clone”) of the HMAC object. ++Return a copy ("clone") of the HMAC object. + [clinic start generated code]*/ + + static PyObject * + _hmacopenssl_HMAC_copy_impl(HmacObject *self) +-/*[clinic end generated code: output=fe5ee41faf30dcf0 input=f5ed20feec42d8d0]*/ ++/*[clinic end generated code: output=fe5ee41faf30dcf0 input=06e7dbc1af7f4a13]*/ + { + HmacObject *retval; + +diff --git a/Modules/clinic/_hmacopenssl.c.h b/Modules/clinic/_hmacopenssl.c.h +index 861acc1..527be83 100644 +--- a/Modules/clinic/_hmacopenssl.c.h ++++ b/Modules/clinic/_hmacopenssl.c.h +@@ -6,7 +6,7 @@ PyDoc_STRVAR(_hmacopenssl_HMAC_copy__doc__, + "copy($self, /)\n" + "--\n" + "\n" +-"Return a copy (“clone”) of the HMAC object."); ++"Return a copy (\"clone\") of the HMAC object."); + + #define _HMACOPENSSL_HMAC_COPY_METHODDEF \ + {"copy", (PyCFunction)_hmacopenssl_HMAC_copy, METH_NOARGS, _hmacopenssl_HMAC_copy__doc__}, +@@ -27,21 +27,29 @@ PyDoc_STRVAR(_hmacopenssl_HMAC_update__doc__, + "Update the HMAC object with msg."); + + #define _HMACOPENSSL_HMAC_UPDATE_METHODDEF \ +- {"update", (PyCFunction)_hmacopenssl_HMAC_update, METH_FASTCALL, _hmacopenssl_HMAC_update__doc__}, ++ {"update", (PyCFunction)(void(*)(void))_hmacopenssl_HMAC_update, METH_FASTCALL|METH_KEYWORDS, _hmacopenssl_HMAC_update__doc__}, + + static PyObject * + _hmacopenssl_HMAC_update_impl(HmacObject *self, Py_buffer *msg); + + static PyObject * +-_hmacopenssl_HMAC_update(HmacObject *self, PyObject **args, Py_ssize_t nargs, PyObject *kwnames) ++_hmacopenssl_HMAC_update(HmacObject *self, PyObject *const *args, Py_ssize_t nargs, PyObject *kwnames) + { + PyObject *return_value = NULL; + static const char * const _keywords[] = {"msg", NULL}; +- static _PyArg_Parser _parser = {"y*:update", _keywords, 0}; ++ static _PyArg_Parser _parser = {NULL, _keywords, "update", 0}; ++ PyObject *argsbuf[1]; + Py_buffer msg = {NULL, NULL}; + +- if (!_PyArg_ParseStack(args, nargs, kwnames, &_parser, +- &msg)) { ++ args = _PyArg_UnpackKeywords(args, nargs, NULL, kwnames, &_parser, 1, 1, 0, argsbuf); ++ if (!args) { ++ goto exit; ++ } ++ if (PyObject_GetBuffer(args[0], &msg, PyBUF_SIMPLE) != 0) { ++ goto exit; ++ } ++ if (!PyBuffer_IsContiguous(&msg, 'C')) { ++ _PyArg_BadArgument("update", "argument 'msg'", "contiguous buffer", args[0]); + goto exit; + } + return_value = _hmacopenssl_HMAC_update_impl(self, &msg); +@@ -93,4 +101,4 @@ _hmacopenssl_HMAC_hexdigest(HmacObject *self, PyObject *Py_UNUSED(ignored)) + { + return _hmacopenssl_HMAC_hexdigest_impl(self); + } +-/*[clinic end generated code: output=d93ad460795d49b5 input=a9049054013a1b77]*/ ++/*[clinic end generated code: output=9b75c31e1116bf6f input=a9049054013a1b77]*/ +-- +2.38.1 + + +From f646402958e8d284519ef7f72d0225ace210ffa7 Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Tue, 7 Apr 2020 15:16:45 +0200 +Subject: [PATCH 33/36] Pass kwargs (like usedforsecurity) through __hash_new + +--- + Lib/hashlib.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Lib/hashlib.py b/Lib/hashlib.py +index 2fc214e..785858f 100644 +--- a/Lib/hashlib.py ++++ b/Lib/hashlib.py +@@ -169,7 +169,7 @@ def __hash_new(name, data=b'', **kwargs): + # salt, personal, tree hashing or SSE. + return __get_builtin_constructor(name)(data, **kwargs) + try: +- return _hashlib.new(name, data) ++ return _hashlib.new(name, data, **kwargs) + except ValueError: + # If the _hashlib module (OpenSSL) doesn't support the named + # hash, try using our builtin implementations. +@@ -177,7 +177,7 @@ def __hash_new(name, data=b'', **kwargs): + # the OpenSSL library prior to 0.9.8 doesn't provide them. + if _hashlib.get_fips_mode(): + raise +- return __get_builtin_constructor(name)(data) ++ return __get_builtin_constructor(name)(data, **kwargs) + + + try: +-- +2.38.1 + + +From bd206ed69e7c19b62f0174a649b5c2d03f0d9f5b Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Tue, 7 Apr 2020 15:18:48 +0200 +Subject: [PATCH 34/36] Adjust new upstream test for failing hashes with + usedforsecurity + +--- + Lib/test/test_hashlib.py | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py +index b535059..6e846c4 100644 +--- a/Lib/test/test_hashlib.py ++++ b/Lib/test/test_hashlib.py +@@ -239,15 +239,23 @@ class HashLibTestCase(unittest.TestCase): + self.assertTrue(set(hashlib.algorithms_guaranteed). + issubset(hashlib.algorithms_available)) + +- def test_usedforsecurity(self): ++ def test_usedforsecurity_false(self): + for cons in self.hash_constructors: +- cons(usedforsecurity=True) + cons(usedforsecurity=False) +- cons(b'', usedforsecurity=True) + cons(b'', usedforsecurity=False) +- hashlib.new("sha256", usedforsecurity=True) + hashlib.new("sha256", usedforsecurity=False) + ++ def test_usedforsecurity_true(self): ++ if _get_fips_mode(): ++ with self.assertRaises(ValueError): ++ hashlib.new("md5", usedforsecurity=True) ++ else: ++ for cons in self.hash_constructors: ++ cons(usedforsecurity=True) ++ cons(b'', usedforsecurity=True) ++ ++ hashlib.new("sha256", usedforsecurity=True) ++ + def test_unknown_hash(self): + self.assertRaises(ValueError, hashlib.new, 'spam spam spam spam spam') + self.assertRaises(TypeError, hashlib.new, 1) +-- +2.38.1 + + +From d1ce20110573989382948a901896169eb637b265 Mon Sep 17 00:00:00 2001 +From: Charalampos Stratakis +Date: Fri, 24 Apr 2020 19:57:16 +0200 +Subject: [PATCH 35/36] Skip the test_with_digestmod_no_default under FIPS + +Also add a new test for testing the error values of +the digestmod parameter misuse under FIPS mode. +--- + Lib/test/test_hmac.py | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py +index cc77928..fd068e0 100644 +--- a/Lib/test/test_hmac.py ++++ b/Lib/test/test_hmac.py +@@ -313,6 +313,7 @@ class TestVectorsTestCase(unittest.TestCase): + hmac.HMAC(b'a', b'b', digestmod=MockCrazyHash) + self.fail('Expected warning about small block_size') + ++ @unittest.skipIf(get_fips_mode(), "digestmod misuse raises different errors under FIPS mode") + def test_with_digestmod_no_default(self): + """The digestmod parameter is required as of Python 3.8.""" + with self.assertRaisesRegex(TypeError, r'required.*digestmod'): +@@ -324,6 +325,18 @@ class TestVectorsTestCase(unittest.TestCase): + with self.assertRaisesRegex(TypeError, r'required.*digestmod'): + hmac.HMAC(key, msg=data, digestmod='') + ++ @unittest.skipIf(not get_fips_mode(), "test is run only under FIPS mode") ++ def test_with_digestmod_no_default_under_fips(self): ++ """Test the error values of digestmod misuse under FIPS mode.""" ++ with self.assertRaises(TypeError): ++ key = b"\x0b" * 16 ++ data = b"Hi There" ++ hmac.HMAC(key, data, digestmod=None) ++ with self.assertRaises(ValueError): ++ hmac.new(key, data) ++ with self.assertRaises(ValueError): ++ hmac.HMAC(key, msg=data, digestmod='') ++ + + class ConstructorTestCase(unittest.TestCase): + +-- +2.38.1 + + +From bff06e176e60200582a42611d4fe3c240da314a3 Mon Sep 17 00:00:00 2001 +From: Charalampos Stratakis +Date: Tue, 31 Mar 2020 18:00:42 +0200 +Subject: [PATCH 36/36] Add a sentinel value on the Hmac_members table of the + hmac module + +--- + Modules/_hmacopenssl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/Modules/_hmacopenssl.c b/Modules/_hmacopenssl.c +index 9577cad..4bd7c15 100644 +--- a/Modules/_hmacopenssl.c ++++ b/Modules/_hmacopenssl.c +@@ -337,6 +337,7 @@ static PyGetSetDef Hmac_getset[] = { + + static PyMemberDef Hmac_members[] = { + {"name", T_OBJECT, offsetof(HmacObject, name), READONLY, PyDoc_STR("HMAC name")}, ++ {NULL} /* Sentinel */ + }; + + PyDoc_STRVAR(hmactype_doc, +-- +2.38.1 + diff --git a/SOURCES/00353-architecture-names-upstream-downstream.patch b/SOURCES/00353-architecture-names-upstream-downstream.patch new file mode 100644 index 0000000..290433b --- /dev/null +++ b/SOURCES/00353-architecture-names-upstream-downstream.patch @@ -0,0 +1,97 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Lumir Balhar +Date: Tue, 4 Aug 2020 12:04:03 +0200 +Subject: [PATCH] 00353: Original names for architectures with different names + downstream +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +https://fedoraproject.org/wiki/Changes/Python_Upstream_Architecture_Names + +Pythons in RHEL/Fedora used different names for some architectures +than upstream and other distros (for example ppc64 vs. powerpc64). +This was patched in patch 274, now it is sedded if %with legacy_archnames. + +That meant that an extension built with the default upstream settings +(on other distro or as an manylinux wheel) could not been found by Python +on RHEL/Fedora because it had a different suffix. +This patch adds the legacy names to importlib so Python is able +to import extensions with a legacy architecture name in its +file name. +It work both ways, so it support both %with and %without legacy_archnames. + +WARNING: This patch has no effect on Python built with bootstrap +enabled because Python/importlib_external.h is not regenerated +and therefore Python during bootstrap contains importlib from +upstream without this feature. It's possible to include +Python/importlib_external.h to this patch but it'd make rebasing +a nightmare because it's basically a binary file. + +Co-authored-by: Miro Hrončok +--- + Lib/importlib/_bootstrap_external.py | 40 ++++++++++++++++++++++++++-- + 1 file changed, 38 insertions(+), 2 deletions(-) + +diff --git a/Lib/importlib/_bootstrap_external.py b/Lib/importlib/_bootstrap_external.py +index b8ac482994..62e937b819 100644 +--- a/Lib/importlib/_bootstrap_external.py ++++ b/Lib/importlib/_bootstrap_external.py +@@ -1559,7 +1559,7 @@ def _get_supported_file_loaders(): + + Each item is a tuple (loader, suffixes). + """ +- extensions = ExtensionFileLoader, _imp.extension_suffixes() ++ extensions = ExtensionFileLoader, _alternative_architectures(_imp.extension_suffixes()) + source = SourceFileLoader, SOURCE_SUFFIXES + bytecode = SourcelessFileLoader, BYTECODE_SUFFIXES + return [extensions, source, bytecode] +@@ -1623,7 +1623,7 @@ def _setup(_bootstrap_module): + + # Constants + setattr(self_module, '_relax_case', _make_relax_case()) +- EXTENSION_SUFFIXES.extend(_imp.extension_suffixes()) ++ EXTENSION_SUFFIXES.extend(_alternative_architectures(_imp.extension_suffixes())) + if builtin_os == 'nt': + SOURCE_SUFFIXES.append('.pyw') + if '_d.pyd' in EXTENSION_SUFFIXES: +@@ -1636,3 +1636,39 @@ def _install(_bootstrap_module): + supported_loaders = _get_supported_file_loaders() + sys.path_hooks.extend([FileFinder.path_hook(*supported_loaders)]) + sys.meta_path.append(PathFinder) ++ ++ ++_ARCH_MAP = { ++ "-arm-linux-gnueabi.": "-arm-linux-gnueabihf.", ++ "-armeb-linux-gnueabi.": "-armeb-linux-gnueabihf.", ++ "-mips64-linux-gnu.": "-mips64-linux-gnuabi64.", ++ "-mips64el-linux-gnu.": "-mips64el-linux-gnuabi64.", ++ "-ppc-linux-gnu.": "-powerpc-linux-gnu.", ++ "-ppc-linux-gnuspe.": "-powerpc-linux-gnuspe.", ++ "-ppc64-linux-gnu.": "-powerpc64-linux-gnu.", ++ "-ppc64le-linux-gnu.": "-powerpc64le-linux-gnu.", ++ # The above, but the other way around: ++ "-arm-linux-gnueabihf.": "-arm-linux-gnueabi.", ++ "-armeb-linux-gnueabihf.": "-armeb-linux-gnueabi.", ++ "-mips64-linux-gnuabi64.": "-mips64-linux-gnu.", ++ "-mips64el-linux-gnuabi64.": "-mips64el-linux-gnu.", ++ "-powerpc-linux-gnu.": "-ppc-linux-gnu.", ++ "-powerpc-linux-gnuspe.": "-ppc-linux-gnuspe.", ++ "-powerpc64-linux-gnu.": "-ppc64-linux-gnu.", ++ "-powerpc64le-linux-gnu.": "-ppc64le-linux-gnu.", ++} ++ ++ ++def _alternative_architectures(suffixes): ++ """Add a suffix with an alternative architecture name ++ to the list of suffixes so an extension built with ++ the default (upstream) setting is loadable with our Pythons ++ """ ++ ++ for suffix in suffixes: ++ for original, alternative in _ARCH_MAP.items(): ++ if original in suffix: ++ suffixes.append(suffix.replace(original, alternative)) ++ return suffixes ++ ++ return suffixes diff --git a/SOURCES/00359-CVE-2021-23336.patch b/SOURCES/00359-CVE-2021-23336.patch new file mode 100644 index 0000000..33e91c2 --- /dev/null +++ b/SOURCES/00359-CVE-2021-23336.patch @@ -0,0 +1,567 @@ +From 78da9e020385fe78e36c20f99a0910bbc4a0c100 Mon Sep 17 00:00:00 2001 +From: Lumir Balhar +Date: Thu, 1 Apr 2021 08:18:07 +0200 +Subject: [PATCH] CVE-2021-23336: Add `separator` argument to parse_qs; warn + with default +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Partially backports https://bugs.python.org/issue42967 : [security] Address a web cache-poisoning issue reported in urllib.parse.parse_qsl(). +However, this solution is different than the upstream solution in Python 3.6.13. + +An optional argument seperator is added to specify the separator. +It is recommended to set it to '&' or ';' to match the application or proxy in use. +The default can be set with an env variable of a config file. +If neither the argument, env var or config file specifies a separator, "&" is used +but a warning is raised if parse_qs is used on input that contains ';'. + +Co-authors of the upstream change (who do not necessarily agree with this): +Co-authored-by: Adam Goldschmidt +Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com> +Co-authored-by: Éric Araujo +--- + Doc/library/cgi.rst | 2 +- + Doc/library/urllib.parse.rst | 12 +- + Lib/cgi.py | 4 +- + Lib/test/test_cgi.py | 29 +++++ + Lib/test/test_urlparse.py | 232 ++++++++++++++++++++++++++++++++++- + Lib/urllib/parse.py | 78 +++++++++++- + 6 files changed, 339 insertions(+), 18 deletions(-) + +diff --git a/Doc/library/cgi.rst b/Doc/library/cgi.rst +index 880074b..d8a6dc1 100644 +--- a/Doc/library/cgi.rst ++++ b/Doc/library/cgi.rst +@@ -277,7 +277,7 @@ These are useful if you want more control, or if you want to employ some of the + algorithms implemented in this module in other circumstances. + + +-.. function:: parse(fp=None, environ=os.environ, keep_blank_values=False, strict_parsing=False, separator="&") ++.. function:: parse(fp=None, environ=os.environ, keep_blank_values=False, strict_parsing=False, separator=None) + + Parse a query in the environment or from a file (the file defaults to + ``sys.stdin``). The *keep_blank_values*, *strict_parsing* and *separator* parameters are +diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst +index a6cfc5d..85b2448 100644 +--- a/Doc/library/urllib.parse.rst ++++ b/Doc/library/urllib.parse.rst +@@ -165,7 +165,7 @@ or on combining URL components into a URL string. + now raise :exc:`ValueError`. + + +-.. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None, separator='&') ++.. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None, separator=None) + + Parse a query string given as a string argument (data of type + :mimetype:`application/x-www-form-urlencoded`). Data are returned as a +@@ -191,7 +191,13 @@ or on combining URL components into a URL string. + *max_num_fields* fields read. + + The optional argument *separator* is the symbol to use for separating the +- query arguments. It defaults to ``&``. ++ query arguments. It is recommended to set it to ``'&'`` or ``';'``. ++ It defaults to ``'&'``; a warning is raised if this default is used. ++ This default may be changed with the following environment variable settings: ++ ++ - ``PYTHON_URLLIB_QS_SEPARATOR='&'``: use only ``&`` as separator, without warning (as in Python 3.6.13+ or 3.10) ++ - ``PYTHON_URLLIB_QS_SEPARATOR=';'``: use only ``;`` as separator ++ - ``PYTHON_URLLIB_QS_SEPARATOR=legacy``: use both ``&`` and ``;`` (as in previous versions of Python) + + Use the :func:`urllib.parse.urlencode` function (with the ``doseq`` + parameter set to ``True``) to convert such dictionaries into query +@@ -236,7 +242,7 @@ or on combining URL components into a URL string. + *max_num_fields* fields read. + + The optional argument *separator* is the symbol to use for separating the +- query arguments. It defaults to ``&``. ++ query arguments. It works as in :py:func:`parse_qs`. + + Use the :func:`urllib.parse.urlencode` function to convert such lists of pairs into + query strings. +diff --git a/Lib/cgi.py b/Lib/cgi.py +index 1e880e5..d7b994b 100755 +--- a/Lib/cgi.py ++++ b/Lib/cgi.py +@@ -116,7 +116,7 @@ log = initlog # The current logging function + maxlen = 0 + + def parse(fp=None, environ=os.environ, keep_blank_values=0, +- strict_parsing=0, separator='&'): ++ strict_parsing=0, separator=None): + """Parse a query in the environment or from a file (default stdin) + + Arguments, all optional: +@@ -319,7 +319,7 @@ class FieldStorage: + def __init__(self, fp=None, headers=None, outerboundary=b'', + environ=os.environ, keep_blank_values=0, strict_parsing=0, + limit=None, encoding='utf-8', errors='replace', +- max_num_fields=None, separator='&'): ++ max_num_fields=None, separator=None): + """Constructor. Read multipart/* until last part. + + Arguments, all optional: +diff --git a/Lib/test/test_cgi.py b/Lib/test/test_cgi.py +index 4e1506a..49b6926 100644 +--- a/Lib/test/test_cgi.py ++++ b/Lib/test/test_cgi.py +@@ -180,6 +180,35 @@ Content-Length: 3 + + env = {'QUERY_STRING': orig} + fs = cgi.FieldStorage(environ=env) ++ if isinstance(expect, dict): ++ # test dict interface ++ self.assertEqual(len(expect), len(fs)) ++ self.assertCountEqual(expect.keys(), fs.keys()) ++ self.assertEqual(fs.getvalue("nonexistent field", "default"), "default") ++ # test individual fields ++ for key in expect.keys(): ++ expect_val = expect[key] ++ self.assertIn(key, fs) ++ if len(expect_val) > 1: ++ self.assertEqual(fs.getvalue(key), expect_val) ++ else: ++ self.assertEqual(fs.getvalue(key), expect_val[0]) ++ ++ def test_separator(self): ++ parse_semicolon = [ ++ ("x=1;y=2.0", {'x': ['1'], 'y': ['2.0']}), ++ ("x=1;y=2.0;z=2-3.%2b0", {'x': ['1'], 'y': ['2.0'], 'z': ['2-3.+0']}), ++ (";", ValueError("bad query field: ''")), ++ (";;", ValueError("bad query field: ''")), ++ ("=;a", ValueError("bad query field: 'a'")), ++ (";b=a", ValueError("bad query field: ''")), ++ ("b;=a", ValueError("bad query field: 'b'")), ++ ("a=a+b;b=b+c", {'a': ['a b'], 'b': ['b c']}), ++ ("a=a+b;a=b+a", {'a': ['a b', 'b a']}), ++ ] ++ for orig, expect in parse_semicolon: ++ env = {'QUERY_STRING': orig} ++ fs = cgi.FieldStorage(separator=';', environ=env) + if isinstance(expect, dict): + # test dict interface + self.assertEqual(len(expect), len(fs)) +diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py +index 0f99130..4e0d7e5 100644 +--- a/Lib/test/test_urlparse.py ++++ b/Lib/test/test_urlparse.py +@@ -2,6 +2,11 @@ import sys + import unicodedata + import unittest + import urllib.parse ++from test.support import EnvironmentVarGuard ++from warnings import catch_warnings ++import tempfile ++import contextlib ++import os.path + + RFC1808_BASE = "http://a/b/c/d;p?q#f" + RFC2396_BASE = "http://a/b/c/d;p?q" +@@ -32,10 +37,34 @@ parse_qsl_test_cases = [ + (b"&a=b", [(b'a', b'b')]), + (b"a=a+b&b=b+c", [(b'a', b'a b'), (b'b', b'b c')]), + (b"a=1&a=2", [(b'a', b'1'), (b'a', b'2')]), ++] ++ ++parse_qsl_test_cases_semicolon = [ ++ (";", []), ++ (";;", []), ++ (";a=b", [('a', 'b')]), ++ ("a=a+b;b=b+c", [('a', 'a b'), ('b', 'b c')]), ++ ("a=1;a=2", [('a', '1'), ('a', '2')]), ++ (b";", []), ++ (b";;", []), ++ (b";a=b", [(b'a', b'b')]), ++ (b"a=a+b;b=b+c", [(b'a', b'a b'), (b'b', b'b c')]), ++ (b"a=1;a=2", [(b'a', b'1'), (b'a', b'2')]), ++] ++ ++parse_qsl_test_cases_legacy = [ ++ (b"a=1;a=2&a=3", [(b'a', b'1'), (b'a', b'2'), (b'a', b'3')]), ++ (b"a=1;b=2&c=3", [(b'a', b'1'), (b'b', b'2'), (b'c', b'3')]), ++ (b"a=1&b=2&c=3;", [(b'a', b'1'), (b'b', b'2'), (b'c', b'3')]), ++] ++ ++parse_qsl_test_cases_warn = [ + (";a=b", [(';a', 'b')]), + ("a=a+b;b=b+c", [('a', 'a b;b=b c')]), + (b";a=b", [(b';a', b'b')]), + (b"a=a+b;b=b+c", [(b'a', b'a b;b=b c')]), ++ ("a=1;a=2&a=3", [('a', '1;a=2'), ('a', '3')]), ++ (b"a=1;a=2&a=3", [(b'a', b'1;a=2'), (b'a', b'3')]), + ] + + # Each parse_qs testcase is a two-tuple that contains +@@ -62,10 +91,37 @@ parse_qs_test_cases = [ + (b"&a=b", {b'a': [b'b']}), + (b"a=a+b&b=b+c", {b'a': [b'a b'], b'b': [b'b c']}), + (b"a=1&a=2", {b'a': [b'1', b'2']}), ++] ++ ++parse_qs_test_cases_semicolon = [ ++ (";", {}), ++ (";;", {}), ++ (";a=b", {'a': ['b']}), ++ ("a=a+b;b=b+c", {'a': ['a b'], 'b': ['b c']}), ++ ("a=1;a=2", {'a': ['1', '2']}), ++ (b";", {}), ++ (b";;", {}), ++ (b";a=b", {b'a': [b'b']}), ++ (b"a=a+b;b=b+c", {b'a': [b'a b'], b'b': [b'b c']}), ++ (b"a=1;a=2", {b'a': [b'1', b'2']}), ++] ++ ++parse_qs_test_cases_legacy = [ ++ ("a=1;a=2&a=3", {'a': ['1', '2', '3']}), ++ ("a=1;b=2&c=3", {'a': ['1'], 'b': ['2'], 'c': ['3']}), ++ ("a=1&b=2&c=3;", {'a': ['1'], 'b': ['2'], 'c': ['3']}), ++ (b"a=1;a=2&a=3", {b'a': [b'1', b'2', b'3']}), ++ (b"a=1;b=2&c=3", {b'a': [b'1'], b'b': [b'2'], b'c': [b'3']}), ++ (b"a=1&b=2&c=3;", {b'a': [b'1'], b'b': [b'2'], b'c': [b'3']}), ++] ++ ++parse_qs_test_cases_warn = [ + (";a=b", {';a': ['b']}), + ("a=a+b;b=b+c", {'a': ['a b;b=b c']}), + (b";a=b", {b';a': [b'b']}), + (b"a=a+b;b=b+c", {b'a':[ b'a b;b=b c']}), ++ ("a=1;a=2&a=3", {'a': ['1;a=2', '3']}), ++ (b"a=1;a=2&a=3", {b'a': [b'1;a=2', b'3']}), + ] + + class UrlParseTestCase(unittest.TestCase): +@@ -123,23 +179,57 @@ class UrlParseTestCase(unittest.TestCase): + + def test_qsl(self): + for orig, expect in parse_qsl_test_cases: +- result = urllib.parse.parse_qsl(orig, keep_blank_values=True) ++ result = urllib.parse.parse_qsl(orig, keep_blank_values=True, separator="&") + self.assertEqual(result, expect, "Error parsing %r" % orig) + expect_without_blanks = [v for v in expect if len(v[1])] +- result = urllib.parse.parse_qsl(orig, keep_blank_values=False) ++ result = urllib.parse.parse_qsl(orig, keep_blank_values=False, separator="&") + self.assertEqual(result, expect_without_blanks, + "Error parsing %r" % orig) + + def test_qs(self): + for orig, expect in parse_qs_test_cases: +- result = urllib.parse.parse_qs(orig, keep_blank_values=True) ++ result = urllib.parse.parse_qs(orig, keep_blank_values=True, separator="&") + self.assertEqual(result, expect, "Error parsing %r" % orig) + expect_without_blanks = {v: expect[v] + for v in expect if len(expect[v][0])} +- result = urllib.parse.parse_qs(orig, keep_blank_values=False) ++ result = urllib.parse.parse_qs(orig, keep_blank_values=False, separator="&") + self.assertEqual(result, expect_without_blanks, + "Error parsing %r" % orig) + ++ def test_qs_default_warn(self): ++ for orig, expect in parse_qs_test_cases_warn: ++ with self.subTest(orig=orig, expect=expect): ++ with catch_warnings(record=True) as w: ++ result = urllib.parse.parse_qs(orig, keep_blank_values=True) ++ self.assertEqual(result, expect, "Error parsing %r" % orig) ++ self.assertEqual(len(w), 1) ++ self.assertEqual(w[0].category, urllib.parse._QueryStringSeparatorWarning) ++ ++ def test_qsl_default_warn(self): ++ for orig, expect in parse_qsl_test_cases_warn: ++ with self.subTest(orig=orig, expect=expect): ++ with catch_warnings(record=True) as w: ++ result = urllib.parse.parse_qsl(orig, keep_blank_values=True) ++ self.assertEqual(result, expect, "Error parsing %r" % orig) ++ self.assertEqual(len(w), 1) ++ self.assertEqual(w[0].category, urllib.parse._QueryStringSeparatorWarning) ++ ++ def test_default_qs_no_warnings(self): ++ for orig, expect in parse_qs_test_cases: ++ with self.subTest(orig=orig, expect=expect): ++ with catch_warnings(record=True) as w: ++ result = urllib.parse.parse_qs(orig, keep_blank_values=True) ++ self.assertEqual(result, expect, "Error parsing %r" % orig) ++ self.assertEqual(len(w), 0) ++ ++ def test_default_qsl_no_warnings(self): ++ for orig, expect in parse_qsl_test_cases: ++ with self.subTest(orig=orig, expect=expect): ++ with catch_warnings(record=True) as w: ++ result = urllib.parse.parse_qsl(orig, keep_blank_values=True) ++ self.assertEqual(result, expect, "Error parsing %r" % orig) ++ self.assertEqual(len(w), 0) ++ + def test_roundtrips(self): + str_cases = [ + ('file:///tmp/junk.txt', +@@ -919,8 +1009,8 @@ class UrlParseTestCase(unittest.TestCase): + + def test_parse_qsl_max_num_fields(self): + with self.assertRaises(ValueError): +- urllib.parse.parse_qs('&'.join(['a=a']*11), max_num_fields=10) +- urllib.parse.parse_qs('&'.join(['a=a']*10), max_num_fields=10) ++ urllib.parse.parse_qs('&'.join(['a=a']*11), max_num_fields=10, separator='&') ++ urllib.parse.parse_qs('&'.join(['a=a']*10), max_num_fields=10, separator='&') + + def test_parse_qs_separator(self): + parse_qs_semicolon_cases = [ +@@ -964,6 +1054,136 @@ class UrlParseTestCase(unittest.TestCase): + self.assertEqual(result_bytes, expect, "Error parsing %r" % orig) + + ++ @contextlib.contextmanager ++ def _qsl_sep_config(self, sep): ++ """Context for the given parse_qsl default separator configured in config file""" ++ old_filename = urllib.parse._QS_SEPARATOR_CONFIG_FILENAME ++ urllib.parse._default_qs_separator = None ++ try: ++ with tempfile.TemporaryDirectory() as tmpdirname: ++ filename = os.path.join(tmpdirname, 'conf.cfg') ++ with open(filename, 'w') as file: ++ file.write(f'[parse_qs]\n') ++ file.write(f'PYTHON_URLLIB_QS_SEPARATOR = {sep}') ++ urllib.parse._QS_SEPARATOR_CONFIG_FILENAME = filename ++ yield ++ finally: ++ urllib.parse._QS_SEPARATOR_CONFIG_FILENAME = old_filename ++ urllib.parse._default_qs_separator = None ++ ++ def test_parse_qs_separator_semicolon(self): ++ for orig, expect in parse_qs_test_cases_semicolon: ++ with self.subTest(orig=orig, expect=expect, method='arg'): ++ result = urllib.parse.parse_qs(orig, separator=';') ++ self.assertEqual(result, expect, "Error parsing %r" % orig) ++ with self.subTest(orig=orig, expect=expect, method='env'): ++ with EnvironmentVarGuard() as environ, catch_warnings(record=True) as w: ++ environ['PYTHON_URLLIB_QS_SEPARATOR'] = ';' ++ result = urllib.parse.parse_qs(orig) ++ self.assertEqual(result, expect, "Error parsing %r" % orig) ++ self.assertEqual(len(w), 0) ++ with self.subTest(orig=orig, expect=expect, method='conf'): ++ with self._qsl_sep_config(';'), catch_warnings(record=True) as w: ++ result = urllib.parse.parse_qs(orig) ++ self.assertEqual(result, expect, "Error parsing %r" % orig) ++ self.assertEqual(len(w), 0) ++ ++ def test_parse_qsl_separator_semicolon(self): ++ for orig, expect in parse_qsl_test_cases_semicolon: ++ with self.subTest(orig=orig, expect=expect, method='arg'): ++ result = urllib.parse.parse_qsl(orig, separator=';') ++ self.assertEqual(result, expect, "Error parsing %r" % orig) ++ with self.subTest(orig=orig, expect=expect, method='env'): ++ with EnvironmentVarGuard() as environ, catch_warnings(record=True) as w: ++ environ['PYTHON_URLLIB_QS_SEPARATOR'] = ';' ++ result = urllib.parse.parse_qsl(orig) ++ self.assertEqual(result, expect, "Error parsing %r" % orig) ++ self.assertEqual(len(w), 0) ++ with self.subTest(orig=orig, expect=expect, method='conf'): ++ with self._qsl_sep_config(';'), catch_warnings(record=True) as w: ++ result = urllib.parse.parse_qsl(orig) ++ self.assertEqual(result, expect, "Error parsing %r" % orig) ++ self.assertEqual(len(w), 0) ++ ++ def test_parse_qs_separator_legacy(self): ++ for orig, expect in parse_qs_test_cases_legacy: ++ with self.subTest(orig=orig, expect=expect, method='env'): ++ with EnvironmentVarGuard() as environ, catch_warnings(record=True) as w: ++ environ['PYTHON_URLLIB_QS_SEPARATOR'] = 'legacy' ++ result = urllib.parse.parse_qs(orig) ++ self.assertEqual(result, expect, "Error parsing %r" % orig) ++ self.assertEqual(len(w), 0) ++ with self.subTest(orig=orig, expect=expect, method='conf'): ++ with self._qsl_sep_config('legacy'), catch_warnings(record=True) as w: ++ result = urllib.parse.parse_qs(orig) ++ self.assertEqual(result, expect, "Error parsing %r" % orig) ++ self.assertEqual(len(w), 0) ++ ++ def test_parse_qsl_separator_legacy(self): ++ for orig, expect in parse_qsl_test_cases_legacy: ++ with self.subTest(orig=orig, expect=expect, method='env'): ++ with EnvironmentVarGuard() as environ, catch_warnings(record=True) as w: ++ environ['PYTHON_URLLIB_QS_SEPARATOR'] = 'legacy' ++ result = urllib.parse.parse_qsl(orig) ++ self.assertEqual(result, expect, "Error parsing %r" % orig) ++ self.assertEqual(len(w), 0) ++ with self.subTest(orig=orig, expect=expect, method='conf'): ++ with self._qsl_sep_config('legacy'), catch_warnings(record=True) as w: ++ result = urllib.parse.parse_qsl(orig) ++ self.assertEqual(result, expect, "Error parsing %r" % orig) ++ self.assertEqual(len(w), 0) ++ ++ def test_parse_qs_separator_bad_value_env_or_config(self): ++ for bad_sep in '', 'abc', 'safe', '&;', 'SEP': ++ with self.subTest(bad_sep, method='env'): ++ with EnvironmentVarGuard() as environ, catch_warnings(record=True) as w: ++ environ['PYTHON_URLLIB_QS_SEPARATOR'] = bad_sep ++ with self.assertRaises(ValueError): ++ urllib.parse.parse_qsl('a=1;b=2') ++ with self.subTest(bad_sep, method='conf'): ++ with self._qsl_sep_config('bad_sep'), catch_warnings(record=True) as w: ++ with self.assertRaises(ValueError): ++ urllib.parse.parse_qsl('a=1;b=2') ++ ++ def test_parse_qs_separator_bad_value_arg(self): ++ for bad_sep in True, {}, '': ++ with self.subTest(bad_sep): ++ with self.assertRaises(ValueError): ++ urllib.parse.parse_qsl('a=1;b=2', separator=bad_sep) ++ ++ def test_parse_qs_separator_num_fields(self): ++ for qs, sep in ( ++ ('a&b&c', '&'), ++ ('a;b;c', ';'), ++ ('a&b;c', 'legacy'), ++ ): ++ with self.subTest(qs=qs, sep=sep): ++ with EnvironmentVarGuard() as environ, catch_warnings(record=True) as w: ++ if sep != 'legacy': ++ with self.assertRaises(ValueError): ++ urllib.parse.parse_qsl(qs, separator=sep, max_num_fields=2) ++ if sep: ++ environ['PYTHON_URLLIB_QS_SEPARATOR'] = sep ++ with self.assertRaises(ValueError): ++ urllib.parse.parse_qsl(qs, max_num_fields=2) ++ ++ def test_parse_qs_separator_priority(self): ++ # env variable trumps config file ++ with self._qsl_sep_config('~'), EnvironmentVarGuard() as environ: ++ environ['PYTHON_URLLIB_QS_SEPARATOR'] = '!' ++ result = urllib.parse.parse_qs('a=1!b=2~c=3') ++ self.assertEqual(result, {'a': ['1'], 'b': ['2~c=3']}) ++ # argument trumps config file ++ with self._qsl_sep_config('~'): ++ result = urllib.parse.parse_qs('a=1$b=2~c=3', separator='$') ++ self.assertEqual(result, {'a': ['1'], 'b': ['2~c=3']}) ++ # argument trumps env variable ++ with EnvironmentVarGuard() as environ: ++ environ['PYTHON_URLLIB_QS_SEPARATOR'] = '~' ++ result = urllib.parse.parse_qs('a=1$b=2~c=3', separator='$') ++ self.assertEqual(result, {'a': ['1'], 'b': ['2~c=3']}) ++ ++ + def test_urlencode_sequences(self): + # Other tests incidentally urlencode things; test non-covered cases: + # Sequence and object values. +diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py +index f0d9d4d..70fc268 100644 +--- a/Lib/urllib/parse.py ++++ b/Lib/urllib/parse.py +@@ -28,6 +28,7 @@ test_urlparse.py provides a good indicator of parsing behavior. + """ + + import re ++import os + import sys + import collections + import warnings +@@ -660,7 +661,7 @@ def unquote(string, encoding='utf-8', errors='replace'): + + + def parse_qs(qs, keep_blank_values=False, strict_parsing=False, +- encoding='utf-8', errors='replace', max_num_fields=None, separator='&'): ++ encoding='utf-8', errors='replace', max_num_fields=None, separator=None): + """Parse a query given as a string argument. + + Arguments: +@@ -700,9 +701,16 @@ def parse_qs(qs, keep_blank_values=False, strict_parsing=False, + parsed_result[name] = [value] + return parsed_result + ++class _QueryStringSeparatorWarning(RuntimeWarning): ++ """Warning for using default `separator` in parse_qs or parse_qsl""" ++ ++# The default "separator" for parse_qsl can be specified in a config file. ++# It's cached after first read. ++_QS_SEPARATOR_CONFIG_FILENAME = '/etc/python/urllib.cfg' ++_default_qs_separator = None + + def parse_qsl(qs, keep_blank_values=False, strict_parsing=False, +- encoding='utf-8', errors='replace', max_num_fields=None, separator='&'): ++ encoding='utf-8', errors='replace', max_num_fields=None, separator=None): + """Parse a query given as a string argument. + + Arguments: +@@ -731,20 +739,78 @@ def parse_qsl(qs, keep_blank_values=False, strict_parsing=False, + Returns a list, as G-d intended. + """ + qs, _coerce_result = _coerce_args(qs) +- separator, _ = _coerce_args(separator) + +- if not separator or (not isinstance(separator, (str, bytes))): ++ if isinstance(separator, bytes): ++ separator = separator.decode('ascii') ++ ++ if (not separator or (not isinstance(separator, (str, bytes)))) and separator is not None: + raise ValueError("Separator must be of type string or bytes.") + ++ # Used when both "&" and ";" act as separators. (Need a non-string value.) ++ _legacy = object() ++ ++ if separator is None: ++ global _default_qs_separator ++ separator = _default_qs_separator ++ envvar_name = 'PYTHON_URLLIB_QS_SEPARATOR' ++ if separator is None: ++ # Set default separator from environment variable ++ separator = os.environ.get(envvar_name) ++ config_source = 'environment variable' ++ if separator is None: ++ # Set default separator from the configuration file ++ try: ++ file = open(_QS_SEPARATOR_CONFIG_FILENAME) ++ except FileNotFoundError: ++ pass ++ else: ++ with file: ++ import configparser ++ config = configparser.ConfigParser( ++ interpolation=None, ++ comment_prefixes=('#', ), ++ ) ++ config.read_file(file) ++ separator = config.get('parse_qs', envvar_name, fallback=None) ++ _default_qs_separator = separator ++ config_source = _QS_SEPARATOR_CONFIG_FILENAME ++ if separator is None: ++ # The default is '&', but warn if not specified explicitly ++ if ';' in qs: ++ from warnings import warn ++ warn("The default separator of urllib.parse.parse_qsl and " ++ + "parse_qs was changed to '&' to avoid a web cache " ++ + "poisoning issue (CVE-2021-23336). " ++ + "By default, semicolons no longer act as query field " ++ + "separators. " ++ + "See https://access.redhat.com/articles/5860431 for " ++ + "more details.", ++ _QueryStringSeparatorWarning, stacklevel=2) ++ separator = '&' ++ elif separator == 'legacy': ++ separator = _legacy ++ elif len(separator) != 1: ++ raise ValueError( ++ f'{envvar_name} (from {config_source}) must contain ' ++ + '1 character, or "legacy". See ' ++ + 'https://access.redhat.com/articles/5860431 for more details.' ++ ) ++ + # If max_num_fields is defined then check that the number of fields + # is less than max_num_fields. This prevents a memory exhaustion DOS + # attack via post bodies with many fields. + if max_num_fields is not None: +- num_fields = 1 + qs.count(separator) ++ if separator is _legacy: ++ num_fields = 1 + qs.count('&') + qs.count(';') ++ else: ++ num_fields = 1 + qs.count(separator) + if max_num_fields < num_fields: + raise ValueError('Max number of fields exceeded') + +- pairs = [s1 for s1 in qs.split(separator)] ++ if separator is _legacy: ++ pairs = [s2 for s1 in qs.split('&') for s2 in s1.split(';')] ++ else: ++ pairs = [s1 for s1 in qs.split(separator)] + r = [] + for name_value in pairs: + if not name_value and not strict_parsing: +-- +2.31.1 + diff --git a/SOURCES/00378-support-expat-2-4-5.patch b/SOURCES/00378-support-expat-2-4-5.patch new file mode 100644 index 0000000..2a06bfb --- /dev/null +++ b/SOURCES/00378-support-expat-2-4-5.patch @@ -0,0 +1,36 @@ +diff --git a/Lib/test/test_minidom.py b/Lib/test/test_minidom.py +index 06c9107..6c3f5a8 100644 +--- a/Lib/test/test_minidom.py ++++ b/Lib/test/test_minidom.py +@@ -1149,14 +1149,11 @@ class MinidomTest(unittest.TestCase): + + # Verify that character decoding errors raise exceptions instead + # of crashing +- if pyexpat.version_info >= (2, 4, 5): +- self.assertRaises(ExpatError, parseString, +- b'') +- self.assertRaises(ExpatError, parseString, +- b'Comment \xe7a va ? Tr\xe8s bien ?') +- else: +- self.assertRaises(UnicodeDecodeError, parseString, +- b'Comment \xe7a va ? Tr\xe8s bien ?') ++ ++ self.assertRaises(ExpatError, parseString, ++ b'') ++ self.assertRaises(ExpatError, parseString, ++ b'Comment \xe7a va ? Tr\xe8s bien ?') + + doc.unlink() + +@@ -1601,10 +1598,7 @@ class MinidomTest(unittest.TestCase): + self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE) + + def testExceptionOnSpacesInXMLNSValue(self): +- if pyexpat.version_info >= (2, 4, 5): +- context = self.assertRaisesRegex(ExpatError, 'syntax error') +- else: +- context = self.assertRaisesRegex(ValueError, 'Unsupported syntax') ++ context = self.assertRaisesRegex(ExpatError, 'syntax error') + + with context: + parseString('') diff --git a/SOURCES/check-pyc-timestamps.py b/SOURCES/check-pyc-timestamps.py new file mode 100644 index 0000000..91af4fd --- /dev/null +++ b/SOURCES/check-pyc-timestamps.py @@ -0,0 +1,55 @@ +"""Checks if all *.pyc files have later mtime than their *.py files.""" + +import os +import sys +from importlib.util import cache_from_source +from pathlib import Path + + +RPM_BUILD_ROOT = os.environ.get('RPM_BUILD_ROOT', '') + +# ...cpython-3X.pyc +# ...cpython-3X.opt-1.pyc +# ...cpython-3X.opt-2.pyc +LEVELS = (None, 1, 2) + +# list of globs of test and other files that we expect not to have bytecode +not_compiled = [ + '/usr/bin/*', + '*/test/bad_coding.py', + '*/test/bad_coding2.py', + '*/test/badsyntax_*.py', + '*/lib2to3/tests/data/bom.py', + '*/lib2to3/tests/data/crlf.py', + '*/lib2to3/tests/data/different_encoding.py', + '*/lib2to3/tests/data/false_encoding.py', + '*/lib2to3/tests/data/py2_test_grammar.py', + '*.debug-gdb.py', +] + + +def bytecode_expected(path): + path = Path(path[len(RPM_BUILD_ROOT):]) + for glob in not_compiled: + if path.match(glob): + return False + return True + + +failed = 0 +compiled = (path for path in sys.argv[1:] if bytecode_expected(path)) +for path in compiled: + to_check = (cache_from_source(path, optimization=opt) for opt in LEVELS) + f_mtime = os.path.getmtime(path) + for pyc in to_check: + c_mtime = os.path.getmtime(pyc) + if c_mtime < f_mtime: + print('Failed bytecompilation timestamps check: ' + f'Bytecode file {pyc} is older than source file {path}', + file=sys.stderr) + failed += 1 + +if failed: + print(f'\n{failed} files failed bytecompilation timestamps check.', + file=sys.stderr) + sys.exit(1) diff --git a/SOURCES/get-source.sh b/SOURCES/get-source.sh new file mode 100755 index 0000000..32c3d23 --- /dev/null +++ b/SOURCES/get-source.sh @@ -0,0 +1,28 @@ +#! /bin/bash -ex + +# Download a release of Python (if missing) and remove .exe files from it + +version=$1 + +if [ -z "${version}" ]; then + echo "Usage: $0 VERSION" >& 2 + echo "" >& 2 + echo "example: $0 3.6.6" >& 2 + exit 1 +fi + +versionedname=Python-${version} +orig_archive=${versionedname}.tar.xz +new_archive=${versionedname}-noexe.tar.xz + +if [ ! -e ${orig_archive} ]; then + wget -N https://www.python.org/ftp/python/${version}/${orig_archive} +fi + +deleted_names=$(tar --list -Jf ${orig_archive} | grep '\.exe$') + +# tar --delete does not operate on compressed archives, so do +# xz compression/decompression explicitly +xz --decompress --stdout ${orig_archive} | \ + tar --delete -v ${deleted_names} | \ + xz --compress --stdout -3 -T0 > ${new_archive} diff --git a/SOURCES/idle3.appdata.xml b/SOURCES/idle3.appdata.xml new file mode 100644 index 0000000..94f87a2 --- /dev/null +++ b/SOURCES/idle3.appdata.xml @@ -0,0 +1,35 @@ + + + + + idle3.desktop + IDLE3 + CC0 + Python-2.0 + Python 3 Integrated Development and Learning Environment + +

+ IDLE is Python’s Integrated Development and Learning Environment. + The GUI is uniform between Windows, Unix, and Mac OS X. + IDLE provides an easy way to start writing, running, and debugging + Python code. +

+

+ IDLE is written in pure Python, and uses the tkinter GUI toolkit. + It provides: +

+
    +
  • a Python shell window (interactive interpreter) with colorizing of code input, output, and error messages,
  • +
  • a multi-window text editor with multiple undo, Python colorizing, smart indent, call tips, auto completion, and other features,
  • +
  • search within any window, replace within editor windows, and search through multiple files (grep),
  • +
  • a debugger with persistent breakpoints, stepping, and viewing of global and local namespaces.
  • +
+
+ https://docs.python.org/3/library/idle.html + + http://in.waw.pl/~zbyszek/fedora/idle3-appdata/idle3-main-window.png + http://in.waw.pl/~zbyszek/fedora/idle3-appdata/idle3-class-browser.png + http://in.waw.pl/~zbyszek/fedora/idle3-appdata/idle3-code-viewer.png + + zbyszek@in.waw.pl +
diff --git a/SOURCES/idle3.desktop b/SOURCES/idle3.desktop new file mode 100644 index 0000000..dc1d3c3 --- /dev/null +++ b/SOURCES/idle3.desktop @@ -0,0 +1,11 @@ +[Desktop Entry] +Version=1.0 +Name=IDLE 3 +Comment=Python 3 Integrated Development and Learning Environment +Exec=idle3 %F +TryExec=idle3 +Terminal=false +Type=Application +Icon=idle3 +Categories=Development;IDE; +MimeType=text/x-python; \ No newline at end of file diff --git a/SOURCES/macros.python38 b/SOURCES/macros.python38 new file mode 100644 index 0000000..0086d90 --- /dev/null +++ b/SOURCES/macros.python38 @@ -0,0 +1,6 @@ +%__python3 /usr/bin/python3.8 +%python3_pkgversion 38 + +%py3_install_wheel() %{expand:\\\ + CFLAGS="%{optflags}" %{__python3} -m pip install -I dist/%{1} --root %{buildroot} --no-deps +} diff --git a/SPECS/python38.spec b/SPECS/python38.spec new file mode 100644 index 0000000..4a885d2 --- /dev/null +++ b/SPECS/python38.spec @@ -0,0 +1,3202 @@ +# ================== +# Top-level metadata +# ================== + +%global pybasever 3.8 + +# pybasever without the dot: +%global pyshortver 38 + +Name: python38 +Summary: Interpreter of the Python programming language +URL: https://www.python.org/ + +# WARNING When rebasing to a new Python version, +# remember to update the python3-docs package as well +%global general_version %{pybasever}.16 +#global prerel ... +%global upstream_version %{general_version}%{?prerel} +Version: %{general_version}%{?prerel:~%{prerel}} +Release: 1%{?dist} +License: Python + +# Exclude i686 arch. Due to a modularity issue it's being added to the +# x86_64 compose of CRB, but we don't want to ship it at all. +# See: https://projects.engineering.redhat.com/browse/RCM-72605 +ExcludeArch: i686 + +# ================================== +# Conditionals controlling the build +# ================================== + +# Note that the bcond macros are named for the CLI option they create. +# "%%bcond_without" means "ENABLE by default and create a --without option" + + +# Flat package, i.e. python36, python37, python38 for tox etc. +# WARNING: This also influences the main_python bcond below. +# in Fedora, never turn this on for the python3 package +# and always keep it on for python37 etc. +# WARNING: This does not change the package name and summary above. +%bcond_with flatpackage + +# Main Python, i.e. whether this is the main Python version in the distribution +# that owns /usr/bin/python3 and other unique paths +%bcond_with main_python + +# When bootstrapping python3, we need to build setuptools. +# but setuptools BR python3-devel and that brings in python3-rpm-generators; +# python3-rpm-generators needs python3-setuptools, so we cannot have it yet. +# +# Procedure: https://fedoraproject.org/wiki/SIGs/Python/UpgradingPython +# +# IMPORTANT: When bootstrapping, it's very likely the wheels for pip and +# setuptools are not available. Turn off the rpmwheels bcond until +# the two packages are built with wheels to get around the issue. +%bcond_with bootstrap + +# Whether to use RPM build wheels from the python-{pip,setuptools}-wheel package +# Uses upstream bundled prebuilt wheels otherwise +%bcond_without rpmwheels + +# Expensive optimizations (mainly, profile-guided optimizations) +%bcond_without optimizations + +# https://fedoraproject.org/wiki/Changes/PythonNoSemanticInterpositionSpeedup +%bcond_without no_semantic_interposition + +# Run the test suite in %%check +%bcond_without tests + +# Extra build for debugging the interpreter or C-API extensions +# (the -debug subpackages) +%if %{with flatpackage} +%bcond_with debug_build +%else +%bcond_without debug_build +%endif + +# Support for the GDB debugger +%bcond_without gdb_hooks + +# The dbm.gnu module (key-value database) +%bcond_without gdbm + +# Main interpreter loop optimization +%bcond_without computed_gotos + +# Support for the Valgrind debugger/profiler +%ifarch %{valgrind_arches} +%bcond_without valgrind +%else +%bcond_with valgrind +%endif + +# https://fedoraproject.org/wiki/Changes/Python_Upstream_Architecture_Names +# For a very long time we have converted "upstream architecture names" to "Fedora names". +# This made sense at the time, see https://github.com/pypa/manylinux/issues/687#issuecomment-666362947 +# However, with manylinux wheels popularity growth, this is now a problem. +# Wheels built on a Linux that doesn't do this were not compatible with ours and vice versa. +# We now have a compatibility layer to workaround a problem, +# but we also no longer use the legacy arch names in Fedora 34+. +# This bcond controls the behavior. The defaults should be good for anybody. +%bcond_without legacy_archnames + +# ===================== +# General global macros +# ===================== + +# Set python3_pkgversion so that python_provide macro works for python38- +# prefixes in this spec file +# This is also set in the python38-rpm-macros package so that it works in other +# packages of this module. +%global python3_pkgversion 38 + +%global pylibdir %{_libdir}/python%{pybasever} +%global dynload_dir %{pylibdir}/lib-dynload + +# ABIFLAGS, LDVERSION and SOABI are in the upstream configure.ac +# See PEP 3149 for some background: http://www.python.org/dev/peps/pep-3149/ +%global ABIFLAGS_optimized %{nil} +%global ABIFLAGS_debug d + +%global LDVERSION_optimized %{pybasever}%{ABIFLAGS_optimized} +%global LDVERSION_debug %{pybasever}%{ABIFLAGS_debug} + +# When we use the upstream arch triplets, we convert them from the legacy ones +# This is reversed in prep when %%with legacy_archnames, so we keep both macros +%global platform_triplet_legacy %{_arch}-linux%{_gnu} +%global platform_triplet_upstream %{expand:%(echo %{platform_triplet_legacy} | sed -E \\ + -e 's/^arm(eb)?-linux-gnueabi$/arm\\1-linux-gnueabihf/' \\ + -e 's/^mips64(el)?-linux-gnu$/mips64\\1-linux-gnuabi64/' \\ + -e 's/^ppc(64)?(le)?-linux-gnu$/powerpc\\1\\2-linux-gnu/')} +%if %{with legacy_archnames} +%global platform_triplet %{platform_triplet_legacy} +%else +%global platform_triplet %{platform_triplet_upstream} +%endif + +%global SOABI_optimized cpython-%{pyshortver}%{ABIFLAGS_optimized}-%{platform_triplet} +%global SOABI_debug cpython-%{pyshortver}%{ABIFLAGS_debug}-%{platform_triplet} + +# All bytecode files are in a __pycache__ subdirectory, with a name +# reflecting the version of the bytecode. +# See PEP 3147: http://www.python.org/dev/peps/pep-3147/ +# For example, +# foo/bar.py +# has bytecode at: +# foo/__pycache__/bar.cpython-%%{pyshortver}.pyc +# foo/__pycache__/bar.cpython-%%{pyshortver}.opt-1.pyc +# foo/__pycache__/bar.cpython-%%{pyshortver}.opt-2.pyc +%global bytecode_suffixes .cpython-%{pyshortver}*.pyc + +# Python's configure script defines SOVERSION, and this is used in the Makefile +# to determine INSTSONAME, the name of the libpython DSO: +# LDLIBRARY='libpython$(VERSION).so' +# INSTSONAME="$LDLIBRARY".$SOVERSION +# We mirror this here in order to make it easier to add the -gdb.py hooks. +# (if these get out of sync, the payload of the libs subpackage will fail +# and halt the build) +%global py_SOVERSION 1.0 +%global py_INSTSONAME_optimized libpython%{LDVERSION_optimized}.so.%{py_SOVERSION} +%global py_INSTSONAME_debug libpython%{LDVERSION_debug}.so.%{py_SOVERSION} + +# Disable automatic bytecompilation. The python3 binary is not yet be +# available in /usr/bin when Python is built. Also, the bytecompilation fails +# on files that test invalid syntax. +%undefine py_auto_byte_compile + + +# ======================= +# Build-time requirements +# ======================= + +# (keep this list alphabetized) + +BuildRequires: autoconf +BuildRequires: bluez-libs-devel +BuildRequires: bzip2 +BuildRequires: bzip2-devel +BuildRequires: desktop-file-utils +BuildRequires: expat-devel + +BuildRequires: findutils +BuildRequires: gcc-c++ +%if %{with gdbm} +BuildRequires: gdbm-devel +%endif +BuildRequires: glibc-all-langpacks +BuildRequires: glibc-devel +BuildRequires: gmp-devel +BuildRequires: libappstream-glib +BuildRequires: libffi-devel +BuildRequires: libnsl2-devel +BuildRequires: libtirpc-devel +BuildRequires: libGL-devel +BuildRequires: libuuid-devel +BuildRequires: libX11-devel +BuildRequires: ncurses-devel + +BuildRequires: openssl-devel +BuildRequires: pkgconfig +BuildRequires: readline-devel +BuildRequires: redhat-rpm-config +BuildRequires: sqlite-devel +BuildRequires: gdb + +BuildRequires: tar +BuildRequires: tcl-devel +BuildRequires: tix-devel +BuildRequires: tk-devel + +%if %{with valgrind} +BuildRequires: valgrind-devel +%endif + +BuildRequires: xz-devel +BuildRequires: zlib-devel + +BuildRequires: /usr/bin/dtrace + +# workaround http://bugs.python.org/issue19804 (test_uuid requires ifconfig) +BuildRequires: /usr/sbin/ifconfig + +# For %%python_provide +BuildRequires: python-rpm-macros + +%if %{with rpmwheels} +BuildRequires: python38-setuptools-wheel +BuildRequires: python38-pip-wheel +%endif + +%if %{without bootstrap} +# for make regen-all and distutils.tests.test_bdist_rpm +BuildRequires: python%{pyshortver} +%endif + +# ======================= +# Source code and patches +# ======================= + +# The upstream tarball includes questionable executable files for Windows, +# which we should not ship even in the SRPM. +# Run the "get-source.sh" with the version as argument to download the upstream +# tarball and generate a version with the .exe files removed. For example: +# $ ./get-source.sh 3.7.0 + +Source: Python-%{version}-noexe.tar.xz + +# A script to remove .exe files from the source distribution +Source1: get-source.sh + +Source3: macros.python38 + +# A simple script to check timestamps of bytecode files +# Run in check section with Python that is currently being built +# Originally written by bkabrda +Source8: check-pyc-timestamps.py + +# Desktop menu entry for idle3 +Source10: idle3.desktop + +# AppData file for idle3 +Source11: idle3.appdata.xml + +# 00001 # +# Fixup distutils/unixccompiler.py to remove standard library path from rpath: +# Was Patch0 in ivazquez' python3000 specfile: +Patch1: 00001-rpath.patch + +# 00102 # +# Change the various install paths to use /usr/lib64/ instead or /usr/lib +# Only used when "%%{_lib}" == "lib64" +# Not yet sent upstream. +Patch102: 00102-lib64.patch + +# 00111 # +# Patch the Makefile.pre.in so that the generated Makefile doesn't try to build +# a libpythonMAJOR.MINOR.a +# See https://bugzilla.redhat.com/show_bug.cgi?id=556092 +# Downstream only: not appropriate for upstream +Patch111: 00111-no-static-lib.patch + +# 00189 # +# Instead of bundled wheels, use our RPM packaged wheels from +# /usr/share/python38-wheels +# Downstream only: upstream bundles +# We might eventually pursuit upstream support, but it's low prio +Patch189: 00189-use-rpm-wheels.patch + +# 00251 +# Set values of prefix and exec_prefix in distutils install command +# to /usr/local if executable is /usr/bin/python* and RPM build +# is not detected to make pip and distutils install into separate location +# Fedora Change: https://fedoraproject.org/wiki/Changes/Making_sudo_pip_safe +# Downstream only: Awaiting resources to work on upstream PEP +Patch251: 00251-change-user-install-location.patch + +# 00328 # +# Restore pyc to TIMESTAMP invalidation mode as default in rpmbubild +# See https://src.fedoraproject.org/rpms/redhat-rpm-config/pull-request/57#comment-27426 +# Downstream only: only used when building RPM packages +# Ideally, we should talk to upstream and explain why we don't want this +Patch328: 00328-pyc-timestamp-invalidation-mode.patch + +# 00329 # +# Support OpenSSL FIPS mode +# - Fallback implementations md5, sha1, sha256, sha512 are removed in favor of OpenSSL wrappers +# - In FIPS mode, OpenSSL wrappers are always used in hashlib +# - add a new "usedforsecurity" keyword argument to the various digest +# algorithms in hashlib so that you can whitelist a callsite with +# "usedforsecurity=False" +# The change has been implemented upstream since Python 3.9: +# https://bugs.python.org/issue9216 +# - OpenSSL wrappers for the hashes blake2{b512,s256}, +# sha3_{224,256,384,512}, shake_{128,256} are now exported from _hashlib +# - In FIPS mode, the blake2, sha3 and shake hashes use OpenSSL wrappers +# and do not offer extended functionality (keys, tree hashing, custom digest size) +# - In FIPS mode, hmac.HMAC can only be instantiated with an OpenSSL wrapper +# or an string with OpenSSL hash name as the "digestmod" argument. +# The argument must be specified (instead of defaulting to ‘md5’). +# +# - Also while in FIPS mode, we utilize OpenSSL's DRBG and disable the +# os.getrandom() function. +# +# Resolves: rhbz#1731424 +Patch329: 00329-fips.patch + +# 00353 # +# Original names for architectures with different names downstream +# +# https://fedoraproject.org/wiki/Changes/Python_Upstream_Architecture_Names +# +# Pythons in RHEL/Fedora used different names for some architectures +# than upstream and other distros (for example ppc64 vs. powerpc64). +# This was patched in patch 274, now it is sedded if %%with legacy_archnames. +# +# That meant that an extension built with the default upstream settings +# (on other distro or as an manylinux wheel) could not been found by Python +# on RHEL/Fedora because it had a different suffix. +# This patch adds the legacy names to importlib so Python is able +# to import extensions with a legacy architecture name in its +# file name. +# It work both ways, so it support both %%with and %%without legacy_archnames. +# +# WARNING: This patch has no effect on Python built with bootstrap +# enabled because Python/importlib_external.h is not regenerated +# and therefore Python during bootstrap contains importlib from +# upstream without this feature. It's possible to include +# Python/importlib_external.h to this patch but it'd make rebasing +# a nightmare because it's basically a binary file. +Patch353: 00353-architecture-names-upstream-downstream.patch + +# 00359 # +# CVE-2021-23336 python: Web Cache Poisoning via urllib.parse.parse_qsl and +# urllib.parse.parse_qs by using a semicolon in query parameters +# Upstream: https://bugs.python.org/issue42967 +# Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1928904 +Patch359: 00359-CVE-2021-23336.patch + +# 00378 # +# Support expat 2.4.5 +# +# Curly brackets were never allowed in namespace URIs +# according to RFC 3986, and so-called namespace-validating +# XML parsers have the right to reject them a invalid URIs. +# +# libexpat >=2.4.5 has become strcter in that regard due to +# related security issues; with ET.XML instantiating a +# namespace-aware parser under the hood, this test has no +# future in CPython. +# +# References: +# - https://datatracker.ietf.org/doc/html/rfc3968 +# - https://www.w3.org/TR/xml-names/ +# +# Also, test_minidom.py: Support Expat >=2.4.5 +# +# The patch has diverged from upstream as the python test +# suite was relying on checking the expat version, whereas +# in RHEL fixes get backported instead of rebasing packages. +# +# Upstream: https://bugs.python.org/issue46811 +Patch378: 00378-support-expat-2-4-5.patch + +# (New patches go here ^^^) +# +# When adding new patches to "python" and "python3" in Fedora, EL, etc., +# please try to keep the patch numbers in-sync between all specfiles. +# +# More information, and a patch number catalog, is at: +# +# https://fedoraproject.org/wiki/SIGs/Python/PythonPatches +# +# The patches are stored and rebased at: +# +# https://github.com/fedora-python/cpython + + +# ========================================== +# Descriptions, and metadata for subpackages +# ========================================== + +# People might want to dnf install pythonX.Y instead of pythonXY; +# we enable this in both flat and nonflat package. +Provides: python%{pybasever} = %{version}-%{release} + +# When the user tries to `yum install python`, yum will list this package among +# the possible alternatives +Provides: alternative-for(python) + +# Require alternatives version that implements the --keep-foreign flag +Requires: alternatives >= 1.19.1-1 +Requires(post): alternatives >= 1.19.1-1 +Requires(postun): alternatives >= 1.19.1-1 + +%if %{without flatpackage} + +# Packages with Python modules in standard locations automatically +# depend on python(abi). Provide that here. +Provides: python(abi) = %{pybasever} + +Requires: %{name}-libs%{?_isa} = %{version}-%{release} + +# In order to support multiple Python interpreters for development purposes, +# packages with the naming scheme flatpackage (e.g. python35) exist for +# non-default versions of Python 3. +# For consistency, and to keep the upgrade path clean, we Provide/Obsolete +# these names here. +Provides: python%{pyshortver} = %{version}-%{release} + +%if %{with main_python} +# https://fedoraproject.org/wiki/Changes/Move_usr_bin_python_into_separate_package +# https://fedoraproject.org/wiki/Changes/Python_means_Python3 +# We recommend /usr/bin/python so users get it by default +# Versioned recommends are problematic, and we know that the package requires +# python3 back with fixed version, so we just use the path here: +Recommends: %{_bindir}/python +%endif + +# In Fedora 31, /usr/bin/pydoc was moved here from Python 2. +# Ideally we'd have an explicit conflict with "/usr/bin/pydoc < 3", +# but file provides aren't versioned and the file moved across packages. +# Instead, we rely on the conflict in python3-libs. + +# Previously, this was required for our rewheel patch to work. +# This is technically no longer needed, but we keep it recommended +# for the developer experience. +Recommends: python38-setuptools +Recommends: python38-pip + +# This prevents ALL subpackages built from this spec to require +# /usr/bin/python3*. Granularity per subpackage is impossible. +# It's intended for the libs package not to drag in the interpreter, see +# https://bugzilla.redhat.com/show_bug.cgi?id=1547131 +# All others require %%{name} anyway. +%global __requires_exclude ^/usr/bin/python3 + + +# The description used both for the SRPM and the main `python3` subpackage: +%description +Python is an accessible, high-level, dynamically typed, interpreted programming +language, designed with an emphasis on code readability. +It includes an extensive standard library, and has a vast ecosystem of +third-party libraries. + +The %{name} package provides the "python3" executable: the reference +interpreter for the Python language, version 3. +The majority of its standard library is provided in the %{name}-libs package, +which should be installed automatically along with %{name}. +The remaining parts of the Python standard library are broken out into the +%{name}-tkinter and %{name}-test packages, which may need to be installed +separately. + +Documentation for Python is provided in the %{name}-docs package. + +Packages containing additional libraries for Python are generally named with +the "%{name}-" prefix. + +For the unversioned "python" executable, see manual page "unversioned-python". + + +%if %{with main_python} +# https://fedoraproject.org/wiki/Changes/Move_usr_bin_python_into_separate_package +# https://fedoraproject.org/wiki/Changes/Python_means_Python3 +%package -n python-unversioned-command +Summary: The "python" command that runs Python 3 +BuildArch: noarch + +# In theory this could require any python3 version +Requires: python3 == %{version}-%{release} +# But since we want to provide versioned python, we require exact version +Provides: python = %{version}-%{release} +# This also save us an explicit conflict for older python3 builds + +%description -n python-unversioned-command +This package contains /usr/bin/python - the "python" command that runs Python 3. + +%endif # with main_python + + +%package libs +Summary: Python runtime libraries + +%if %{with rpmwheels} +Requires: python38-setuptools-wheel +Requires: python38-pip-wheel +%else +Provides: bundled(python38-pip) = 19.2.3 +Provides: bundled(python38-setuptools) = 41.2.0 +%endif + +%{?python_provide:%python_provide python38-libs} + +# There are files in the standard library that have python shebang. +# We've filtered the automatic requirement out so libs are installable without +# the main package. This however makes it pulled in by default. +# See https://bugzilla.redhat.com/show_bug.cgi?id=1547131 +Recommends: %{name}%{?_isa} = %{version}-%{release} + +# tkinter is part of the standard library, +# but it is torn out to save an unwanted dependency on tk and X11. +# we recommend it when tk is already installed (for better UX) +Recommends: (%{name}-tkinter%{?_isa} = %{version}-%{release} if tk%{?_isa}) + +%description libs +This package contains runtime libraries for use by Python: +- the majority of the Python standard library +- a dynamically linked library for use by applications that embed Python as + a scripting language, and by the main "python3" executable + + +%package devel +Summary: Libraries and header files needed for Python development +Requires: %{name} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +BuildRequires: python-rpm-macros +# The RPM related dependencies bring nothing to a non-RPM Python developer +# But we want them when packages BuildRequire python3-devel +Requires: (python-rpm-macros if rpm-build) +Requires: (python3-rpm-macros if rpm-build) + +# Require alternatives version that implements the --keep-foreign flag +Requires(postun): alternatives >= 1.19.1-1 +# python38 installs the alternatives master symlink to which we attach a slave +Requires(post): python38 +Requires(postun): python38 + +%if %{without bootstrap} +# This is not "API" (packages that need setuptools should still BuildRequire it) +# However some packages apparently can build both with and without setuptools +# producing egg-info as file or directory (depending on setuptools presence). +# Directory-to-file updates are problematic in RPM, so we ensure setuptools is +# installed when -devel is required. +# See https://bugzilla.redhat.com/show_bug.cgi?id=1623914 +# See https://fedoraproject.org/wiki/Packaging:Directory_Replacement +Requires: (python38-setuptools if rpm-build) +%endif + +Requires: (python3-rpm-generators if rpm-build) + +%{?python_provide:%python_provide python38-devel} + +%description devel +This package contains the header files and configuration needed to compile +Python extension modules (typically written in C or C++), to embed Python +into other programs, and to make binary distributions for Python libraries. + +It also contains the necessary macros to build RPM packages with Python modules +and 2to3 tool, an automatic source converter from Python 2.X. + +If you want to build an RPM against the python38 module, you also need to +install the python38-rpm-macros package. + + +%package idle +Summary: A basic graphical development environment for Python +Requires: %{name} = %{version}-%{release} +Requires: %{name}-tkinter = %{version}-%{release} + +%{?python_provide:%python_provide python38-idle} + +# Require alternatives version that implements the --keep-foreign flag +Requires(postun): alternatives >= 1.19.1-1 +# python38 installs the alternatives master symlink to which we attach a slave +Requires(post): python38 +Requires(postun): python38 + +%description idle +IDLE is Python’s Integrated Development and Learning Environment. + +IDLE has the following features: Python shell window (interactive +interpreter) with colorizing of code input, output, and error messages; +multi-window text editor with multiple undo, Python colorizing, +smart indent, call tips, auto completion, and other features; +search within any window, replace within editor windows, and +search through multiple files (grep); debugger with persistent +breakpoints, stepping, and viewing of global and local namespaces; +configuration, browsers, and other dialogs. + + +%package tkinter +Summary: A GUI toolkit for Python +Requires: %{name} = %{version}-%{release} + +%{?python_provide:%python_provide python38-tkinter} + +%description tkinter +The Tkinter (Tk interface) library is a graphical user interface toolkit for +the Python programming language. + + +%package test +Summary: The self-test suite for the main python3 package +Requires: %{name} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} + +%{?python_provide:%python_provide python38-test} + +%description test +The self-test suite for the Python interpreter. + +This is only useful to test Python itself. For testing general Python code, +you should use the unittest module from %{name}-libs, or a library such as +%{name}-pytest or %{name}-nose. + + +%if %{with debug_build} +%package debug +Summary: Debug version of the Python runtime + +# The debug build is an all-in-one package version of the regular build, and +# shares the same .py/.pyc files and directories as the regular build. Hence +# we depend on all of the subpackages of the regular build: +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-devel%{?_isa} = %{version}-%{release} +Requires: %{name}-test%{?_isa} = %{version}-%{release} +Requires: %{name}-tkinter%{?_isa} = %{version}-%{release} +Requires: %{name}-idle%{?_isa} = %{version}-%{release} + +# Require alternatives version that implements the --keep-foreign flag +Requires(postun): alternatives >= 1.19.1-1 +# python38 installs the alternatives master symlink to which we attach a slave +Requires(post): python38 +Requires(postun): python38 + +%{?python_provide:%python_provide python38-debug} + +%description debug +python38-debug provides a version of the Python runtime with numerous debugging +features enabled, aimed at advanced Python users such as developers of Python +extension modules. + +This version uses more memory and will be slower than the regular Python build, +but is useful for tracking down reference-counting issues and other bugs. + +The debug build shares installation directories with the standard Python +runtime. Python modules -- source (.py), bytecode (.pyc), and C-API extensions +(.cpython*.so) -- are compatible between this and the standard version +of Python. + +The debug runtime additionally supports debug builds of C-API extensions +(with the "d" ABI flag) for debugging issues in those extensions. +%endif # with debug_build + +%else # with flatpackage + +# We'll not provide this, on purpose +# No package in Fedora shall ever depend on flatpackage via this +%global __requires_exclude ^python\\(abi\\) = 3\\..$ +%global __provides_exclude ^python\\(abi\\) = 3\\..$ + +%if %{with rpmwheels} +Requires: python38-setuptools-wheel +Requires: python38-pip-wheel +%else +Provides: bundled(python38-pip) = 21.1.1 +Provides: bundled(python38-setuptools) = 56.0.0 +%endif + +# The description for the flat package +%description +Python %{pybasever} package for developers. + +This package exists to allow developers to test their code against a newer +version of Python. This is not a full Python stack and if you wish to run +your applications with Python %{pybasever}, update your Fedora to a newer +version once Python %{pybasever} is stable. + +%endif # with flatpackage + + +%package -n python38-rpm-macros +Summary: RPM macros for building RPMs with Python 3.8 +Provides: python38-modular-devel = %{version}-%{release} +Provides: python-modular-rpm-macros == 3.8 +Conflicts: python-modular-rpm-macros > 3.8 +Requires: python3-rpm-macros +BuildArch: noarch + +%description -n python38-rpm-macros +RPM macros for building RPMs with Python 3.8 from the python38 module. +If you want to build an RPM against the python38 module, you need to +BuildRequire: python38-rpm-macros. + + +# ====================================================== +# The prep phase of the build: +# ====================================================== + +%prep +%setup -q -n Python-%{upstream_version} +# Remove all exe files to ensure we are not shipping prebuilt binaries +# note that those are only used to create Microsoft Windows installers +# and that functionality is broken on Linux anyway +find -name '*.exe' -print -delete + +# Remove bundled libraries to ensure that we're using the system copy. +rm -r Modules/expat + +# +# Apply patches: +# +%patch1 -p1 + +%if "%{_lib}" == "lib64" +%patch102 -p1 +%endif +%patch111 -p1 + +%if %{with rpmwheels} +%patch189 -p1 +rm Lib/ensurepip/_bundled/*.whl +%endif + +%patch251 -p1 +%patch328 -p1 +%patch329 -p1 +%patch353 -p1 +%patch359 -p1 +%patch378 -p1 + +# Remove files that should be generated by the build +# (This is after patching, so that we can use patches directly from upstream) +rm configure pyconfig.h.in + +# When we use the legacy arch names, we need to change them in configure.ac +%if %{with legacy_archnames} +sed -i configure.ac \ + -e 's/\b%{platform_triplet_upstream}\b/%{platform_triplet_legacy}/' +%endif + + +# ====================================================== +# Configuring and building the code: +# ====================================================== + +%build + +# Regenerate the configure script and pyconfig.h.in +autoconf +autoheader + +# Remember the current directory (which has sources and the configure script), +# so we can refer to it after we "cd" elsewhere. +topdir=$(pwd) + +# Get proper option names from bconds +%if %{with computed_gotos} +%global computed_gotos_flag yes +%else +%global computed_gotos_flag no +%endif + +%if %{with optimizations} +%global optimizations_flag "--enable-optimizations" +%else +%global optimizations_flag "--disable-optimizations" +%endif + +# Set common compiler/linker flags +# We utilize the %%extension_...flags macros here so users building C/C++ +# extensions with our python won't get all the compiler/linker flags used +# in Fedora RPMs. +# Standard library built here will still use the %%build_...flags, +# Fedora packages utilizing %%py3_build will use them as well +# https://fedoraproject.org/wiki/Changes/Python_Extension_Flags +export CFLAGS="%{extension_cflags} -D_GNU_SOURCE -fPIC -fwrapv" +export CFLAGS_NODIST="%{build_cflags} -D_GNU_SOURCE -fPIC -fwrapv%{?with_no_semantic_interposition: -fno-semantic-interposition}" +export CXXFLAGS="%{extension_cxxflags} -D_GNU_SOURCE -fPIC -fwrapv" +export CPPFLAGS="$(pkg-config --cflags-only-I libffi)" +export OPT="%{extension_cflags} -D_GNU_SOURCE -fPIC -fwrapv" +export LINKCC="gcc" +export CFLAGS="$CFLAGS $(pkg-config --cflags openssl)" +export LDFLAGS="%{extension_ldflags} -g $(pkg-config --libs-only-L openssl)" +export LDFLAGS_NODIST="%{build_ldflags}%{?with_no_semantic_interposition: -fno-semantic-interposition} -g $(pkg-config --libs-only-L openssl)" + +# We can build several different configurations of Python: regular and debug. +# Define a common function that does one build: +BuildPython() { + ConfName=$1 + ExtraConfigArgs=$2 + MoreCFlags=$3 + + # Each build is done in its own directory + ConfDir=build/$ConfName + echo STARTING: BUILD OF PYTHON FOR CONFIGURATION: $ConfName + mkdir -p $ConfDir + pushd $ConfDir + + # Normally, %%configure looks for the "configure" script in the current + # directory. + # Since we changed directories, we need to tell %%configure where to look. + %global _configure $topdir/configure + +%configure \ + --enable-ipv6 \ + --enable-shared \ + --with-computed-gotos=%{computed_gotos_flag} \ + --with-dbmliborder=gdbm:ndbm:bdb \ + --with-system-expat \ + --with-system-ffi \ + --enable-loadable-sqlite-extensions \ + --with-dtrace \ + --with-lto \ + --with-ssl-default-suites=openssl \ +%if %{with valgrind} + --with-valgrind \ +%endif + $ExtraConfigArgs \ + %{nil} + +%global flags_override EXTRA_CFLAGS="$MoreCFlags" CFLAGS_NODIST="$CFLAGS_NODIST $MoreCFlags" + +%if %{without bootstrap} + # Regenerate generated files (needs python3) + %make_build %{flags_override} regen-all PYTHON_FOR_REGEN="python%{pybasever}" +%endif + + # Invoke the build + %make_build %{flags_override} + + popd + echo FINISHED: BUILD OF PYTHON FOR CONFIGURATION: $ConfName +} + +# Call the above to build each configuration. + +%if %{with debug_build} +BuildPython debug \ + "--without-ensurepip --with-pydebug" \ + "-Og" +%endif # with debug_build + +BuildPython optimized \ + "--without-ensurepip %{optimizations_flag}" \ + "" + +# ====================================================== +# Installing the built code: +# ====================================================== + +%install + +# As in %%build, remember the current directory +topdir=$(pwd) + +# We install a collection of hooks for gdb that make it easier to debug +# executables linked against libpython3* (such as /usr/bin/python3 itself) +# +# These hooks are implemented in Python itself (though they are for the version +# of python that gdb is linked with) +# +# gdb-archer looks for them in the same path as the ELF file or its .debug +# file, with a -gdb.py suffix. +# We put them next to the debug file, because ldconfig would complain if +# it found non-library files directly in /usr/lib/ +# (see https://bugzilla.redhat.com/show_bug.cgi?id=562980) +# +# We'll put these files in the debuginfo package by installing them to e.g.: +# /usr/lib/debug/usr/lib/libpython3.2.so.1.0.debug-gdb.py +# (note that the debug path is /usr/lib/debug for both 32/64 bit) +# +# See https://fedoraproject.org/wiki/Features/EasierPythonDebugging for more +# information + +%if %{with gdb_hooks} +DirHoldingGdbPy=%{_usr}/lib/debug/%{_libdir} +mkdir -p %{buildroot}$DirHoldingGdbPy +%endif # with gdb_hooks + +# Multilib support for pyconfig.h +# 32- and 64-bit versions of pyconfig.h are different. For multilib support +# (making it possible to install 32- and 64-bit versions simultaneously), +# we need to install them under different filenames, and to make the common +# "pyconfig.h" include the right file based on architecture. +# See https://bugzilla.redhat.com/show_bug.cgi?id=192747 +# Filanames are defined here: +%global _pyconfig32_h pyconfig-32.h +%global _pyconfig64_h pyconfig-64.h +%global _pyconfig_h pyconfig-%{__isa_bits}.h + +# Use a common function to do an install for all our configurations: +InstallPython() { + + ConfName=$1 + PyInstSoName=$2 + MoreCFlags=$3 + LDVersion=$4 + + # Switch to the directory with this configuration's built files + ConfDir=build/$ConfName + echo STARTING: INSTALL OF PYTHON FOR CONFIGURATION: $ConfName + mkdir -p $ConfDir + pushd $ConfDir + + make \ + DESTDIR=%{buildroot} \ + INSTALL="install -p" \ + EXTRA_CFLAGS="$MoreCFlags" \ + install + + popd + +%if %{with gdb_hooks} + # See comment on $DirHoldingGdbPy above + PathOfGdbPy=$DirHoldingGdbPy/$PyInstSoName-%{version}-%{release}.%{_arch}.debug-gdb.py + cp Tools/gdb/libpython.py %{buildroot}$PathOfGdbPy +%endif # with gdb_hooks + + # Rename the -devel script that differs on different arches to arch specific name + mv %{buildroot}%{_bindir}/python${LDVersion}-{,`uname -m`-}config + echo -e '#!/bin/sh\nexec `dirname $0`/python'${LDVersion}'-`uname -m`-config "$@"' > \ + %{buildroot}%{_bindir}/python${LDVersion}-config + echo '[ $? -eq 127 ] && echo "Could not find python'${LDVersion}'-`uname -m`-config. Look around to see available arches." >&2' >> \ + %{buildroot}%{_bindir}/python${LDVersion}-config + chmod +x %{buildroot}%{_bindir}/python${LDVersion}-config + + # Make python3-devel multilib-ready + mv %{buildroot}%{_includedir}/python${LDVersion}/pyconfig.h \ + %{buildroot}%{_includedir}/python${LDVersion}/%{_pyconfig_h} + cat > %{buildroot}%{_includedir}/python${LDVersion}/pyconfig.h << EOF +#include + +#if __WORDSIZE == 32 +#include "%{_pyconfig32_h}" +#elif __WORDSIZE == 64 +#include "%{_pyconfig64_h}" +#else +#error "Unknown word size" +#endif +EOF + + echo FINISHED: INSTALL OF PYTHON FOR CONFIGURATION: $ConfName +} + +# Install the "debug" build first; any common files will be overridden with +# later builds +%if %{with debug_build} +InstallPython debug \ + %{py_INSTSONAME_debug} \ + -O0 \ + %{LDVERSION_debug} +%endif # with debug_build + +# Now the optimized build: +InstallPython optimized \ + %{py_INSTSONAME_optimized} \ + "" \ + %{LDVERSION_optimized} + +# Install directories for additional packages +install -d -m 0755 %{buildroot}%{pylibdir}/site-packages/__pycache__ +%if "%{_lib}" == "lib64" +# The 64-bit version needs to create "site-packages" in /usr/lib/ (for +# pure-Python modules) as well as in /usr/lib64/ (for packages with extension +# modules). +# Note that rpmlint will complain about hardcoded library path; +# this is intentional. +install -d -m 0755 %{buildroot}%{_prefix}/lib/python%{pybasever}/site-packages/__pycache__ +%endif + +%if %{with main_python} +# add idle3 to menu +install -D -m 0644 Lib/idlelib/Icons/idle_16.png %{buildroot}%{_datadir}/icons/hicolor/16x16/apps/idle3.png +install -D -m 0644 Lib/idlelib/Icons/idle_32.png %{buildroot}%{_datadir}/icons/hicolor/32x32/apps/idle3.png +install -D -m 0644 Lib/idlelib/Icons/idle_48.png %{buildroot}%{_datadir}/icons/hicolor/48x48/apps/idle3.png +desktop-file-install --dir=%{buildroot}%{_datadir}/applications %{SOURCE10} + +# Install and validate appdata file +mkdir -p %{buildroot}%{_metainfodir} +cp -a %{SOURCE11} %{buildroot}%{_metainfodir} +appstream-util validate-relax --nonet %{buildroot}%{_metainfodir}/idle3.appdata.xml +%endif + +# Make sure distutils looks at the right pyconfig.h file +# See https://bugzilla.redhat.com/show_bug.cgi?id=201434 +# Similar for sysconfig: sysconfig.get_config_h_filename tries to locate +# pyconfig.h so it can be parsed, and needs to do this at runtime in site.py +# when python starts up (see https://bugzilla.redhat.com/show_bug.cgi?id=653058) +# +# Split this out so it goes directly to the pyconfig-32.h/pyconfig-64.h +# variants: +sed -i -e "s/'pyconfig.h'/'%{_pyconfig_h}'/" \ + %{buildroot}%{pylibdir}/distutils/sysconfig.py \ + %{buildroot}%{pylibdir}/sysconfig.py + +# Install pathfix.py to bindir +# See https://github.com/fedora-python/python-rpm-porting/issues/24 +cp -p Tools/scripts/pathfix.py %{buildroot}%{_bindir}/pathfix%{pybasever}.py +ln -s pathfix%{pybasever}.py %{buildroot}%{_bindir}/pathfix.py + +# Install i18n tools to bindir +# They are also in python2, so we version them +# https://bugzilla.redhat.com/show_bug.cgi?id=1571474 +for tool in pygettext msgfmt; do + cp -p Tools/i18n/${tool}.py %{buildroot}%{_bindir}/${tool}%{pybasever}.py + ln -s ${tool}%{pybasever}.py %{buildroot}%{_bindir}/${tool}3.py +done + +# Switch all shebangs to refer to the specific Python version. +# This currently only covers files matching ^[a-zA-Z0-9_]+\.py$, +# so handle files named using other naming scheme separately. +LD_LIBRARY_PATH=./build/optimized ./build/optimized/python \ + Tools/scripts/pathfix.py \ + -i "%{_bindir}/python%{pybasever}" -pn \ + %{buildroot} \ + %{buildroot}%{_bindir}/*%{pybasever}.py \ + %{?with_gdb_hooks:%{buildroot}$DirHoldingGdbPy/*.py} + +# Remove tests for python3-tools which was removed in +# https://bugzilla.redhat.com/show_bug.cgi?id=1312030 +rm -rf %{buildroot}%{pylibdir}/test/test_tools + +# Remove shebang lines from .py files that aren't executable, and +# remove executability from .py files that don't have a shebang line: +find %{buildroot} -name \*.py \ + \( \( \! -perm /u+x,g+x,o+x -exec sed -e '/^#!/Q 0' -e 'Q 1' {} \; \ + -print -exec sed -i '1d' {} \; \) -o \( \ + -perm /u+x,g+x,o+x ! -exec grep -m 1 -q '^#!' {} \; \ + -exec chmod a-x {} \; \) \) + +# Get rid of DOS batch files: +find %{buildroot} -name \*.bat -exec rm {} \; + +# Get rid of backup files: +find %{buildroot}/ -name "*~" -exec rm -f {} \; +find . -name "*~" -exec rm -f {} \; + +# Do bytecompilation with the newly installed interpreter. +# This is similar to the script in macros.pybytecompile +# compile *.pyc +find %{buildroot} -type f -a -name "*.py" -print0 | \ + LD_LIBRARY_PATH="%{buildroot}%{dynload_dir}/:%{buildroot}%{_libdir}" \ + PYTHONPATH="%{buildroot}%{_libdir}/python%{pybasever} %{buildroot}%{_libdir}/python%{pybasever}/site-packages" \ + xargs -0 %{buildroot}%{_bindir}/python%{pybasever} -O -c 'import py_compile, sys; [py_compile.compile(f, dfile=f.partition("%{buildroot}")[2], optimize=opt) for opt in range(3) for f in sys.argv[1:]]' || : + +# Since we have pathfix.py in bindir, this is created, but we don't want it +rm -rf %{buildroot}%{_bindir}/__pycache__ + +# Fixup permissions for shared libraries from non-standard 555 to standard 755: +find %{buildroot} -perm 555 -exec chmod 755 {} \; + +# Create "/usr/bin/python3-debug", a symlink to the python3 debug binary, to +# avoid the user having to know the precise version and ABI flags. +# See e.g. https://bugzilla.redhat.com/show_bug.cgi?id=676748 +%if %{with debug_build} && %{with main_python} +ln -s \ + %{_bindir}/python%{LDVERSION_debug} \ + %{buildroot}%{_bindir}/python3-debug +%endif + +%if %{without main_python} +# Remove stuff that would conflict with python3 package +rm %{buildroot}%{_bindir}/python3 +rm %{buildroot}%{_bindir}/pydoc3 +rm %{buildroot}%{_bindir}/pathfix.py +rm %{buildroot}%{_bindir}/pygettext3.py +rm %{buildroot}%{_bindir}/msgfmt3.py +rm %{buildroot}%{_bindir}/idle3 +rm %{buildroot}%{_bindir}/python3-* +rm %{buildroot}%{_bindir}/2to3 +rm %{buildroot}%{_libdir}/libpython3.so +rm %{buildroot}%{_mandir}/man1/python3.1* +rm %{buildroot}%{_libdir}/pkgconfig/python3.pc +rm %{buildroot}%{_libdir}/pkgconfig/python3-embed.pc +%else # main_python +# Link the unversioned stuff +# https://fedoraproject.org/wiki/Changes/Python_means_Python3 +ln -s ./python3 %{buildroot}%{_bindir}/python +ln -s ./pydoc3 %{buildroot}%{_bindir}/pydoc +ln -s ./pygettext3.py %{buildroot}%{_bindir}/pygettext.py +ln -s ./msgfmt3.py %{buildroot}%{_bindir}/msgfmt.py +ln -s ./idle3 %{buildroot}%{_bindir}/idle +ln -s ./python3-config %{buildroot}%{_bindir}/python-config +ln -s ./python3.1 %{buildroot}%{_mandir}/man1/python.1 +ln -s ./python3.pc %{buildroot}%{_libdir}/pkgconfig/python.pc +%if %{with debug_build} +ln -s ./python3-debug %{buildroot}%{_bindir}/python-debug +%endif +%endif # main_python + + +# Python RPM macros +mkdir -p %{buildroot}/%{rpmmacrodir}/ +install -m 644 %{SOURCE3} \ + %{buildroot}/%{rpmmacrodir}/ + +# All ghost files controlled by alternatives need to exist for the files +# section check to succeed +# - Don't list /usr/bin/python as a ghost file so `yum install /usr/bin/python` +# doesn't install this package +touch %{buildroot}%{_bindir}/unversioned-python +touch %{buildroot}%{_mandir}/man1/python.1.gz +touch %{buildroot}%{_bindir}/python3 +touch %{buildroot}%{_mandir}/man1/python3.1.gz +touch %{buildroot}%{_bindir}/pydoc3 +touch %{buildroot}%{_bindir}/pydoc-3 +touch %{buildroot}%{_bindir}/idle3 +touch %{buildroot}%{_bindir}/python3-config +touch %{buildroot}%{_bindir}/python3-debug +touch %{buildroot}%{_bindir}/python3-debug-config + + +# ====================================================== +# Checks for packaging issues +# ====================================================== + +%check + +# first of all, check timestamps of bytecode files +find %{buildroot} -type f -a -name "*.py" -print0 | \ + LD_LIBRARY_PATH="%{buildroot}%{dynload_dir}/:%{buildroot}%{_libdir}" \ + PYTHONPATH="%{buildroot}%{_libdir}/python%{pybasever} %{buildroot}%{_libdir}/python%{pybasever}/site-packages" \ + xargs -0 %{buildroot}%{_bindir}/python%{pybasever} %{SOURCE8} + +# Ensure that the curses module was linked against libncursesw.so, rather than +# libncurses.so +# See https://bugzilla.redhat.com/show_bug.cgi?id=539917 +ldd %{buildroot}/%{dynload_dir}/_curses*.so \ + | grep curses \ + | grep libncurses.so && (echo "_curses.so linked against libncurses.so" ; exit 1) + +# Ensure that the debug modules are linked against the debug libpython, and +# likewise for the optimized modules and libpython: +for Module in %{buildroot}/%{dynload_dir}/*.so ; do + case $Module in + *.%{SOABI_debug}) + ldd $Module | grep %{py_INSTSONAME_optimized} && + (echo Debug module $Module linked against optimized %{py_INSTSONAME_optimized} ; exit 1) + + ;; + *.%{SOABI_optimized}) + ldd $Module | grep %{py_INSTSONAME_debug} && + (echo Optimized module $Module linked against debug %{py_INSTSONAME_debug} ; exit 1) + ;; + esac +done + + +# ====================================================== +# Running the upstream test suite +# ====================================================== + +topdir=$(pwd) +CheckPython() { + ConfName=$1 + ConfDir=$(pwd)/build/$ConfName + + echo STARTING: CHECKING OF PYTHON FOR CONFIGURATION: $ConfName + + # Note that we're running the tests using the version of the code in the + # builddir, not in the buildroot. + + # Show some info, helpful for debugging test failures + LD_LIBRARY_PATH=$ConfDir $ConfDir/python -m test.pythoninfo + + # Run the upstream test suite + # --timeout=1800: kill test running for longer than 30 minutes + # test_gdb skipped on s390x: + # https://bugzilla.redhat.com/show_bug.cgi?id=1678277 + # test_gdb skipped everywhere: + # https://bugzilla.redhat.com/show_bug.cgi?id=1734327 + # test_distutils + # distutils.tests.test_bdist_rpm tests fail when bootstraping the Python + # package: rpmbuild requires /usr/bin/pythonX.Y to be installed + LD_LIBRARY_PATH=$ConfDir $ConfDir/python -m test.regrtest \ + -wW --slowest -j0 --timeout=1800 \ + %if %{with bootstrap} + -x test_distutils \ + %endif + -x test_gdb \ + %ifarch %{mips64} + -x test_ctypes \ + %endif + + echo FINISHED: CHECKING OF PYTHON FOR CONFIGURATION: $ConfName + +} + +%if %{with tests} + +# Check each of the configurations: +%if %{with debug_build} +CheckPython debug +%endif # with debug_build +CheckPython optimized + +%endif # with tests + + +%post +# Alternative for /usr/bin/python -> /usr/bin/python3 + man page +alternatives --install %{_bindir}/unversioned-python \ + python \ + %{_bindir}/python3 \ + 300 \ + --slave %{_bindir}/python \ + unversioned-python \ + %{_bindir}/python3 \ + --slave %{_mandir}/man1/python.1.gz \ + unversioned-python-man \ + %{_mandir}/man1/python3.1.gz + +# Alternative for /usr/bin/python -> /usr/bin/python3.8 + man page +alternatives --install %{_bindir}/unversioned-python \ + python \ + %{_bindir}/python3.8 \ + 208 \ + --slave %{_bindir}/python \ + unversioned-python \ + %{_bindir}/python3.8 \ + --slave %{_mandir}/man1/python.1.gz \ + unversioned-python-man \ + %{_mandir}/man1/python3.8.1.gz + +# Alternative for /usr/bin/python3 -> /usr/bin/python3.8 + related files +# Create only if it doesn't exist already +EXISTS=`alternatives --display python3 | \ + grep -c "^/usr/bin/python3.8 - priority [0-9]*"` + +if [ $EXISTS -eq 0 ]; then + alternatives --install %{_bindir}/python3 \ + python3 \ + %{_bindir}/python3.8 \ + 3800 \ + --slave %{_mandir}/man1/python3.1.gz \ + python3-man \ + %{_mandir}/man1/python3.8.1.gz \ + --slave %{_bindir}/pydoc3 \ + pydoc3 \ + %{_bindir}/pydoc3.8 \ + --slave %{_bindir}/pydoc-3 \ + pydoc-3 \ + %{_bindir}/pydoc3.8 +fi + +%postun +# Do this only during uninstall process (not during update) +if [ $1 -eq 0 ]; then + alternatives --keep-foreign --remove python \ + %{_bindir}/python3.8 + + alternatives --keep-foreign --remove python3 \ + %{_bindir}/python3.8 + + # Remove link python → python3 if no other python3.* exists + if ! alternatives --display python3 > /dev/null; then + alternatives --keep-foreign --remove python \ + %{_bindir}/python3 + fi +fi + + +%post devel +alternatives --add-slave python3 %{_bindir}/python3.8 \ + %{_bindir}/python3-config \ + python3-config \ + %{_bindir}/python3.8-config + +%postun devel +# Do this only during uninstall process (not during update) +if [ $1 -eq 0 ]; then + alternatives --keep-foreign --remove-slave python3 %{_bindir}/python3.8 \ + python3-config +fi + + +%post debug +alternatives --add-slave python3 %{_bindir}/python3.8 \ + %{_bindir}/python3-debug \ + python3-debug \ + %{_bindir}/python3.8d +alternatives --add-slave python3 %{_bindir}/python3.8 \ + %{_bindir}/python3-debug-config \ + python3-debug-config \ + %{_bindir}/python3.8d-config + +%postun debug +# Do this only during uninstall process (not during update) +if [ $1 -eq 0 ]; then + alternatives --keep-foreign --remove-slave python3 %{_bindir}/python3.8 \ + python3-debug + alternatives --keep-foreign --remove-slave python3 %{_bindir}/python3.8 \ + python3-debug-config +fi + + +%post idle +alternatives --add-slave python3 %{_bindir}/python3.8 \ + %{_bindir}/idle3 \ + idle3 \ + %{_bindir}/idle3.8 + +%postun idle +# Do this only during uninstall process (not during update) +if [ $1 -eq 0 ]; then + alternatives --keep-foreign --remove-slave python3 %{_bindir}/python3.8 \ + idle3 +fi + + +%files -n python38-rpm-macros +%license LICENSE +%doc README.rst +%{rpmmacrodir}/macros.python38 + +%files +%doc README.rst + +# Alternatives +%ghost %{_bindir}/unversioned-python +%ghost %{_mandir}/man1/python.1.gz +%ghost %{_bindir}/python3 +%ghost %{_mandir}/man1/python3.1.gz +%ghost %{_bindir}/pydoc3 +%ghost %{_bindir}/pydoc-3 + + +%if %{with main_python} +%{_bindir}/pydoc* +%{_bindir}/python3 +%else +%{_bindir}/pydoc%{pybasever} +%endif + +%{_bindir}/python%{pybasever} +%{_bindir}/python%{LDVERSION_optimized} +%{_mandir}/*/*3* + + +%if %{with main_python} +%if %{without flatpackage} +%files -n python-unversioned-command +%endif +%{_bindir}/python +%{_mandir}/*/python.1* +%endif + +%if %{without flatpackage} +%files libs +%doc README.rst +%endif + +%dir %{pylibdir} +%dir %{dynload_dir} + +%license %{pylibdir}/LICENSE.txt + +%{pylibdir}/lib2to3 +%if %{without flatpackage} +%exclude %{pylibdir}/lib2to3/tests +%endif + +%dir %{pylibdir}/unittest/ +%dir %{pylibdir}/unittest/__pycache__/ +%{pylibdir}/unittest/*.py +%{pylibdir}/unittest/__pycache__/*%{bytecode_suffixes} + +%dir %{pylibdir}/asyncio/ +%dir %{pylibdir}/asyncio/__pycache__/ +%{pylibdir}/asyncio/*.py +%{pylibdir}/asyncio/__pycache__/*%{bytecode_suffixes} + +%dir %{pylibdir}/venv/ +%dir %{pylibdir}/venv/__pycache__/ +%{pylibdir}/venv/*.py +%{pylibdir}/venv/__pycache__/*%{bytecode_suffixes} +%{pylibdir}/venv/scripts + +%{pylibdir}/wsgiref +%{pylibdir}/xmlrpc + +%dir %{pylibdir}/ensurepip/ +%dir %{pylibdir}/ensurepip/__pycache__/ +%{pylibdir}/ensurepip/*.py +%{pylibdir}/ensurepip/__pycache__/*%{bytecode_suffixes} + +%if %{with rpmwheels} +%exclude %{pylibdir}/ensurepip/_bundled +%else +%dir %{pylibdir}/ensurepip/_bundled +%{pylibdir}/ensurepip/_bundled/*.whl +%endif + +%dir %{pylibdir}/concurrent/ +%dir %{pylibdir}/concurrent/__pycache__/ +%{pylibdir}/concurrent/*.py +%{pylibdir}/concurrent/__pycache__/*%{bytecode_suffixes} + +%dir %{pylibdir}/concurrent/futures/ +%dir %{pylibdir}/concurrent/futures/__pycache__/ +%{pylibdir}/concurrent/futures/*.py +%{pylibdir}/concurrent/futures/__pycache__/*%{bytecode_suffixes} + +%{pylibdir}/pydoc_data + +%{dynload_dir}/_blake2.%{SOABI_optimized}.so +%{dynload_dir}/_sha3.%{SOABI_optimized}.so +%{dynload_dir}/_hmacopenssl.%{SOABI_optimized}.so + +%{dynload_dir}/_asyncio.%{SOABI_optimized}.so +%{dynload_dir}/_bisect.%{SOABI_optimized}.so +%{dynload_dir}/_bz2.%{SOABI_optimized}.so +%{dynload_dir}/_codecs_cn.%{SOABI_optimized}.so +%{dynload_dir}/_codecs_hk.%{SOABI_optimized}.so +%{dynload_dir}/_codecs_iso2022.%{SOABI_optimized}.so +%{dynload_dir}/_codecs_jp.%{SOABI_optimized}.so +%{dynload_dir}/_codecs_kr.%{SOABI_optimized}.so +%{dynload_dir}/_codecs_tw.%{SOABI_optimized}.so +%{dynload_dir}/_contextvars.%{SOABI_optimized}.so +%{dynload_dir}/_crypt.%{SOABI_optimized}.so +%{dynload_dir}/_csv.%{SOABI_optimized}.so +%{dynload_dir}/_ctypes.%{SOABI_optimized}.so +%{dynload_dir}/_curses.%{SOABI_optimized}.so +%{dynload_dir}/_curses_panel.%{SOABI_optimized}.so +%{dynload_dir}/_dbm.%{SOABI_optimized}.so +%{dynload_dir}/_decimal.%{SOABI_optimized}.so +%{dynload_dir}/_elementtree.%{SOABI_optimized}.so +%if %{with gdbm} +%{dynload_dir}/_gdbm.%{SOABI_optimized}.so +%endif +%{dynload_dir}/_hashlib.%{SOABI_optimized}.so +%{dynload_dir}/_heapq.%{SOABI_optimized}.so +%{dynload_dir}/_json.%{SOABI_optimized}.so +%{dynload_dir}/_lsprof.%{SOABI_optimized}.so +%{dynload_dir}/_lzma.%{SOABI_optimized}.so +%{dynload_dir}/_multibytecodec.%{SOABI_optimized}.so +%{dynload_dir}/_multiprocessing.%{SOABI_optimized}.so +%{dynload_dir}/_opcode.%{SOABI_optimized}.so +%{dynload_dir}/_pickle.%{SOABI_optimized}.so +%{dynload_dir}/_posixsubprocess.%{SOABI_optimized}.so +%{dynload_dir}/_queue.%{SOABI_optimized}.so +%{dynload_dir}/_random.%{SOABI_optimized}.so +%{dynload_dir}/_socket.%{SOABI_optimized}.so +%{dynload_dir}/_sqlite3.%{SOABI_optimized}.so +%{dynload_dir}/_ssl.%{SOABI_optimized}.so +%{dynload_dir}/_statistics.%{SOABI_optimized}.so +%{dynload_dir}/_struct.%{SOABI_optimized}.so +%{dynload_dir}/array.%{SOABI_optimized}.so +%{dynload_dir}/audioop.%{SOABI_optimized}.so +%{dynload_dir}/binascii.%{SOABI_optimized}.so +%{dynload_dir}/cmath.%{SOABI_optimized}.so +%{dynload_dir}/_datetime.%{SOABI_optimized}.so +%{dynload_dir}/fcntl.%{SOABI_optimized}.so +%{dynload_dir}/grp.%{SOABI_optimized}.so +%{dynload_dir}/math.%{SOABI_optimized}.so +%{dynload_dir}/mmap.%{SOABI_optimized}.so +%{dynload_dir}/nis.%{SOABI_optimized}.so +%{dynload_dir}/ossaudiodev.%{SOABI_optimized}.so +%{dynload_dir}/parser.%{SOABI_optimized}.so +%{dynload_dir}/_posixshmem.%{SOABI_optimized}.so +%{dynload_dir}/pyexpat.%{SOABI_optimized}.so +%{dynload_dir}/readline.%{SOABI_optimized}.so +%{dynload_dir}/resource.%{SOABI_optimized}.so +%{dynload_dir}/select.%{SOABI_optimized}.so +%{dynload_dir}/spwd.%{SOABI_optimized}.so +%{dynload_dir}/syslog.%{SOABI_optimized}.so +%{dynload_dir}/termios.%{SOABI_optimized}.so +%{dynload_dir}/unicodedata.%{SOABI_optimized}.so +%{dynload_dir}/_uuid.%{SOABI_optimized}.so +%{dynload_dir}/xxlimited.%{SOABI_optimized}.so +%{dynload_dir}/_xxsubinterpreters.%{SOABI_optimized}.so +%{dynload_dir}/zlib.%{SOABI_optimized}.so + +%dir %{pylibdir}/site-packages/ +%dir %{pylibdir}/site-packages/__pycache__/ +%{pylibdir}/site-packages/README.txt +%{pylibdir}/*.py +%dir %{pylibdir}/__pycache__/ +%{pylibdir}/__pycache__/*%{bytecode_suffixes} + +%dir %{pylibdir}/collections/ +%dir %{pylibdir}/collections/__pycache__/ +%{pylibdir}/collections/*.py +%{pylibdir}/collections/__pycache__/*%{bytecode_suffixes} + +%dir %{pylibdir}/ctypes/ +%dir %{pylibdir}/ctypes/__pycache__/ +%{pylibdir}/ctypes/*.py +%{pylibdir}/ctypes/__pycache__/*%{bytecode_suffixes} +%{pylibdir}/ctypes/macholib + +%{pylibdir}/curses + +%dir %{pylibdir}/dbm/ +%dir %{pylibdir}/dbm/__pycache__/ +%{pylibdir}/dbm/*.py +%{pylibdir}/dbm/__pycache__/*%{bytecode_suffixes} + +%dir %{pylibdir}/distutils/ +%dir %{pylibdir}/distutils/__pycache__/ +%{pylibdir}/distutils/*.py +%{pylibdir}/distutils/__pycache__/*%{bytecode_suffixes} +%{pylibdir}/distutils/README +%{pylibdir}/distutils/command + +%dir %{pylibdir}/email/ +%dir %{pylibdir}/email/__pycache__/ +%{pylibdir}/email/*.py +%{pylibdir}/email/__pycache__/*%{bytecode_suffixes} +%{pylibdir}/email/mime +%doc %{pylibdir}/email/architecture.rst + +%{pylibdir}/encodings + +%{pylibdir}/html +%{pylibdir}/http + +%dir %{pylibdir}/importlib/ +%dir %{pylibdir}/importlib/__pycache__/ +%{pylibdir}/importlib/*.py +%{pylibdir}/importlib/__pycache__/*%{bytecode_suffixes} + +%dir %{pylibdir}/json/ +%dir %{pylibdir}/json/__pycache__/ +%{pylibdir}/json/*.py +%{pylibdir}/json/__pycache__/*%{bytecode_suffixes} + +%{pylibdir}/logging +%{pylibdir}/multiprocessing + +%dir %{pylibdir}/sqlite3/ +%dir %{pylibdir}/sqlite3/__pycache__/ +%{pylibdir}/sqlite3/*.py +%{pylibdir}/sqlite3/__pycache__/*%{bytecode_suffixes} + +%if %{without flatpackage} +%exclude %{pylibdir}/turtle.py +%exclude %{pylibdir}/__pycache__/turtle*%{bytecode_suffixes} +%endif + +%{pylibdir}/urllib +%{pylibdir}/xml + +%if "%{_lib}" == "lib64" +%attr(0755,root,root) %dir %{_prefix}/lib/python%{pybasever} +%attr(0755,root,root) %dir %{_prefix}/lib/python%{pybasever}/site-packages +%attr(0755,root,root) %dir %{_prefix}/lib/python%{pybasever}/site-packages/__pycache__/ +%endif + +# "Makefile" and the config-32/64.h file are needed by +# distutils/sysconfig.py:_init_posix(), so we include them in the core +# package, along with their parent directories (bug 531901): +%dir %{pylibdir}/config-%{LDVERSION_optimized}-%{platform_triplet}/ +%{pylibdir}/config-%{LDVERSION_optimized}-%{platform_triplet}/Makefile +%dir %{_includedir}/python%{LDVERSION_optimized}/ +%{_includedir}/python%{LDVERSION_optimized}/%{_pyconfig_h} + +%{_libdir}/%{py_INSTSONAME_optimized} +%if %{with main_python} +%{_libdir}/libpython3.so +%endif + + +%if %{without flatpackage} +%files devel +%endif + +%if %{with main_python} +%{_bindir}/2to3 +%endif + +%{pylibdir}/config-%{LDVERSION_optimized}-%{platform_triplet}/* +%if %{without flatpackage} +%exclude %{pylibdir}/config-%{LDVERSION_optimized}-%{platform_triplet}/Makefile +%exclude %{_includedir}/python%{LDVERSION_optimized}/%{_pyconfig_h} +%endif +%{_includedir}/python%{LDVERSION_optimized}/*.h +%{_includedir}/python%{LDVERSION_optimized}/internal/ +%{_includedir}/python%{LDVERSION_optimized}/cpython/ +%doc Misc/README.valgrind Misc/valgrind-python.supp Misc/gdbinit + +%if %{with main_python} +%{_bindir}/python3-config +%{_bindir}/python-config +%{_libdir}/pkgconfig/python3.pc +%{_libdir}/pkgconfig/python.pc +%{_libdir}/pkgconfig/python3-embed.pc +%{_bindir}/pathfix.py +%{_bindir}/pygettext3.py +%{_bindir}/pygettext.py +%{_bindir}/msgfmt3.py +%{_bindir}/msgfmt.py +%endif + +%{_bindir}/2to3-%{pybasever} +%{_bindir}/pathfix%{pybasever}.py +%{_bindir}/pygettext%{pybasever}.py +%{_bindir}/msgfmt%{pybasever}.py + +%{_bindir}/python%{pybasever}-config +%{_bindir}/python%{LDVERSION_optimized}-config +%{_bindir}/python%{LDVERSION_optimized}-*-config +# Alternatives +%ghost %{_bindir}/python3-config + +%{_libdir}/libpython%{LDVERSION_optimized}.so +%{_libdir}/pkgconfig/python-%{LDVERSION_optimized}.pc +%{_libdir}/pkgconfig/python-%{LDVERSION_optimized}-embed.pc +%{_libdir}/pkgconfig/python-%{pybasever}.pc +%{_libdir}/pkgconfig/python-%{pybasever}-embed.pc + + +%if %{without flatpackage} +%files idle +%endif + +%if %{with main_python} +%{_bindir}/idle* +%else +%{_bindir}/idle%{pybasever} +# Alternatives +%ghost %{_bindir}/idle3 +%endif + +%{pylibdir}/idlelib + +%if %{with main_python} +%{_metainfodir}/idle3.appdata.xml +%{_datadir}/applications/idle3.desktop +%{_datadir}/icons/hicolor/*/apps/idle3.* +%endif + +%if %{without flatpackage} +%files tkinter +%endif + +%{pylibdir}/tkinter +%if %{without flatpackage} +%exclude %{pylibdir}/tkinter/test +%endif +%{dynload_dir}/_tkinter.%{SOABI_optimized}.so +%{pylibdir}/turtle.py +%{pylibdir}/__pycache__/turtle*%{bytecode_suffixes} +%dir %{pylibdir}/turtledemo +%{pylibdir}/turtledemo/*.py +%{pylibdir}/turtledemo/*.cfg +%dir %{pylibdir}/turtledemo/__pycache__/ +%{pylibdir}/turtledemo/__pycache__/*%{bytecode_suffixes} + + +%if %{without flatpackage} +%files test +%endif + +%{pylibdir}/ctypes/test +%{pylibdir}/distutils/tests +%{pylibdir}/sqlite3/test +%{pylibdir}/test +%{dynload_dir}/_ctypes_test.%{SOABI_optimized}.so +%{dynload_dir}/_testbuffer.%{SOABI_optimized}.so +%{dynload_dir}/_testcapi.%{SOABI_optimized}.so +%{dynload_dir}/_testimportmultiple.%{SOABI_optimized}.so +%{dynload_dir}/_testinternalcapi.%{SOABI_optimized}.so +%{dynload_dir}/_testmultiphase.%{SOABI_optimized}.so +%{dynload_dir}/_xxtestfuzz.%{SOABI_optimized}.so +%{pylibdir}/lib2to3/tests +%{pylibdir}/tkinter/test +%{pylibdir}/unittest/test + +# We don't bother splitting the debug build out into further subpackages: +# if you need it, you're probably a developer. + +# Hence the manifest is the combination of analogous files in the manifests of +# all of the other subpackages + +%if %{with debug_build} +%if %{without flatpackage} +%files debug +%endif + +%if %{with main_python} +%{_bindir}/python3-debug +%{_bindir}/python-debug +%endif + +# Analog of the core subpackage's files: +%{_bindir}/python%{LDVERSION_debug} +# Alternatives +%ghost %{_bindir}/python3-debug + +# Analog of the -libs subpackage's files: +# ...with debug builds of the built-in "extension" modules: + +%{dynload_dir}/_blake2.%{SOABI_debug}.so +%{dynload_dir}/_sha3.%{SOABI_debug}.so +%{dynload_dir}/_hmacopenssl.%{SOABI_debug}.so + +%{dynload_dir}/_asyncio.%{SOABI_debug}.so +%{dynload_dir}/_bisect.%{SOABI_debug}.so +%{dynload_dir}/_bz2.%{SOABI_debug}.so +%{dynload_dir}/_codecs_cn.%{SOABI_debug}.so +%{dynload_dir}/_codecs_hk.%{SOABI_debug}.so +%{dynload_dir}/_codecs_iso2022.%{SOABI_debug}.so +%{dynload_dir}/_codecs_jp.%{SOABI_debug}.so +%{dynload_dir}/_codecs_kr.%{SOABI_debug}.so +%{dynload_dir}/_codecs_tw.%{SOABI_debug}.so +%{dynload_dir}/_contextvars.%{SOABI_debug}.so +%{dynload_dir}/_crypt.%{SOABI_debug}.so +%{dynload_dir}/_csv.%{SOABI_debug}.so +%{dynload_dir}/_ctypes.%{SOABI_debug}.so +%{dynload_dir}/_curses.%{SOABI_debug}.so +%{dynload_dir}/_curses_panel.%{SOABI_debug}.so +%{dynload_dir}/_dbm.%{SOABI_debug}.so +%{dynload_dir}/_decimal.%{SOABI_debug}.so +%{dynload_dir}/_elementtree.%{SOABI_debug}.so +%if %{with gdbm} +%{dynload_dir}/_gdbm.%{SOABI_debug}.so +%endif +%{dynload_dir}/_hashlib.%{SOABI_debug}.so +%{dynload_dir}/_heapq.%{SOABI_debug}.so +%{dynload_dir}/_json.%{SOABI_debug}.so +%{dynload_dir}/_lsprof.%{SOABI_debug}.so +%{dynload_dir}/_lzma.%{SOABI_debug}.so +%{dynload_dir}/_multibytecodec.%{SOABI_debug}.so +%{dynload_dir}/_multiprocessing.%{SOABI_debug}.so +%{dynload_dir}/_opcode.%{SOABI_debug}.so +%{dynload_dir}/_pickle.%{SOABI_debug}.so +%{dynload_dir}/_posixsubprocess.%{SOABI_debug}.so +%{dynload_dir}/_queue.%{SOABI_debug}.so +%{dynload_dir}/_random.%{SOABI_debug}.so +%{dynload_dir}/_socket.%{SOABI_debug}.so +%{dynload_dir}/_sqlite3.%{SOABI_debug}.so +%{dynload_dir}/_ssl.%{SOABI_debug}.so +%{dynload_dir}/_statistics.%{SOABI_debug}.so +%{dynload_dir}/_struct.%{SOABI_debug}.so +%{dynload_dir}/array.%{SOABI_debug}.so +%{dynload_dir}/audioop.%{SOABI_debug}.so +%{dynload_dir}/binascii.%{SOABI_debug}.so +%{dynload_dir}/cmath.%{SOABI_debug}.so +%{dynload_dir}/_datetime.%{SOABI_debug}.so +%{dynload_dir}/fcntl.%{SOABI_debug}.so +%{dynload_dir}/grp.%{SOABI_debug}.so +%{dynload_dir}/math.%{SOABI_debug}.so +%{dynload_dir}/mmap.%{SOABI_debug}.so +%{dynload_dir}/nis.%{SOABI_debug}.so +%{dynload_dir}/ossaudiodev.%{SOABI_debug}.so +%{dynload_dir}/parser.%{SOABI_debug}.so +%{dynload_dir}/_posixshmem.%{SOABI_debug}.so +%{dynload_dir}/pyexpat.%{SOABI_debug}.so +%{dynload_dir}/readline.%{SOABI_debug}.so +%{dynload_dir}/resource.%{SOABI_debug}.so +%{dynload_dir}/select.%{SOABI_debug}.so +%{dynload_dir}/spwd.%{SOABI_debug}.so +%{dynload_dir}/syslog.%{SOABI_debug}.so +%{dynload_dir}/termios.%{SOABI_debug}.so +%{dynload_dir}/unicodedata.%{SOABI_debug}.so +%{dynload_dir}/_uuid.%{SOABI_debug}.so +%{dynload_dir}/_xxsubinterpreters.%{SOABI_debug}.so +%{dynload_dir}/_xxtestfuzz.%{SOABI_debug}.so +%{dynload_dir}/zlib.%{SOABI_debug}.so + +# No need to split things out the "Makefile" and the config-32/64.h file as we +# do for the regular build above (bug 531901), since they're all in one package +# now; they're listed below, under "-devel": + +%{_libdir}/%{py_INSTSONAME_debug} + +# Analog of the -devel subpackage's files: +%{pylibdir}/config-%{LDVERSION_debug}-%{platform_triplet} +%{_includedir}/python%{LDVERSION_debug} +%{_bindir}/python%{LDVERSION_debug}-config +%{_bindir}/python%{LDVERSION_debug}-*-config +%ghost %{_bindir}/python3-debug-config + +%{_libdir}/libpython%{LDVERSION_debug}.so +%{_libdir}/libpython%{LDVERSION_debug}.so.%{py_SOVERSION} +%{_libdir}/pkgconfig/python-%{LDVERSION_debug}.pc +%{_libdir}/pkgconfig/python-%{LDVERSION_debug}-embed.pc + +# Analog of the -tools subpackage's files: +# None for now; we could build precanned versions that have the appropriate +# shebang if needed + +# Analog of the tkinter subpackage's files: +%{dynload_dir}/_tkinter.%{SOABI_debug}.so + +# Analog of the -test subpackage's files: +%{dynload_dir}/_ctypes_test.%{SOABI_debug}.so +%{dynload_dir}/_testbuffer.%{SOABI_debug}.so +%{dynload_dir}/_testcapi.%{SOABI_debug}.so +%{dynload_dir}/_testimportmultiple.%{SOABI_debug}.so +%{dynload_dir}/_testinternalcapi.%{SOABI_debug}.so +%{dynload_dir}/_testmultiphase.%{SOABI_debug}.so + +%endif # with debug_build + +# We put the debug-gdb.py file inside /usr/lib/debug to avoid noise from ldconfig +# See https://bugzilla.redhat.com/show_bug.cgi?id=562980 +# +# The /usr/lib/rpm/redhat/macros defines %%__debug_package to use +# debugfiles.list, and it appears that everything below /usr/lib/debug and +# (/usr/src/debug) gets added to this file (via LISTFILES) in +# /usr/lib/rpm/find-debuginfo.sh +# +# Hence by installing it below /usr/lib/debug we ensure it is added to the +# -debuginfo subpackage +# (if it doesn't, then the rpmbuild ought to fail since the debug-gdb.py +# payload file would be unpackaged) + +# Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1476593 +%undefine _debuginfo_subpackages + +# ====================================================== +# Finally, the changelog: +# ====================================================== + +%changelog +* Tue Dec 13 2022 Charalampos Stratakis - 3.8.16-1 +- Update to 3.8.16 +- Security fix for CVE-2022-45061 +Resolves: rhbz#2144072 + +* Mon Sep 12 2022 Charalampos Stratakis - 3.8.14-1 +- Rebase to 3.8.14 +- Security fixes for CVE-2020-10735 and CVE-2021-28861 +Resolves: rhbz#1834423, rhbz#2120642 + +* Tue Jun 14 2022 Charalampos Stratakis - 3.8.13-1 +- Rebase to 3.8.13 +- Security fix for CVE-2015-20107 +- Fix the test suite support for Expat >= 2.4.5 +Resolves: rhbz#2075390 + +* Wed Sep 15 2021 Charalampos Stratakis - 3.8.12-1 +- Update to 3.8.12 +Resolves: rhbz#2004587 + +* Tue Sep 07 2021 Charalampos Stratakis - 3.8.11-1 +- Update to 3.8.11 +- Fix for CVE-2021-3733 and CVE-2021-3737 +Resolves: rhbz#1995234, rhbz#1995162 + +* Mon Aug 02 2021 Tomas Orsava - 3.8.8-4 +- Adjusted the postun scriptlets to enable upgrading to RHEL 9 +- Resolves: rhbz#1933055 + +* Tue Jul 27 2021 Charalampos Stratakis - 3.8.8-3 +- Security fix for CVE-2021-29921: Leading zeros in IPv4 addresses are no longer tolerated +Resolves: rhbz#1957458 + +* Fri Apr 30 2021 Charalampos Stratakis - 3.8.8-2 +- Security fix for CVE-2021-3426: information disclosure via pydoc +Resolves: rhbz#1935913 + +* Mon Mar 15 2021 Lumír Balhar - 3.8.8-1 +- Update to 3.8.8 and fix CVE-2021-23336 +Resolves: rhbz#1928904 + +* Fri Jan 22 2021 Charalampos Stratakis - 3.8.6-3 +- Security fix for CVE-2021-3177 +Resolves: rhbz#1919161 + +* Fri Oct 23 2020 Lumír Balhar - 3.8.6-2 +- Add support for upstream architecture names +https://fedoraproject.org/wiki/Changes/Python_Upstream_Architecture_Names +Resolves: rhbz#1868006 + +* Fri Oct 09 2020 Charalampos Stratakis - 3.8.6-1 +- Update to 3.8.6 +- Security fix for CVE-2020-26116 +Resolves: rhbz#1886755, rhbz#1883259 + +* Mon Aug 17 2020 Tomas Orsava - 3.8.3-3 +- Avoid infinite loop when reading specially crafted TAR files (CVE-2019-20907) +Resolves: rhbz#1856481 +- Resolve hash collisions for Pv4Interface and IPv6Interface (CVE-2020-14422) +Resolves: rhbz#1854926 + +* Wed Jun 24 2020 Tomas Orsava - 3.8.3-2 +- Fix sqlite3 deterministic test +Related: rhbz#1847416 + +* Wed Jun 24 2020 Tomas Orsava - 3.8.3-1 +- Rebased to 3.8.3 final +- Backported changes from Fedora + - Recommend python3-tkinter when tk is installed + - Add bcond for no_semantic_interposition (enabled by default) + - Update the ensurepip module to work with setuptools >= 45 +Resolves: rhbz#1847416 + +* Thu May 07 2020 Charalampos Stratakis - 3.8.0-10 +- Fix test_hashlib and test_hmac under FIPS mode +Resolves: rhbz#1812477 + +* Thu Apr 23 2020 Lumír Balhar - 3.8.0-9 +- Fix ensurepip to run pip via runpy to fix compatibility with pip 19.3.1 +Resolves: rhbz#1827623 + +* Wed Apr 22 2020 Charalampos Stratakis - 3.8.0-8 +- Skip test_startup_imports from test_site if we have a .pth file in sys.path +Resolves: rhbz#1815643 + +* Fri Apr 03 2020 Charalampos Stratakis - 3.8.0-7 +- Security fix for CVE-2020-8492 +Resolves: rhbz#1810622 + +* Mon Feb 24 2020 Tomas Orsava - 3.8.0-6 +- Implement alternatives for /usr/bin/python, python3 and related executables +- Resolves: rhbz#1807041 + +* Fri Jan 10 2020 Charalampos Stratakis - 3.8.0-5 +- Add support for FIPS mode +- Resolves: rhbz#1793589 + +* Thu Dec 12 2019 Tomas Orsava - 3.8.0-4 +- Exclude unsupported i686 arch + +* Mon Nov 25 2019 Tomas Orsava - 3.8.0-3 +- Build Python with -fno-semantic-interposition for better performance + https://fedoraproject.org/wiki/Changes/PythonNoSemanticInterpositionSpeedup + +* Wed Nov 13 2019 Tomas Orsava - 3.8.0-2 +- Converting to RHEL8 +- Changes from Fedora + - Removed gpgverifycation as the tool used in Fedora is not present in RHEL8 + - Added versioned pathfix.py and 2to3 scripts into bindir + - Depend on python3-rpm-generators always, because they run on Python 3.6 +- Added python38-rpm-macros subpackage + - Fixed py3_install_wheel macro because python38-pip does not have + the --strip-prefix patch + +* Mon Oct 14 2019 Miro Hrončok - 3.8.0-1 +- Update to Python 3.8.0 final + +* Tue Oct 01 2019 Miro Hrončok - 3.8.0~rc1-1 +- Rebased to Python 3.8.0rc1 + +* Fri Aug 30 2019 Miro Hrončok - 3.8.0~b4-1 +- Rebased to Python 3.8.0b4 + +* Thu Aug 15 2019 Miro Hrončok - 3.8.0~b3-4 +- Enable Profile-guided optimization for all arches, not just x86 (#1741015) + +* Wed Aug 14 2019 Miro Hrončok - 3.8.0~b3-3 +- Rebuilt for Python 3.8 + +* Wed Aug 14 2019 Miro Hrončok - 3.8.0~b3-2 +- Bootstrap for Python 3.8 + +* Tue Aug 13 2019 Miro Hrončok - 3.8.0~b3-1 +- Update to 3.8.0b3 + +* Sun Aug 11 2019 Miro Hrončok - 3.7.4-5 +- Conditionalize python3-devel runtime dependencies on RPM packages and setuptools + +* Fri Jul 26 2019 Fedora Release Engineering - 3.7.4-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Mon Jul 15 2019 Lumír Balhar - 3.7.4-3 +- Move test.support module to python3-test subpackage + https://fedoraproject.org/wiki/Changes/Move_test.support_module_to_python3-test_subpackage +- Restore pyc to TIMESTAMP invalidation mode as default in rpmbubild + +* Fri Jul 12 2019 Miro Hrončok - 3.7.4-2 +- https://fedoraproject.org/wiki/Changes/Python_means_Python3 +- The python-unversioned-command package is no longer Python 2, but 3 +- The python, pydoc, python-config, python-debug, idle, pygettext.py and + msgfmt.py commands are now in python3 + +* Tue Jul 09 2019 Miro Hrončok - 3.7.4-1 +- Update to 3.7.4 + +* Tue Jul 02 2019 Miro Hrončok - 3.7.4~rc2-1 +- Update to 3.7.4rc2 + +* Tue Jun 25 2019 Miro Hrončok - 3.7.4~rc1-1 +- Update to 3.7.4rc1 + +* Tue May 07 2019 Charalampos Stratakis - 3.7.3-3 +- Fix handling of pre-normalization characters in urlsplit +- Disallow control chars in http URLs (#1695572, #1700684, #1688169, #1706851) + +* Wed Apr 17 2019 Patrik Kopkan - 3.7.3-2 +- Makes man python3.7m show python3.7 man pages (#1612241) + +* Wed Mar 27 2019 Miro Hrončok - 3.7.3-1 +- Update to 3.7.3 + +* Thu Mar 21 2019 Miro Hrončok - 3.7.3~rc1-1 +- Update to 3.7.3rc1 + +* Thu Mar 14 2019 Miro Hrončok - 3.7.2-8 +- Security fix for CVE-2019-9636 (#1688543, #1688546) + +* Sun Feb 17 2019 Igor Gnatenko - 3.7.2-7 +- Rebuild for readline 8.0 + +* Tue Feb 12 2019 Miro Hrončok - 3.7.2-6 +- Reduced default build flags used to build extension modules + https://fedoraproject.org/wiki/Changes/Python_Extension_Flags + +* Sat Feb 02 2019 Fedora Release Engineering - 3.7.2-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Wed Jan 16 2019 Miro Hrončok - 3.7.2-4 +- Security fix for CVE-2019-5010 (#1666519, #1666522) + +* Mon Jan 14 2019 Björn Esser - 3.7.2-3 +- Rebuilt for libcrypt.so.2 (#1666033) + +* Fri Jan 04 2019 Miro Hrončok - 3.7.2-2 +- No longer revert upstream commit 3b699932e5ac3e7 +- This was a dirty workaround for (#1644936) + +* Tue Dec 25 2018 Miro Hrončok - 3.7.2-1 +- Update to 3.7.2 + +* Fri Dec 07 2018 Miro Hrončok - 3.7.1-5 +- Make sure we don't ship any exe files (not needed an prebuilt) + +* Wed Nov 21 2018 Miro Hrončok - 3.7.1-4 +- Make sure the entire test.support module is in python3-libs (#1651245) + +* Tue Nov 06 2018 Victor Stinner - 3.7.1-3 +- Verify the value of '-s' when execute the CLI of cProfile (rhbz#1160640) + +* Sun Nov 04 2018 Miro Hrončok - 3.7.1-2 +- Temporarily revert upstream commit 3b699932e5ac3e7 +- This is dirty workaround for (#1644936) + +* Mon Oct 22 2018 Miro Hrončok - 3.7.1-1 +- Update to 3.7.1 + +* Thu Sep 27 2018 Petr Viktorin - 3.7.0-10 +- Compile the debug build with -Og rather than -O0 + +* Thu Aug 30 2018 Miro Hrončok - 3.7.0-9 +- Require python3-setuptools from python3-devel to prevent packaging errors (#1623914) + +* Fri Aug 17 2018 Miro Hrončok - 3.7.0-8 +- Add /usr/bin/pygettext3.py and msgfmt3.py to python3-devel +Resolves: rhbz#1571474 + +* Fri Aug 17 2018 Miro Hrončok - 3.7.0-7 +- Backport TLS 1.3 related fixes to fix FTBFS +Resolves: rhbz#1609291 + +* Wed Aug 15 2018 Miro Hrončok - 3.7.0-6 +- Use RPM built wheels of pip and setuptools in ensurepip instead of our rewheel patch + +* Fri Aug 10 2018 Igor Gnatenko - 3.7.0-5 +- Fix wrong requirement on gdbm + +* Fri Jul 20 2018 Miro Hrončok - 3.7.0-4 +- Allow to call Py_Main() after Py_Initialize() +Resolves: rhbz#1595421 + +* Sat Jul 14 2018 Fedora Release Engineering - 3.7.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Thu Jul 12 2018 Igor Gnatenko - 3.7.0-2 +- Rebuild for new gdbm + +* Wed Jun 27 2018 Miro Hrončok - 3.7.0-1 +- Update to 3.7.0 final + +* Wed Jun 13 2018 Miro Hrončok - 3.7.0-0.21.rc1 +- Finish bootstrapping, enable rewheel, tests, optimizations + +* Tue Jun 12 2018 Miro Hrončok - 3.7.0-0.20.rc1 +- Update to 3.7.0rc1 +- Bootstrap, disable rewheel, tests, optimizations + +* Mon Apr 23 2018 Miro Hrončok - 3.6.5-4 +- Fix multiprocessing regression on newer glibcs +- Enable test_multiprocessing_fork(server) and _spawn again +Resolves: rhbz#1569933 + +* Thu Apr 19 2018 Miro Hrončok - 3.6.5-3 +- Skip test_multiprocessing_fork(server) and _spawn for now + +* Wed Apr 18 2018 Miro Hrončok - 3.6.5-2 +- Add flatpackage conditionals + +* Thu Mar 29 2018 Charalampos Stratakis - 3.6.5-1 +- Update to 3.6.5 + +* Sat Mar 24 2018 Miro Hrončok - 3.6.4-20 +- Fix broken macro invocation and broken building of C Python extensions +Resolves: rhbz#1560103 + +* Fri Mar 16 2018 Miro Hrončok - 3.6.4-19 +- Add -n option for pathfix.py +Resolves: rhbz#1546990 + +* Thu Mar 15 2018 Miro Hrončok - 3.6.4-18 +- Fix the py_byte_compile macro to work on Python 2 +- Remove the pybytecompile macro file from the flat package +Resolves: rhbz#1484993 + +* Tue Mar 13 2018 Charalampos Stratakis - 3.6.4-17 +- Do not send IP addresses in SNI TLS extension + +* Sat Feb 24 2018 Florian Weimer - 3.6.4-16 +- Rebuild with new LDFLAGS from redhat-rpm-config + +* Wed Feb 21 2018 Miro Hrončok - 3.6.4-15 +- Filter out automatic /usr/bin/python3.X requirement, + recommend the main package from libs instead +Resolves: rhbz#1547131 + +* Thu Feb 15 2018 Iryna Shcherbina - 3.6.4-14 +- Remove the python3-tools package (#rhbz 1312030) +- Move /usr/bin/2to3 to python3-devel +- Move /usr/bin/idle and idlelib to python3-idle +- Provide python3-tools from python3-idle + +* Fri Feb 09 2018 Igor Gnatenko - 3.6.4-13 +- Escape macros in %%changelog + +* Fri Feb 02 2018 Michal Cyprian - 3.6.4-12 +- Remove sys.executable check from change-user-install-location patch +Resolves: rhbz#1532287 + +* Thu Feb 01 2018 Charalampos Stratakis - 3.6.4-11 +- Define TLS cipher suite on build time. + +* Wed Jan 31 2018 Tomas Orsava - 3.6.4-10 +- Disable test_gdb for all arches and test_buffer for ppc64le in anticipation + of the F28 mass rebuild +- Re-enable these tests after the mass rebuild when they can be properly + addressed + +* Tue Jan 23 2018 Charalampos Stratakis - 3.6.4-9 +- Restore the PyExc_RecursionErrorInst public symbol + +* Tue Jan 23 2018 Björn Esser - 3.6.4-8 +- Add patch to explicitly link _ctypes module with -ldl (#1537489) +- Refactored patch for libxcrypt +- Re-enable strict symbol checks in the link editor + +* Mon Jan 22 2018 Björn Esser - 3.6.4-7 +- Add patch for libxcrypt +- Disable strict symbol checks in the link editor + +* Sat Jan 20 2018 Björn Esser - 3.6.4-6 +- Rebuilt for switch to libxcrypt + +* Fri Jan 19 2018 Charalampos Stratakis - 3.6.4-5 +- Fix localeconv() encoding for LC_NUMERIC + +* Thu Jan 18 2018 Igor Gnatenko - 3.6.4-4 +- R: gdbm-devel → R: gdbm for python3-libs + +* Wed Jan 17 2018 Miro Hrončok - 3.6.4-3 +- Require large enough gdbm (fixup for previous bump) + +* Tue Jan 16 2018 Charalampos Stratakis - 3.6.4-2 +- Rebuild for reverted gdbm 1.13 on Fedora 27 + +* Mon Jan 15 2018 Charalampos Stratakis - 3.6.4-1 +- Update to version 3.6.4 + +* Fri Jan 12 2018 Charalampos Stratakis - 3.6.3-5 +- Fix the compilation of the nis module. + +* Tue Nov 21 2017 Miro Hrončok - 3.6.3-4 +- Raise the release of platform-python obsoletes for better maintainability + +* Wed Nov 15 2017 Miro Hrončok - 3.6.3-3 +- Obsolete platform-python and it's subpackages + +* Mon Oct 09 2017 Charalampos Stratakis - 3.6.3-2 +- Fix memory corruption due to allocator mix +Resolves: rhbz#1498207 + +* Fri Oct 06 2017 Charalampos Stratakis - 3.6.3-1 +- Update to Python 3.6.3 + +* Fri Sep 29 2017 Miro Hrončok - 3.6.2-19 +- Move pathfix.py to bindir, https://github.com/fedora-python/python-rpm-porting/issues/24 +- Make the -devel package require redhat-rpm-config +Resolves: rhbz#1496757 + +* Wed Sep 13 2017 Iryna Shcherbina - 3.6.2-18 +- Fix /usr/bin/env dependency from python3-tools +Resolves: rhbz#1482118 + +* Wed Sep 06 2017 Iryna Shcherbina - 3.6.2-17 +- Include `-g` in the flags sent to the linker (LDFLAGS) +Resolves: rhbz#1483222 + +* Tue Sep 05 2017 Petr Viktorin - 3.6.2-16 +- Specfile cleanup +- Make the main description also applicable to the SRPM +- Add audiotest.au to the test package + +* Fri Sep 01 2017 Miro Hrončok - 3.6.2-15 +- Remove %%{pylibdir}/Tools/scripts/2to3 + +* Fri Sep 01 2017 Miro Hrončok - 3.6.2-14 +- Expat >= 2.1.0 is everywhere, remove explicit requires +- Conditionalize systemtap-devel BuildRequires +- For consistency, require /usr/sbin/ifconfig instead of net-tools + +* Mon Aug 28 2017 Petr Viktorin - 3.6.2-13 +- Rename patch files to be consistent +- Run autotools to generate the configure script before building +- Merge lib64 patches (104 into 102) +- Skip test_bdist_rpm using test config rather than a patch (removes patch 137) +- Remove patches 157 and 186, which had test changes left over after upstreaming +- Remove patch 188, a temporary workaround for hashlib tests +- Merge patches 180, 206, 243, 5001 (architecture naming) into new patch 274 +- Move python2-tools conflicts to tools subpackage (it was wrongly in tkinter) + +* Mon Aug 28 2017 Michal Cyprian - 3.6.2-12 +- Use python3 style of calling super() without arguments in rpath + patch to prevent recursion in UnixCCompiler subclasses +Resolves: rhbz#1458122 + +* Mon Aug 21 2017 Petr Viktorin - 3.6.2-11 +- Add bcond for --without optimizations +- Reword package descriptions +- Remove Group declarations +- Skip failing test_float_with_comma + +* Mon Aug 21 2017 Miro Hrončok - 3.6.2-10 +- Remove system-python, see https://fedoraproject.org/wiki/Changes/Platform_Python_Stack + +* Wed Aug 16 2017 Petr Viktorin - 3.6.2-9 +- Use bconds for configuring the build +- Reorganize the initial sections + +* Wed Aug 16 2017 Miro Hrončok - 3.6.2-8 +- Have /usr/bin/2to3 (rhbz#1111275) +- Provide 2to3 and idle3, list them in summary and description (rhbz#1076401) + +* Fri Aug 11 2017 Michal Cyprian - 3.6.2-7 +- Revert "Add --executable option to install.py command" + This enhancement is currently not needed and it can possibly + collide with `pip --editable`option + +* Mon Aug 07 2017 Iryna Shcherbina - 3.6.2-6 +- Fix the "urllib FTP protocol stream injection" vulnerability +Resolves: rhbz#1478916 + +* Tue Aug 01 2017 Tomas Orsava - 3.6.2-5 +- Dropped BuildRequires on db4-devel which was useful for Python 2 (module + bsddb), however, no longer needod for Python 3 +- Tested building Python 3 with and without the dependency, all tests pass and + filelists of resulting RPMs are identical + +* Sun Jul 30 2017 Florian Weimer - 3.6.2-4 +- Do not generate debuginfo subpackages (#1476593) +- Rebuild with binutils fix for ppc64le (#1475636) + +* Thu Jul 27 2017 Fedora Release Engineering - 3.6.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Tue Jul 25 2017 Charalampos Stratakis - 3.6.2-2 +- Make test_asyncio to not depend on the current SIGHUP signal handler. + +* Tue Jul 18 2017 Charalampos Stratakis - 3.6.2-1 +- Update to Python 3.6.2 + +* Tue Jun 27 2017 Charalampos Stratakis - 3.6.1-10 +- Update to the latest upstream implementation of PEP 538 + +* Mon Jun 26 2017 Michal Cyprian - 3.6.1-9 +- Make pip and distutils in user environment install into separate location + +* Fri Jun 23 2017 Charalampos Stratakis - 3.6.1-8 +- Fix test_alpn_protocols from test_ssl +- Do not require rebundled setuptools dependencies + +* Tue May 16 2017 Tomas Orsava - 3.6.1-7 +- Added a dependency to the devel subpackage on python3-rpm-generators which + have been excised out of rpm-build +- Updated notes on bootstrapping Python on top of this specfile accordingly +- Involves: rhbz#1410631, rhbz#1444925 + +* Tue May 09 2017 Charalampos Stratakis - 3.6.1-6 +- Enable profile guided optimizations for x86_64 and i686 architectures +- Update to a newer implementation of PEP 538 +- Update description to reflect that Python 3 is now the default Python + +* Fri May 05 2017 Charalampos Stratakis - 3.6.1-5 +- Update PEP 538 to the latest upstream implementation + +* Tue Apr 18 2017 Charalampos Stratakis - 3.6.1-4 +- Enable link time optimizations +- Move windows executables to the devel subpackage (rhbz#1426257) + +* Thu Apr 13 2017 Tomas Orsava - 3.6.1-3 +- Rename python3.Xdm-config script from -debug to be arch specific +Resolves: rhbz#1179073 + +* Wed Apr 05 2017 Charalampos Stratakis - 3.6.1-2 +- Install the Makefile in its proper location (rhbz#1438219) + +* Wed Mar 22 2017 Iryna Shcherbina - 3.6.1-1 +- Update to version 3.6.1 final + +* Tue Mar 21 2017 Tomas Orsava - 3.6.1-0.2.rc1 +- Fix syntax error in %%py_byte_compile macro (rhbz#1433569) + +* Thu Mar 16 2017 Iryna Shcherbina - 3.6.1-0.1.rc1 +- Update to Python 3.6.1 release candidate 1 +- Add patch 264 to skip a known test failure on aarch64 + +* Fri Mar 10 2017 Charalampos Stratakis - 3.6.0-21 +- Use proper command line parsing in _testembed +- Backport of PEP 538: Coercing the legacy C locale to a UTF-8 based locale + https://fedoraproject.org/wiki/Changes/python3_c.utf-8_locale + +* Mon Feb 27 2017 Charalampos Stratakis - 3.6.0-20 +- Add desktop entry and appdata.xml file for IDLE 3 (rhbz#1392049) + +* Fri Feb 24 2017 Michal Cyprian - 3.6.0-19 +- Revert "Set values of prefix and exec_prefix to /usr/local for + /usr/bin/python* executables..." to prevent build failures + of packages using alternate build tools + +* Tue Feb 21 2017 Michal Cyprian - 3.6.0-18 +- Set values of prefix and exec_prefix to /usr/local for + /usr/bin/python* executables +- Use new %%_module_build macro + +* Fri Feb 17 2017 Michal Cyprian - 3.6.0-13 +- Add --executable option to install.py command + +* Wed Feb 15 2017 Charalampos Stratakis - 3.6.0-12 +- BuildRequire the new dependencies of setuptools when rewheel mode is enabled +in order for the virtualenvs to work properly + +* Sat Feb 11 2017 Fedora Release Engineering - 3.6.0-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Wed Feb 01 2017 Stephen Gallagher - 3.6.0-10 +- Add missing %%license macro + +* Thu Jan 26 2017 Tomas Orsava - 3.6.0-9 +- Modify the runtime dependency of python3-libs on system-python-libs again, + because previous attempt didn't work properly with dnf resolving mechanism + +* Wed Jan 25 2017 Tomas Orsava - 3.6.0-8 +- Modify the runtime dependency of python3-libs on system-python-libs to use + just the version and release number, but not the dist tag due to Modularity + +* Mon Jan 16 2017 Charalampos Stratakis - 3.6.0-7 +- Fix error check, so that Random.seed actually uses OS randomness (rhbz#1412275) +- Skip test_aead_aes_gcm during rpmbuild + +* Thu Jan 12 2017 Igor Gnatenko - 3.6.0-6 +- Rebuild for readline 7.x + +* Tue Jan 10 2017 Charalampos Stratakis - 3.6.0-5 +- Require glibc >= 2.24.90-26 for system-python-libs (rhbz#1410644) + +* Mon Jan 09 2017 Charalampos Stratakis - 3.6.0-4 +- Define HAVE_LONG_LONG as 1 for backwards compatibility + +* Thu Jan 05 2017 Miro Hrončok - 3.6.0-3 +- Don't blow up on EL7 kernel (random generator) (rhbz#1410175) + +* Tue Dec 27 2016 Charalampos Stratakis - 3.6.0-1 +- Update to Python 3.6.0 final + +* Fri Dec 09 2016 Charalampos Stratakis - 3.6.0-0.6.rc1 +- Enable rewheel + +* Wed Dec 07 2016 Charalampos Stratakis - 3.6.0-0.5.rc1 +- Update to Python 3.6.0 release candidate 1 + +* Mon Dec 05 2016 Charalampos Stratakis - 3.6.0-0.4.b4 +- Update to Python 3.6.0 beta 4 + +* Mon Dec 05 2016 Charalampos Stratakis - 3.5.2-7 +- Set to work with pip version 9.0.1 + +* Wed Oct 12 2016 Charalampos Stratakis - 3.5.2-6 +- Use proper patch numbering and base upstream branch for +porting ssl and hashlib modules to OpenSSL 1.1.0 +- Drop hashlib patch for now +- Add riscv64 arch to 64bit and no-valgrind arches + +* Tue Oct 11 2016 Tomáš Mráz - 3.5.2-5 +- Make it build with OpenSSL-1.1.0 based on upstream patch + +* Wed Sep 14 2016 Charalampos Stratakis - 3.5.2-4 +- Obsolete and Provide python35 package + +* Mon Sep 12 2016 Charalampos Stratakis - 3.5.2-3 +- Update %%py_byte_compile macro +- Remove unused configure flags (rhbz#1374357) + +* Fri Sep 09 2016 Tomas Orsava - 3.5.2-2 +- Updated .pyc 'bytecompilation with the newly installed interpreter' to also + recompile optimized .pyc files +- Removed .pyo 'bytecompilation with the newly installed interpreter', as .pyo + files are no more +- Resolves rhbz#1373635 + +* Mon Aug 15 2016 Tomas Orsava - 3.5.2-1 +- Rebased to version 3.5.2 +- Set to work with pip version 8.1.2 +- Removed patches 207, 237, 241 as fixes are already contained in Python 3.5.2 +- Removed arch or environment specific patches 194, 196, 203, and 208 + as test builds indicate they are no longer needed +- Updated patches 102, 146, and 242 to work with the new Python codebase +- Removed patches 200, 201, 5000 which weren't even being applied + +* Tue Aug 09 2016 Charalampos Stratakis - 3.5.1-15 +- Fix for CVE-2016-1000110 HTTPoxy attack +- SPEC file cleanup + +* Mon Aug 01 2016 Michal Toman - 3.5.1-14 +- Build properly on MIPS + +* Tue Jul 19 2016 Fedora Release Engineering - 3.5.1-13 +- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages + +* Fri Jul 08 2016 Charalampos Stratakis - 3.5.1-12 +- Refactor patch for properly fixing CVE-2016-5636 + +* Fri Jul 08 2016 Charalampos Stratakis - 3.5.1-11 +- Fix test_pyexpat failure with Expat version of 2.2.0 + +* Fri Jul 08 2016 Miro Hrončok - 3.5.1-10 +- Move xml module to system-python-libs + +* Thu Jun 16 2016 Tomas Orsava - 3.5.1-9 +- Fix for: CVE-2016-0772 python: smtplib StartTLS stripping attack +- Raise an error when STARTTLS fails +- rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647 +- rhbz#1346345: https://bugzilla.redhat.com/show_bug.cgi?id=1346345 +- Fixed upstream: https://hg.python.org/cpython/rev/d590114c2394 + +* Mon Jun 13 2016 Charalampos Stratakis - 3.5.1-8 +- Added patch for fixing possible integer overflow and heap corruption in zipimporter.get_data() + +* Fri Mar 04 2016 Miro Hrončok - 3.5.1-7 +- Move distutils to system-python-libs + +* Wed Feb 24 2016 Robert Kuska - 3.5.1-6 +- Provide python3-enum34 + +* Fri Feb 19 2016 Miro Hrončok - 3.5.1-5 +- Provide System Python packages and macros + +* Thu Feb 04 2016 Fedora Release Engineering - 3.5.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Jan 13 2016 Orion Poplwski - 3.5.1-2 +- Drop python3 macros, require python/python3-rpm-macros + +* Mon Dec 14 2015 Robert Kuska - 3.5.1-1 +- Update to 3.5.1 +- Removed patch 199 and 207 (upstream) + +* Sun Nov 15 2015 Robert Kuska - 3.5.0-5 +- Remove versioned libpython from devel package + +* Fri Nov 13 2015 Than Ngo 3.5.0-4 +- add correct arch for ppc64/ppc64le to fix build failure + +* Wed Nov 11 2015 Robert Kuska - 3.5.0-3 +- Hide the private _Py_atomic_xxx symbols from public header + +* Wed Oct 14 2015 Robert Kuska - 3.5.0-2 +- Rebuild with wheel set to 1 + +* Tue Sep 15 2015 Matej Stuchlik - 3.5.0-1 +- Update to 3.5.0 + +* Mon Jun 29 2015 Thomas Spura - 3.4.3-4 +- python3-devel: Require python-macros for version independant macros such as + python_provide. See fpc#281 and fpc#534. + +* Thu Jun 18 2015 Fedora Release Engineering - 3.4.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Wed Jun 17 2015 Matej Stuchlik - 3.4.3-4 +- Use 1024bit DH key in test_ssl +- Use -O0 when compiling -debug build +- Update pip version variable to the version we actually ship + +* Wed Jun 17 2015 Matej Stuchlik - 3.4.3-3 +- Make relocating Python by changing _prefix actually work +Resolves: rhbz#1231801 + +* Mon May 4 2015 Peter Robinson 3.4.3-2 +- Disable test_gdb on aarch64 (rhbz#1196181), it joins all other non x86 arches + +* Thu Mar 12 2015 Matej Stuchlik - 3.4.3-1 +- Updated to 3.4.3 +- BuildPython now accepts additional build options +- Temporarily disabled test_gdb on arm (rhbz#1196181) + +* Wed Feb 25 2015 Matej Stuchlik - 3.4.2-7 +- Fixed undefined behaviour in faulthandler which caused test to hang on x86_64 + (http://bugs.python.org/issue23433) + +* Sat Feb 21 2015 Till Maas - 3.4.2-6 +- Rebuilt for Fedora 23 Change + https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code + +* Tue Feb 17 2015 Ville Skyttä - 3.4.2-5 +- Own systemtap dirs (#710733) + +* Mon Jan 12 2015 Dan Horák - 3.4.2-4 +- build with valgrind on ppc64le +- disable test_gdb on s390(x) until rhbz#1181034 is resolved + +* Tue Dec 16 2014 Robert Kuska - 3.4.2-3 +- New patches: 170 (gc asserts), 200 (gettext headers), + 201 (gdbm memory leak) + +* Thu Dec 11 2014 Robert Kuska - 3.4.2-2 +- OpenSSL disabled SSLv3 in SSLv23 method + +* Thu Nov 13 2014 Matej Stuchlik - 3.4.2-1 +- Update to 3.4.2 +- Refreshed patches: 156 (gdb autoload) +- Removed: 195 (Werror declaration), 197 (CVE-2014-4650) + +* Mon Nov 03 2014 Slavek Kabrda - 3.4.1-16 +- Fix CVE-2014-4650 - CGIHTTPServer URL handling +Resolves: rhbz#1113529 + +* Sun Sep 07 2014 Karsten Hopp 3.4.1-15 +- exclude test_gdb on ppc* (rhbz#1132488) + +* Thu Aug 21 2014 Slavek Kabrda - 3.4.1-14 +- Update rewheel patch with fix from https://github.com/bkabrda/rewheel/pull/1 + +* Sun Aug 17 2014 Fedora Release Engineering - 3.4.1-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sun Jun 8 2014 Peter Robinson 3.4.1-12 +- aarch64 has valgrind, just list those that don't support it + +* Sun Jun 08 2014 Fedora Release Engineering - 3.4.1-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Wed Jun 04 2014 Karsten Hopp 3.4.1-10 +- bump release and rebuild to link with the correct tcl/tk libs on ppcle + +* Tue Jun 03 2014 Matej Stuchlik - 3.4.1-9 +- Change paths to bundled projects in rewheel patch + +* Fri May 30 2014 Miro Hrončok - 3.4.1-8 +- In config script, use uname -m to write the arch + +* Thu May 29 2014 Dan Horák - 3.4.1-7 +- update the arch list where valgrind exists - %%power64 includes also + ppc64le which is not supported yet + +* Thu May 29 2014 Miro Hrončok - 3.4.1-6 +- Forward arguments to the arch specific config script +Resolves: rhbz#1102683 + +* Wed May 28 2014 Miro Hrončok - 3.4.1-5 +- Rename python3.Xm-config script to arch specific. +Resolves: rhbz#1091815 + +* Tue May 27 2014 Bohuslav Kabrda - 3.4.1-4 +- Use python3-*, not python-* runtime requires on setuptools and pip +- rebuild for tcl-8.6 + +* Tue May 27 2014 Matej Stuchlik - 3.4.1-3 +- Update the rewheel module + +* Mon May 26 2014 Miro Hrončok - 3.4.1-2 +- Fix multilib dependencies. +Resolves: rhbz#1091815 + +* Sun May 25 2014 Matej Stuchlik - 3.4.1-1 +- Update to Python 3.4.1 + +* Sun May 25 2014 Matej Stuchlik - 3.4.0-8 +- Fix test_gdb failure on ppc64le +Resolves: rhbz#1095355 + +* Thu May 22 2014 Miro Hrončok - 3.4.0-7 +- Add macro %%python3_version_nodots + +* Sun May 18 2014 Matej Stuchlik - 3.4.0-6 +- Disable test_faulthandler, test_gdb on aarch64 +Resolves: rhbz#1045193 + +* Fri May 16 2014 Matej Stuchlik - 3.4.0-5 +- Don't add Werror=declaration-after-statement for extension + modules through setup.py (PyBT#21121) + +* Mon May 12 2014 Matej Stuchlik - 3.4.0-4 +- Add setuptools and pip to Requires + +* Tue Apr 29 2014 Matej Stuchlik - 3.4.0-3 +- Point __os_install_post to correct brp-* files + +* Tue Apr 15 2014 Matej Stuchlik - 3.4.0-2 +- Temporarily disable tests requiring SIGHUP (rhbz#1088233) + +* Tue Apr 15 2014 Matej Stuchlik - 3.4.0-1 +- Update to Python 3.4 final +- Add patch adding the rewheel module +- Merge patches from master + +* Wed Jan 08 2014 Bohuslav Kabrda - 3.4.0-0.1.b2 +- Update to Python 3.4 beta 2. +- Refreshed patches: 55 (systemtap), 146 (hashlib-fips), 154 (test_gdb noise) +- Dropped patches: 114 (statvfs constants), 177 (platform unicode) + +* Mon Nov 25 2013 Bohuslav Kabrda - 3.4.0-0.1.b1 +- Update to Python 3.4 beta 1. +- Refreshed patches: 102 (lib64), 111 (no static lib), 125 (less verbose COUNT +ALLOCS), 141 (fix COUNT_ALLOCS in test_module), 146 (hashlib fips), +157 (UID+GID overflows), 173 (ENOPROTOOPT in bind_port) +- Removed patch 00187 (remove pthread atfork; upstreamed) + +* Mon Nov 04 2013 Bohuslav Kabrda - 3.4.0-0.1.a4 +- Update to Python 3.4 alpha 4. +- Refreshed patches: 55 (systemtap), 102 (lib64), 111 (no static lib), +114 (statvfs flags), 132 (unittest rpmbuild hooks), 134 (fix COUNT_ALLOCS in +test_sys), 143 (tsc on ppc64), 146 (hashlib fips), 153 (test gdb noise), +157 (UID+GID overflows), 173 (ENOPROTOOPT in bind_port), 186 (dont raise +from py_compile) +- Removed patches: 129 (test_subprocess nonreadable dir - no longer fails in +Koji), 142 (the mock issue that caused this is fixed) +- Added patch 187 (remove thread atfork) - will be in next version +- Refreshed script for checking pyc and pyo timestamps with new ignored files. +- The fips patch is disabled for now until upstream makes a final decision +what to do with sha3 implementation for 3.4.0. + +* Wed Oct 30 2013 Bohuslav Kabrda - 3.3.2-7 +- Bytecompile all *.py files properly during build (rhbz#1023607) + +* Fri Aug 23 2013 Matej Stuchlik - 3.3.2-6 +- Added fix for CVE-2013-4238 (rhbz#996399) + +* Fri Jul 26 2013 Dennis Gilmore - 3.3.2-5 +- fix up indentation in arm patch + +* Fri Jul 26 2013 Dennis Gilmore - 3.3.2-4 +- disable a test that fails on arm +- enable valgrind support on arm arches + +* Tue Jul 02 2013 Bohuslav Kabrda - 3.3.2-3 +- Fix build with libffi containing multilib wrapper for ffi.h (rhbz#979696). + +* Mon May 20 2013 Bohuslav Kabrda - 3.3.2-2 +- Add patch for CVE-2013-2099 (rhbz#963261). + +* Thu May 16 2013 Bohuslav Kabrda - 3.3.2-1 +- Updated to Python 3.3.2. +- Refreshed patches: 153 (gdb test noise) +- Dropped patches: 175 (configure -Wformat, fixed upstream), 182 (gdb +test threads) +- Synced patch numbers with python.spec. + +* Thu May 9 2013 David Malcolm - 3.3.1-4 +- fix test.test_gdb.PyBtTests.test_threads on ppc64 (patch 181; rhbz#960010) + +* Thu May 02 2013 Bohuslav Kabrda - 3.3.1-3 +- Add patch that enables building on ppc64p7 (replace the sed, so that +we get consistent with python2 spec and it's more obvious that we're doing it. + +* Wed Apr 24 2013 Bohuslav Kabrda - 3.3.1-2 +- Add fix for gdb tests failing on arm, rhbz#951802. + +* Tue Apr 09 2013 Bohuslav Kabrda - 3.3.1-1 +- Updated to Python 3.3.1. +- Refreshed patches: 55 (systemtap), 111 (no static lib), 146 (hashlib fips), +153 (fix test_gdb noise), 157 (uid, gid overflow - fixed upstream, just +keeping few more downstream tests) +- Removed patches: 3 (audiotest.au made it to upstream tarball) +- Removed workaround for http://bugs.python.org/issue14774, discussed in +http://bugs.python.org/issue15298 and fixed in revision 24d52d3060e8. + +* Mon Mar 25 2013 David Malcolm - 3.3.0-10 +- fix gcc 4.8 incompatibility (rhbz#927358); regenerate autotool intermediates + +* Mon Mar 25 2013 David Malcolm - 3.3.0-9 +- renumber patches to keep them in sync with python.spec + +* Fri Mar 15 2013 Toshio Kuratomi - 3.3.0-8 +- Fix error in platform.platform() when non-ascii byte strings are decoded to + unicode (rhbz#922149) + +* Thu Mar 14 2013 Toshio Kuratomi - 3.3.0-7 +- Fix up shared library extension (rhbz#889784) + +* Thu Mar 07 2013 Karsten Hopp 3.3.0-6 +- add ppc64p7 build target, optimized for Power7 + +* Mon Mar 4 2013 David Malcolm - 3.3.0-5 +- add workaround for ENOPROTOOPT seen running selftests in Koji +(rhbz#913732) + +* Mon Mar 4 2013 David Malcolm - 3.3.0-4 +- remove config flag from /etc/rpm/macros.{python3|pybytecompile} + +* Mon Feb 11 2013 David Malcolm - 3.3.0-3 +- add aarch64 (rhbz#909783) + +* Thu Nov 29 2012 David Malcolm - 3.3.0-2 +- add BR on bluez-libs-devel (rhbz#879720) + +* Sat Sep 29 2012 David Malcolm - 3.3.0-1 +- 3.3.0rc3 -> 3.3.0; drop alphatag + +* Mon Sep 24 2012 David Malcolm - 3.3.0-0.6.rc3 +- 3.3.0rc2 -> 3.3.0rc3 + +* Mon Sep 10 2012 David Malcolm - 3.3.0-0.5.rc2 +- 3.3.0rc1 -> 3.3.0rc2; refresh patch 55 + +* Mon Aug 27 2012 David Malcolm - 3.3.0-0.4.rc1 +- 3.3.0b2 -> 3.3.0rc1; refresh patches 3, 55 + +* Mon Aug 13 2012 David Malcolm - 3.3.0-0.3.b2 +- 3.3b1 -> 3.3b2; drop upstreamed patch 152; refresh patches 3, 102, 111, +134, 153, 160; regenenerate autotools patch; rework systemtap patch to work +correctly when LANG=C (patch 55); importlib.test was moved to +test.test_importlib upstream + +* Mon Aug 13 2012 Karsten Hopp 3.3.0-0.2.b1 +- disable some failing checks on PPC* (rhbz#846849) + +* Fri Aug 3 2012 David Malcolm - 3.3.0-0.1.b1 +- 3.2 -> 3.3: https://fedoraproject.org/wiki/Features/Python_3.3 +- 3.3.0b1: refresh patches 3, 55, 102, 111, 113, 114, 134, 157; drop upstream +patch 147; regenenerate autotools patch; drop "--with-wide-unicode" from +configure (PEP 393); "plat-linux2" -> "plat-linux" (upstream issue 12326); +"bz2" -> "_bz2" and "crypt" -> "_crypt"; egg-info files are no longer shipped +for stdlib (upstream issues 10645 and 12218); email/test moved to +test/test_email; add /usr/bin/pyvenv[-3.3] and venv module (PEP 405); add +_decimal and _lzma modules; make collections modules explicit in payload again +(upstream issue 11085); add _testbuffer module to tests subpackage (added in +upstream commit 3f9b3b6f7ff0); fix test failures (patches 160 and 161); +workaround erroneously shared _sysconfigdata.py upstream issue #14774; fix +distutils.sysconfig traceback (patch 162); add BuildRequires: xz-devel (for +_lzma module); skip some tests within test_socket (patch 163) + +* Sat Jul 21 2012 Fedora Release Engineering - 3.2.3-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Fri Jul 20 2012 David Malcolm - 3.3.0-0.1.b1 + +* Fri Jun 22 2012 David Malcolm - 3.2.3-10 +- use macro for power64 (rhbz#834653) + +* Mon Jun 18 2012 David Malcolm - 3.2.3-9 +- fix missing include in uid/gid handling patch (patch 157; rhbz#830405) + +* Wed May 30 2012 Bohuslav Kabrda - 3.2.3-8 +- fix tapset for debug build + +* Tue May 15 2012 David Malcolm - 3.2.3-7 +- update uid/gid handling to avoid int overflows seen with uid/gid +values >= 2^31 on 32-bit architectures (patch 157; rhbz#697470) + +* Fri May 4 2012 David Malcolm - 3.2.3-6 +- renumber autotools patch from 300 to 5000 +- specfile cleanups + +* Mon Apr 30 2012 David Malcolm - 3.2.3-5 +- fix test_gdb.py (patch 156; rhbz#817072) + +* Fri Apr 20 2012 David Malcolm - 3.2.3-4 +- avoid allocating thunks in ctypes unless absolutely necessary, to avoid +generating SELinux denials on "import ctypes" and "import uuid" when embedding +Python within httpd (patch 155; rhbz#814391) + +* Fri Apr 20 2012 David Malcolm - 3.2.3-3 +- add explicit version requirements on expat to avoid linkage problems with +XML_SetHashSalt + +* Thu Apr 12 2012 David Malcolm - 3.2.3-2 +- fix test_gdb (patch 153) + +* Wed Apr 11 2012 David Malcolm - 3.2.3-1 +- 3.2.3; refresh patch 102 (lib64); drop upstream patches 148 (gdbm magic +values), 149 (__pycache__ fix); add patch 152 (test_gdb regex) + +* Thu Feb 9 2012 Thomas Spura - 3.2.2-13 +- use newly installed python for byte compiling (now for real) + +* Sun Feb 5 2012 Thomas Spura - 3.2.2-12 +- use newly installed python for byte compiling (#787498) + +* Wed Jan 4 2012 Ville Skyttä - 3.2.2-11 +- Build with $RPM_LD_FLAGS (#756863). +- Use xz-compressed source tarball. + +* Wed Dec 07 2011 Karsten Hopp 3.2.2-10 +- disable rAssertAlmostEqual in test_cmath on PPC (#750811) + +* Mon Oct 17 2011 Rex Dieter - 3.2.2-9 +- python3-devel missing autogenerated pkgconfig() provides (#746751) + +* Mon Oct 10 2011 David Malcolm - 3.2.2-8 +- cherrypick fix for distutils not using __pycache__ when byte-compiling +files (rhbz#722578) + +* Fri Sep 30 2011 David Malcolm - 3.2.2-7 +- re-enable gdbm (patch 148; rhbz#742242) + +* Fri Sep 16 2011 David Malcolm - 3.2.2-6 +- add a sys._debugmallocstats() function (patch 147) + +* Wed Sep 14 2011 David Malcolm - 3.2.2-5 +- support OpenSSL FIPS mode in _hashlib and hashlib; don't build the _md5 and +_sha* modules, relying on _hashlib in hashlib (rhbz#563986; patch 146) + +* Tue Sep 13 2011 David Malcolm - 3.2.2-4 +- disable gdbm module to prepare for gdbm soname bump + +* Mon Sep 12 2011 David Malcolm - 3.2.2-3 +- renumber and rename patches for consistency with python.spec (8 to 55, 106 +to 104, 6 to 111, 104 to 113, 105 to 114, 125, 131, 130 to 143) + +* Sat Sep 10 2011 David Malcolm - 3.2.2-2 +- rewrite of "check", introducing downstream-only hooks for skipping specific +cases in an rpmbuild (patch 132), and fixing/skipping failing tests in a more +fine-grained manner than before; (patches 106, 133-142 sparsely, moving +patches for consistency with python.spec: 128 to 134, 126 to 135, 127 to 141) + +* Tue Sep 6 2011 David Malcolm - 3.2.2-1 +- 3.2.2 + +* Thu Sep 1 2011 David Malcolm - 3.2.1-7 +- run selftests with "--verbose" +- disable parts of test_io on ppc (rhbz#732998) + +* Wed Aug 31 2011 David Malcolm - 3.2.1-6 +- use "--findleaks --verbose3" when running test suite + +* Tue Aug 23 2011 David Malcolm - 3.2.1-5 +- re-enable and fix the --with-tsc option on ppc64, and rework it on 32-bit +ppc to avoid aliasing violations (patch 130; rhbz#698726) + +* Tue Aug 23 2011 David Malcolm - 3.2.1-4 +- don't use --with-tsc on ppc64 debug builds (rhbz#698726) + +* Thu Aug 18 2011 David Malcolm - 3.2.1-3 +- add %%python3_version to the rpm macros (rhbz#719082) + +* Mon Jul 11 2011 Dennis Gilmore - 3.2.1-2 +- disable some tests on sparc arches + +* Mon Jul 11 2011 David Malcolm - 3.2.1-1 +- 3.2.1; refresh lib64 patch (102), subprocess unit test patch (129), disabling +of static library build (due to Modules/_testembed; patch 6), autotool +intermediates (patch 300) + +* Fri Jul 8 2011 David Malcolm - 3.2-5 +- use the gdb hooks from the upstream tarball, rather than keeping our own copy + +* Fri Jul 8 2011 David Malcolm - 3.2-4 +- don't run test_openpty and test_pty in %%check + +* Fri Jul 8 2011 David Malcolm - 3.2-3 +- cleanup of BuildRequires; add comment headings to specfile sections + +* Tue Apr 19 2011 David Malcolm - 3.2-2 +- fix the libpython.stp systemtap tapset (rhbz#697730) + +* Mon Feb 21 2011 David Malcolm - 3.2-1 +- 3.2 +- drop alphatag +- regenerate autotool patch + +* Mon Feb 14 2011 David Malcolm - 3.2-0.13.rc3 +- add a /usr/bin/python3-debug symlink within the debug subpackage + +* Mon Feb 14 2011 David Malcolm - 3.2-0.12.rc3 +- 3.2rc3 +- regenerate autotool patch + +* Wed Feb 09 2011 Fedora Release Engineering - 3.2-0.11.rc2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Mon Jan 31 2011 David Malcolm - 3.2-0.10.rc2 +- 3.2rc2 + +* Mon Jan 17 2011 David Malcolm - 3.2-0.9.rc1 +- 3.2rc1 +- rework patch 6 (static lib removal) +- remove upstreamed patch 130 (ppc debug build) +- regenerate patch 300 (autotool intermediates) +- updated packaging to reflect upstream rewrite of "Demo" (issue 7962) +- added libpython3.so and 2to3-3.2 + +* Wed Jan 5 2011 David Malcolm - 3.2-0.8.b2 +- set EXTRA_CFLAGS to our CFLAGS, rather than overriding OPT, fixing a linker +error with dynamic annotations (when configured using --with-valgrind) +- fix the ppc build of the debug configuration (patch 130; rhbz#661510) + +* Tue Jan 4 2011 David Malcolm - 3.2-0.7.b2 +- add --with-valgrind to configuration (on architectures that support this) + +* Wed Dec 29 2010 David Malcolm - 3.2-0.6.b2 +- work around test_subprocess failure seen in koji (patch 129) + +* Tue Dec 28 2010 David Malcolm - 3.2-0.5.b2 +- 3.2b2 +- rework patch 3 (removal of mimeaudio tests), patch 6 (no static libs), +patch 8 (systemtap), patch 102 (lib64) +- remove patch 4 (rendered redundant by upstream r85537), patch 103 (PEP 3149), +patch 110 (upstreamed expat fix), patch 111 (parallel build fix for grammar +fixed upstream) +- regenerate patch 300 (autotool intermediates) +- workaround COUNT_ALLOCS weakref issues in test suite (patch 126, patch 127, +patch 128) +- stop using runtest.sh in %%check (dropped by upstream), replacing with +regrtest; fixup list of failing tests +- introduce "pyshortver", "SOABI_optimized" and "SOABI_debug" macros +- rework manifests of shared libraries to use "SOABI_" macros, reflecting +PEP 3149 +- drop itertools, operator and _collections modules from the manifests as py3k +commit r84058 moved these inside libpython; json/tests moved to test/json_tests +- move turtle code into the tkinter subpackage + +* Wed Nov 17 2010 David Malcolm - 3.2-0.5.a1 +- fix sysconfig to not rely on the -devel subpackage (rhbz#653058) + +* Thu Sep 9 2010 David Malcolm - 3.2-0.4.a1 +- move most of the content of the core package to the libs subpackage, given +that the libs aren't meaningfully usable without the standard libraries + +* Wed Sep 8 2010 David Malcolm - 3.2-0.3.a1 +- Move test.support to core package (rhbz#596258) +- Add various missing __pycache__ directories to payload + +* Sun Aug 22 2010 Toshio Kuratomi - 3.2-0.2.a1 +- Add __pycache__ directory for site-packages + +* Sun Aug 22 2010 Thomas Spura - 3.2-0.1.a1 +- on 64bit "stdlib" was still "/usr/lib/python*" (modify *lib64.patch) +- make find-provides-without-python-sonames.sh 64bit aware + +* Sat Aug 21 2010 David Malcolm - 3.2-0.0.a1 +- 3.2a1; add alphatag +- rework %%files in the light of PEP 3147 (__pycache__) +- drop our configuration patch to Setup.dist (patch 0): setup.py should do a +better job of things, and the %%files explicitly lists our modules (r82746 +appears to break the old way of doing things). This leads to various modules +changing from "foomodule.so" to "foo.so". It also leads to the optimized build +dropping the _sha1, _sha256 and _sha512 modules, but these are provided by +_hashlib; _weakref becomes a builtin module; xxsubtype goes away (it's only for +testing/devel purposes) +- fixup patches 3, 4, 6, 8, 102, 103, 105, 111 for the rebase +- remove upstream patches: 7 (system expat), 106, 107, 108 (audioop reformat +plus CVE-2010-1634 and CVE-2010-2089), 109 (CVE-2008-5983) +- add machinery for rebuilding "configure" and friends, using the correct +version of autoconf (patch 300) +- patch the debug build's usage of COUNT_ALLOCS to be less verbose (patch 125) +- "modulator" was removed upstream +- drop "-b" from patch applications affecting .py files to avoid littering the +installation tree + +* Thu Aug 19 2010 Toshio Kuratomi - 3.1.2-13 +- Turn on computed-gotos. +- Fix for parallel make and graminit.c + +* Fri Jul 2 2010 David Malcolm - 3.1.2-12 +- rebuild + +* Fri Jul 2 2010 David Malcolm - 3.1.2-11 +- Fix an incompatibility between pyexpat and the system expat-2.0.1 that led to +a segfault running test_pyexpat.py (patch 110; upstream issue 9054; rhbz#610312) + +* Fri Jun 4 2010 David Malcolm - 3.1.2-10 +- ensure that the compiler is invoked with "-fwrapv" (rhbz#594819) +- reformat whitespace in audioop.c (patch 106) +- CVE-2010-1634: fix various integer overflow checks in the audioop +module (patch 107) +- CVE-2010-2089: further checks within the audioop module (patch 108) +- CVE-2008-5983: the new PySys_SetArgvEx entry point from r81399 (patch 109) + +* Thu May 27 2010 Dan Horák - 3.1.2-9 +- reading the timestamp counter is available only on some arches (see Python/ceval.c) + +* Wed May 26 2010 David Malcolm - 3.1.2-8 +- add flags for statvfs.f_flag to the constant list in posixmodule (i.e. "os") +(patch 105) + +* Tue May 25 2010 David Malcolm - 3.1.2-7 +- add configure-time support for COUNT_ALLOCS and CALL_PROFILE debug options +(patch 104); enable them and the WITH_TSC option within the debug build + +* Mon May 24 2010 David Malcolm - 3.1.2-6 +- build and install two different configurations of Python 3: debug and +standard, packaging the debug build in a new "python3-debug" subpackage +(patch 103) + +* Tue Apr 13 2010 David Malcolm - 3.1.2-5 +- exclude test_http_cookies when running selftests, due to hang seen on +http://koji.fedoraproject.org/koji/taskinfo?taskID=2088463 (cancelled after +11 hours) +- update python-gdb.py from v5 to py3k version submitted upstream + +* Wed Mar 31 2010 David Malcolm - 3.1.2-4 +- update python-gdb.py from v4 to v5 (improving performance and stability, +adding commands) + +* Thu Mar 25 2010 David Malcolm - 3.1.2-3 +- update python-gdb.py from v3 to v4 (fixing infinite recursion on reference +cycles and tracebacks on bytes 0x80-0xff in strings, adding handlers for sets +and exceptions) + +* Wed Mar 24 2010 David Malcolm - 3.1.2-2 +- refresh gdb hooks to v3 (reworking how they are packaged) + +* Sun Mar 21 2010 David Malcolm - 3.1.2-1 +- update to 3.1.2: http://www.python.org/download/releases/3.1.2/ +- drop upstreamed patch 2 (.pyc permissions handling) +- drop upstream patch 5 (fix for the test_tk and test_ttk_* selftests) +- drop upstreamed patch 200 (path-fixing script) + +* Sat Mar 20 2010 David Malcolm - 3.1.1-28 +- fix typo in libpython.stp (rhbz:575336) + +* Fri Mar 12 2010 David Malcolm - 3.1.1-27 +- add pyfuntop.stp example (source 7) +- convert usage of $$RPM_BUILD_ROOT to %%{buildroot} throughout, for +consistency with python.spec + +* Mon Feb 15 2010 Thomas Spura - 3.1.1-26 +- rebuild for new package of redhat-rpm-config (rhbz:564527) +- use 'install -p' when running 'make install' + +* Fri Feb 12 2010 David Malcolm - 3.1.1-25 +- split configure options into multiple lines for easy of editing +- add systemtap static markers (wcohen, mjw, dmalcolm; patch 8), a systemtap +tapset defining "python.function.entry" and "python.function.return" to make +the markers easy to use (dmalcolm; source 5), and an example of using the +tapset to the docs (dmalcolm; source 6) (rhbz:545179) + +* Mon Feb 8 2010 David Malcolm - 3.1.1-24 +- move the -gdb.py file from %%{_libdir}/INSTSONAME-gdb.py to +%%{_prefix}/lib/debug/%%{_libdir}/INSTSONAME.debug-gdb.py to avoid noise from +ldconfig (bug 562980), and which should also ensure it becomes part of the +debuginfo subpackage, rather than the libs subpackage +- introduce %%{py_SOVERSION} and %%{py_INSTSONAME} to reflect the upstream +configure script, and to avoid fragile scripts that try to figure this out +dynamically (e.g. for the -gdb.py change) + +* Mon Feb 8 2010 David Malcolm - 3.1.1-23 +- add gdb hooks for easier debugging (Source 4) + +* Thu Jan 28 2010 David Malcolm - 3.1.1-22 +- update python-3.1.1-config.patch to remove downstream customization of build +of pyexpat and elementtree modules +- add patch adapted from upstream (patch 7) to add support for building against +system expat; add --with-system-expat to "configure" invocation +- remove embedded copies of expat and zlib from source tree during "prep" + +* Mon Jan 25 2010 David Malcolm - 3.1.1-21 +- introduce %%{dynload_dir} macro +- explicitly list all lib-dynload files, rather than dynamically gathering the +payload into a temporary text file, so that we can be sure what we are +shipping +- introduce a macros.pybytecompile source file, to help with packaging python3 +modules (Source3; written by Toshio) +- rename "2to3-3" to "python3-2to3" to better reflect python 3 module packaging +plans + +* Mon Jan 25 2010 David Malcolm - 3.1.1-20 +- change python-3.1.1-config.patch to remove our downstream change to curses +configuration in Modules/Setup.dist, so that the curses modules are built using +setup.py with the downstream default (linking against libncursesw.so, rather +than libncurses.so), rather than within the Makefile; add a test to %%install +to verify the dso files that the curses module is linked against the correct +DSO (bug 539917; changes _cursesmodule.so -> _curses.so) + +* Fri Jan 22 2010 David Malcolm - 3.1.1-19 +- add %%py3dir macro to macros.python3 (to be used during unified python 2/3 +builds for setting up the python3 copy of the source tree) + +* Wed Jan 20 2010 David Malcolm - 3.1.1-18 +- move lib2to3 from -tools subpackage to main package (bug 556667) + +* Sun Jan 17 2010 David Malcolm - 3.1.1-17 +- patch Makefile.pre.in to avoid building static library (patch 6, bug 556092) + +* Fri Jan 15 2010 David Malcolm - 3.1.1-16 +- use the %%{_isa} macro to ensure that the python-devel dependency on python +is for the correct multilib arch (#555943) +- delete bundled copy of libffi to make sure we use the system one + +* Fri Jan 15 2010 David Malcolm - 3.1.1-15 +- fix the URLs output by pydoc so they point at python.org's 3.1 build of the +docs, rather than the 2.6 build + +* Wed Jan 13 2010 David Malcolm - 3.1.1-14 +- replace references to /usr with %%{_prefix}; replace references to +/usr/include with %%{_includedir} (Toshio) + +* Mon Jan 11 2010 David Malcolm - 3.1.1-13 +- fix permission on find-provides-without-python-sonames.sh from 775 to 755 + +* Mon Jan 11 2010 David Malcolm - 3.1.1-12 +- remove build-time requirements on tix and tk, since we already have +build-time requirements on the -devel subpackages for each of these (Thomas +Spura) +- replace usage of %%define with %%global (Thomas Spura) +- remove forcing of CC=gcc as this old workaround for bug 109268 appears to +longer be necessary +- move various test files from the "tools"/"tkinter" subpackages to the "test" +subpackage + +* Thu Jan 7 2010 David Malcolm - 3.1.1-11 +- add %%check section (thanks to Thomas Spura) +- update patch 4 to use correct shebang line +- get rid of stray patch file from buildroot + +* Tue Nov 17 2009 Andrew McNabb - 3.1.1-10 +- switched a few instances of "find |xargs" to "find -exec" for consistency. +- made the description of __os_install_post more accurate. + +* Wed Nov 4 2009 David Malcolm - 3.1.1-9 +- add macros.python3 to the -devel subpackage, containing common macros for use +when packaging python3 modules + +* Tue Nov 3 2009 David Malcolm - 3.1.1-8 +- add a provides of "python(abi)" (see bug 532118) +- fix issues identified by a.badger in package review (bug 526126, comment 39): + - use "3" thoughout metadata, rather than "3.*" + - remove conditional around "pkg-config openssl" + - use standard cleanup of RPM_BUILD_ROOT + - replace hardcoded references to /usr with _prefix macro + - stop removing egg-info files + - use /usr/bin/python3.1 rather than /use/bin/env python3.1 when fixing +up shebang lines + - stop attempting to remove no-longer-present .cvsignore files + - move the post/postun sections above the "files" sections + +* Thu Oct 29 2009 David Malcolm - 3.1.1-7 +- remove commented-away patch 51 (python-2.6-distutils_rpm.patch): the -O1 +flag is used by default in the upstream code +- "Makefile" and the config-32/64.h file are needed by distutils/sysconfig.py +_init_posix(), so we include them in the core package, along with their parent +directories (bug 531901) + +* Tue Oct 27 2009 David Malcolm - 3.1.1-6 +- reword description, based on suggestion by amcnabb +- fix the test_email and test_imp selftests (patch 3 and patch 4 respectively) +- fix the test_tk and test_ttk_* selftests (patch 5) +- fix up the specfile's handling of shebang/perms to avoid corrupting +test_httpservers.py (sed command suggested by amcnabb) + +* Thu Oct 22 2009 David Malcolm - 3.1.1-5 +- fixup importlib/_bootstrap.py so that it correctly handles being unable to +open .pyc files for writing (patch 2, upstream issue 7187) +- actually apply the rpath patch (patch 1) + +* Thu Oct 22 2009 David Malcolm - 3.1.1-4 +- update patch0's setup of the crypt module to link it against libcrypt +- update patch0 to comment "datetimemodule" back out, so that it is built +using setup.py (see Setup, option 3), thus linking it statically against +timemodule.c and thus avoiding a run-time "undefined symbol: +_PyTime_DoubleToTimet" failure on "import datetime" + +* Wed Oct 21 2009 David Malcolm - 3.1.1-3 +- remove executable flag from various files that shouldn't have it +- fix end-of-line encodings +- fix a character encoding + +* Tue Oct 20 2009 David Malcolm - 3.1.1-2 +- disable invocation of brp-python-bytecompile in postprocessing, since +it would be with the wrong version of python (adapted from ivazquez' +python3000 specfile) +- use a custom implementation of __find_provides in order to filter out bogus +provides lines for the various .so modules +- fixup distutils/unixccompiler.py to remove standard library path from rpath +(patch 1, was Patch0 in ivazquez' python3000 specfile) +- split out libraries into a -libs subpackage +- update summaries and descriptions, basing content on ivazquez' specfile +- fixup executable permissions on .py, .xpm and .xbm files, based on work in +ivazquez's specfile +- get rid of DOS batch files +- fixup permissions for shared libraries from non-standard 555 to standard 755 +- move /usr/bin/python*-config to the -devel subpackage +- mark various directories as being documentation + +* Thu Sep 24 2009 Andrew McNabb 3.1.1-1 +- Initial package for Python 3.