Skip to content

[3.10] gh-61460: Stronger HMAC in multiprocessing (GH-20380) #31

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Dec 18, 2024
Merged

[3.10] gh-61460: Stronger HMAC in multiprocessing (GH-20380) #31

merged 1 commit into from
Dec 18, 2024

Conversation

@csabella
Copy link

bpo-17258: multiprocessing now supports stronger HMAC algorithms for inter-process connection authentication rather than only HMAC-MD5.

gpshead: I Reworked to be more robust while keeping the idea.

The protocol modification idea remains, but we now take advantage of the message length as an indicator of legacy vs modern protocol version. No more regular expression usage. We now default to HMAC-SHA256, but do so in a way that will be compatible when communicating with older clients or older servers. No protocol transition period is needed.

More integration tests to verify these claims remain true are required. I'm unaware of anyone depending on multiprocessing connections between different Python versions.

(cherry picked from commit 3ed57e4)

@tiran @gpshead @csabella
[3.10] pythongh-61460: Stronger HMAC in multiprocessing (pythonGH-20380)
42f8222 
bpo-17258:  `multiprocessing` now supports stronger HMAC algorithms for inter-process connection authentication rather than only HMAC-MD5.

Signed-off-by: Christian Heimes <christian@python.org>

gpshead: I Reworked to be more robust while keeping the idea.

The protocol modification idea remains, but we now take advantage of the
message length as an indicator of legacy vs modern protocol version.  No
more regular expression usage.  We now default to HMAC-SHA256, but do so
in a way that will be compatible when communicating with older clients
or older servers. No protocol transition period is needed.

More integration tests to verify these claims remain true are required. I'm
unaware of anyone depending on multiprocessing connections between
different Python versions.

---------

(cherry picked from commit 3ed57e4)

Co-authored-by: Christian Heimes <christian@python.org>
Signed-off-by: Christian Heimes <christian@python.org>
Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
@csabella csabella marked this pull request as ready for review December 18, 2024 18:07
joneshf-dd
joneshf-dd approved these changes Dec 18, 2024
View reviewed changes
Copy link

@joneshf-dd joneshf-dd left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems like a pretty straight-forward cherry-pick.

(cherry picked from commit 3ed57e4)

👏 praise: Thanks for linking to the original commit! Made it easier to compare.

@csabella
Copy link
Author

👏 praise: Thanks for linking to the original commit! Made it easier to compare.

Thanks! I cheated and used the cpython cherry-picker tool.

@csabella csabella merged commit a4f4627 into 3.10 Dec 18, 2024
11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@joneshf-dd joneshf-dd joneshf-dd approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@csabella @joneshf-dd @tiran