Hi, (2nd attempt, first mail didn't make it)
I have a bunch of tickets with security-related improvements or features for Python 3.6. Most of the tickets come with patches and tests. Some of the patches might be outdated or conflict with tip. I have branches on my private GitHub fork for all patches.

Please review the patches and decide which features you would like to include in future releases.

Make ssl module compatible with OpenSSL 1.1.0
---------------------------------------------

http://bugs.python.org/issue26470
https://github.com/tiran/cpython/commits/feature/openssl110
https://github.com/tiran/cpython/commits/feature/openssl110_27

OpenSSL 1.1.0 changes several APIs, e.g. it makes structs opaque. The ticket has patches for 2.7 and 3.x series. It should be applied to all Python versions that are open for security patches.

Add ChaCha20 Poly1305 to SSL ciphers
------------------------------------

http://bugs.python.org/issue27766
https://github.com/tiran/cpython/commits/feature/chacha20

The ticket changes the default cipher list and moves ChaCha20 Poly1305 up front. For now the patch only makes sense with OpenSSL 1.1.0 since 1.0.2 does not include the cipher. I expect to see backports, though. It should be applied to all Python versions, too.

ssl: add public API for IA-32 processor capabilities vector
-----------------------------------------------------------

http://bugs.python.org/issue27768

This ticket doesn't have a patch yet. I'm going to move code from ticket 27766 to a separate ticket. Alex and Cory have requested to make the API public.

Add AF_ALG (Linux Kernel crypto) to socket module
-------------------------------------------------

http://bugs.python.org/issue27744
https://github.com/tiran/cpython/commits/feature/af_alg

AF_ALG is a Linux-only socket to interface with Kernel space crypto. It's limited but has a couple of really useful properties, e.g. zero-copy hashing of files with sendfile() or storing key material securely in Kernel memory.

Add BLAKE2 to hashlib
---------------------

http://bugs.python.org/issue26798
https://github.com/tiran/cpython/commits/feature/blake2

BLAKE2 is a fast and powerful hash algorithm. It's as secure as the SHA-2 family, faster than MD5 and has built-in features like MAC support, variable output length, salting and personalization. Donald uses BLAKE2 for PyPI. The patch was refused on python-dev because it introduces too much new code.

Add SHA-3 and SHAKE (Keccak) support
------------------------------------

http://bugs.python.org/issue16113
https://github.com/tiran/cpython/commits/feature/sha3

SHA-3 is the successor of SHA-2. Like BLAKE2 the patch was refused on python-dev because it introduces too much new code.

Add truncated SHA512/224 and SHA512/256
---------------------------------------

http://bugs.python.org/issue26834
https://github.com/tiran/cpython/commits/feature/sha512truncated

Truncated SHA512/224 and SHA512/256 use the SHA512 algorithm instead of the SHA256 algorithm. Like SHA384 it's SHA512 with a different init vector and truncated output.

Christian
_______________________________________________
Security-SIG mailing list
Security-SIG@python.org
https://mail.python.org/mailman/listinfo/security-sig
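Added example (not part of the original mail and not code from the linked patches): the "SHA512 with a different init vector and truncated output" description of SHA512/256 from the last ticket above, carried through in pure Python. The function and constant names are hypothetical; the IV derivation follows FIPS 180-4 section 5.3.6, and hashlib is used only as a reference to check the core against SHA-512 and SHA-384.

```python
import hashlib
import struct

MASK = (1 << 64) - 1

def _iroot(n, k):
    """Floor of the k-th root of n (exact integer binary search)."""
    lo, hi = 0, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** k <= n else (lo, mid - 1)
    return lo

# FIPS 180-4 constants, derived rather than pasted: the first 64 fractional
# bits of the cube roots (K) and square roots (IVs) of consecutive primes.
PRIMES = [p for p in range(2, 410) if all(p % q for q in range(2, p))]
K = [_iroot(p << 192, 3) & MASK for p in PRIMES]
IV_SHA512 = [_iroot(p << 128, 2) & MASK for p in PRIMES[:8]]
IV_SHA384 = [_iroot(p << 128, 2) & MASK for p in PRIMES[8:16]]

def _rotr(x, r):
    return ((x >> r) | (x << (64 - r))) & MASK

def sha512_core(msg, iv, out_len):
    """SHA-512 compression with a caller-supplied IV and output truncation."""
    msg += b"\x80" + bytes((111 - len(msg)) % 128) + (len(msg) * 8).to_bytes(16, "big")
    h = list(iv)
    for off in range(0, len(msg), 128):
        w = list(struct.unpack(">16Q", msg[off:off + 128]))
        for i in range(16, 80):  # message schedule
            x, y = w[i - 15], w[i - 2]
            s0 = _rotr(x, 1) ^ _rotr(x, 8) ^ (x >> 7)
            s1 = _rotr(y, 19) ^ _rotr(y, 61) ^ (y >> 6)
            w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
        a, b, c, d, e, f, g, hh = h
        for i in range(80):  # 80 rounds
            t1 = hh + (_rotr(e, 14) ^ _rotr(e, 18) ^ _rotr(e, 41)) + ((e & f) ^ (~e & g)) + K[i] + w[i]
            t2 = (_rotr(a, 28) ^ _rotr(a, 34) ^ _rotr(a, 39)) + ((a & b) ^ (a & c) ^ (b & c))
            a, b, c, d, e, f, g, hh = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
        h = [(u + v) & MASK for u, v in zip(h, (a, b, c, d, e, f, g, hh))]
    return b"".join(u.to_bytes(8, "big") for u in h)[:out_len]

def iv_sha512_t(t):
    """FIPS 180-4 sec. 5.3.6: hash the name "SHA-512/t" under a masked SHA-512 IV."""
    seed = [u ^ 0xA5A5A5A5A5A5A5A5 for u in IV_SHA512]
    return list(struct.unpack(">8Q", sha512_core(b"SHA-512/%d" % t, seed, 64)))

def sha512_256(msg):
    return sha512_core(msg, iv_sha512_t(256), 32)
```

Because the IV differs, sha512_256(m) is not the first 32 bytes of SHA-512(m), so digests produced by naive truncation will not verify against a real SHA512/256 implementation.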