[3.10] gh-61460: Stronger HMAC in multiprocessing (GH-20380) #31
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bpo-17258: `multiprocessing` now supports stronger HMAC algorithms for inter-process connection authentication rather than only HMAC-MD5. Signed-off-by: Christian Heimes <[email protected]> gpshead: I Reworked to be more robust while keeping the idea. The protocol modification idea remains, but we now take advantage of the message length as an indicator of legacy vs modern protocol version. No more regular expression usage. We now default to HMAC-SHA256, but do so in a way that will be compatible when communicating with older clients or older servers. No protocol transition period is needed. More integration tests to verify these claims remain true are required. I'm unaware of anyone depending on multiprocessing connections between different Python versions. --------- (cherry picked from commit 3ed57e4) Co-authored-by: Christian Heimes <[email protected]> Signed-off-by: Christian Heimes <[email protected]> Co-authored-by: Gregory P. Smith [Google] <[email protected]>
joneshf-dd
approved these changes
Dec 18, 2024
There was a problem hiding this comment.
Seems like a pretty straight-forward cherry-pick.
(cherry picked from commit 3ed57e4)
👏 praise: Thanks for linking to the original commit! Made it easier to compare.
Thanks! I cheated and used the cpython cherry-picker tool. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
bpo-17258:
multiprocessingnow supports stronger HMAC algorithms for inter-process connection authentication rather than only HMAC-MD5.gpshead: I Reworked to be more robust while keeping the idea.
The protocol modification idea remains, but we now take advantage of the message length as an indicator of legacy vs modern protocol version. No more regular expression usage. We now default to HMAC-SHA256, but do so in a way that will be compatible when communicating with older clients or older servers. No protocol transition period is needed.
More integration tests to verify these claims remain true are required. I'm unaware of anyone depending on multiprocessing connections between different Python versions.
(cherry picked from commit 3ed57e4)