Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

gh-84559: multiprocessing: detect if forkserver cannot work due to missing hmac-sha256 #127467

Draft
wants to merge 6 commits into
base: main
Choose a base branch
from

Conversation

gpshead
Copy link
Member

@gpshead gpshead commented Dec 1, 2024

Default to the spawn start method in that scenario.

Mostly I want to see if this meaningfully lets the odd configuration FIPS buildbot make further progress or not.

This PR is now stacked on top of #127492.

…to missing hmac-sha256

Default to the spawn start method in that scenario.
@gpshead
Copy link
Member Author

gpshead commented Dec 1, 2024

!buildbot FIPS

@bedevere-bot
Copy link

🤖 New build scheduled with the buildbot fleet by @gpshead for commit 7474d73 🤖

The command will test the builders whose names match following regular expression: FIPS

The builders matched are:

  • AMD64 CentOS9 FIPS Only Blake2 Builtin Hash PR
  • AMD64 RHEL8 FIPS No Builtin Hashes PR
  • AMD64 RHEL8 FIPS Only Blake2 Builtin Hash PR
  • AMD64 CentOS9 FIPS No Builtin Hashes PR

@gpshead gpshead changed the title gh-84559: multiprocessing detect of forkserver cannot work due to missing hmac-sha256 gh-84559: multiprocessing: detect if forkserver cannot work due to missing hmac-sha256 Dec 1, 2024
@gpshead
Copy link
Member Author

gpshead commented Dec 2, 2024

!buildbot FIPS

@bedevere-bot
Copy link

🤖 New build scheduled with the buildbot fleet by @gpshead for commit 740cb40 🤖

The command will test the builders whose names match following regular expression: FIPS

The builders matched are:

  • AMD64 CentOS9 FIPS Only Blake2 Builtin Hash PR
  • AMD64 RHEL8 FIPS No Builtin Hashes PR
  • AMD64 RHEL8 FIPS Only Blake2 Builtin Hash PR
  • AMD64 CentOS9 FIPS No Builtin Hashes PR

@xnox
Copy link

xnox commented Dec 10, 2024

On hosts without the hmac-sha256 algorithm available (rare)

Is this artificially created host, or something realistic? Without sha256 there would not be any realistic TLS working. And HMAC construction should also be always available.

Would it be a host with tampered/missing openssl & no built-in fallbacks? But then like nothing else is working either (hashlib, ssl)

I'm trying to understand if this is really more "support multiprocessing without openssl & without fallback crypto algorithms" as in no cryptography whats-so-ever, rather than "missing sha256" which I would have thought is a broken, and hopefully impossible, situation.

@gpshead
Copy link
Member Author

gpshead commented Dec 11, 2024

This is a with a dumb "openssl fips mode" config that blocks all ciphers, running a python also configured not to have a fallback builtin sha256 module. configure --without-builtin-hashlib-hashes, and set the OPENSSL_CONF= environment variable to point to a file like https://github.com/python/cpython/blob/905ba7f06c12f7ef9985ccaa2bf24229f759a2e1/Lib/test/hashlibdata/openssl.cnf and you can repro this kind of setup.

this is primarily a "get the test suite to work in this situation" as we have a buildbot running with that type of config to better understand odd config failure modes.

i don't expect anyone to actually run their system with such a borked config. I'm not spending a lot of time on this, but I do consider it a "nice to have" for the redistributors who make strange "fips mode" envrionments for customers. they should wind up with less pain this way. Even though it isn't how any CPython binary release we ship would ever be configured. ie, it should unblock #127298.

@gpshead
Copy link
Member Author

gpshead commented Dec 11, 2024

IIRC, anything involving a (non-fork start method?) multiprocessing Connection will fail without the relevant hmac auth algorithm. But not all multiprocessing features rely on those. I do not intend to document what does and doesn't work in this situation - we don't make any guarantees here.

@xnox
Copy link

xnox commented Dec 11, 2024

This is a with a dumb "openssl fips mode" config that blocks all ciphers, running a python also configured not to have a fallback builtin sha256 module. configure --without-builtin-hashlib-hashes, and set the OPENSSL_CONF= environment variable to point to a file like https://github.com/python/cpython/blob/905ba7f06c12f7ef9985ccaa2bf24229f759a2e1/Lib/test/hashlibdata/openssl.cnf and you can repro this kind of setup.

this is primarily a "get the test suite to work in this situation" as we have a buildbot running with that type of config to better understand odd config failure modes.

i don't expect anyone to actually run their system with such a borked config. I'm not spending a lot of time on this, but I do consider it a "nice to have" for the redistributors who make strange "fips mode" envrionments for customers. they should wind up with less pain this way. Even though it isn't how any CPython binary release we ship would ever be configured. ie, it should unblock #127298.

Ack, whilst SHA-2 is still valid for post-2035 as per https://csrc.nist.gov/pubs/ir/8547/ipd it could be the case that people move on to just SHA-3 & SHAKE, at which point SHA-2 hmac may become irrelevant in favour of KMAC-256. And these changes will make things limp along.

For pre-2035 horizon, the relevant changes that we do need from this pr is the test/ changes and the multiprocessing is nice-to-have (or borderline theoretical / making it easier to reason about by using absolutely crypto-less config AKA zero-knowledge as to what future holds).

So can this be marked not-draft? what is missing to land the testsuite changes of this PR, or even this whole PR to unblock #127298?

@xnox
Copy link

xnox commented Dec 11, 2024

Oh I see this PR is in draft, because it is based on #127492 and that one needs to land first, which indeed has the required perquisites. Ok I am catching up to all the things now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants