Message367189
> I'm fine with a used_for_security flag and functions to get/set FIPS state. Something like hashlib.get_fips_mode() is useful for testing.
I proposed PR 19703 to expose OpenSSL FIPS_mode() as hashlib.get_fips_mode().
FIPS support was introduced in version 0.9.7 of OpenSSL and so is available in the minimum OpenSSL required to build Python 3.9.
LibreSSL doesn't have FIPS_mode() on purpose. Ted Unangst wrote: "I figured I should mention our current libressl policy wrt FIPS mode. It's gone and it's not coming back."
https://marc.info/?l=openbsd-misc&m=139819485423701&w=2
My plan is to use hashlib.get_fips_mode() to skip a few tests if FIPS mode is enabled. Simple example: test_crypt.test_methods() checks self.assertEqual(crypt.methods[-1], crypt.METHOD_CRYPT). Except that in FIPS mode, METHOD_CRYPT is not available since it's too weak (3DES if I recall correctly). I would like to skip this test in FIPS mode.
My colleague Charalampos also plans to add a FIPS enabled buildbot running RHEL8 to ensure that the Python test suite passes in FIPS mode, and detect regressions in FIPS mode.
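The skip logic described above, as an added example that is not part of the original message or of CPython's test suite: it assumes hashlib.get_fips_mode() may be absent (the proposed PR may not be in the running build, and LibreSSL never exposes FIPS_mode()), so it falls back to the Linux kernel flag /proc/sys/crypto/fips_enabled and otherwise reports "not in FIPS mode"; the hashlib_module and proc_path parameters are assumptions added so the probe can be tested without a real FIPS host.

```python
import hashlib
import unittest

# Added example, not code from the bpo-9216 thread or CPython's test suite.
# Assumption: hashlib.get_fips_mode() may be missing (PR not merged in this
# build, or a LibreSSL build), so fall back to the Linux kernel flag, and
# finally to "not in FIPS mode" (non-Linux, flag file absent).
PROC_FIPS = "/proc/sys/crypto/fips_enabled"  # Linux kernel FIPS flag


def parse_fips_flag(text):
    """The kernel flag file reads "1" (plus newline) when FIPS is enforced."""
    return text.strip() == "1"


def fips_mode_enabled(hashlib_module=hashlib, proc_path=PROC_FIPS):
    """True when OpenSSL (preferred) or the kernel reports FIPS mode."""
    getter = getattr(hashlib_module, "get_fips_mode", None)
    if getter is not None:
        return bool(getter())          # OpenSSL FIPS_mode() via hashlib
    try:
        with open(proc_path, encoding="ascii") as f:
            return parse_fips_flag(f.read())
    except OSError:                    # not Linux, or flag file absent
        return False


def skip_if_fips(reason="not available in FIPS mode", **probe):
    """unittest decorator: skip the test when FIPS mode is enabled.

    ``probe`` is forwarded to fips_mode_enabled() so a test run can inject
    a fake hashlib module or an alternative flag path.
    """
    return unittest.skipIf(fips_mode_enabled(**probe), reason)


class CryptMethodsDemo(unittest.TestCase):
    # Mirrors the test_crypt.test_methods() situation: the weakest crypt
    # method is absent under FIPS, so the assertion only holds outside
    # FIPS mode and is skipped there instead of failing.
    @skip_if_fips("crypt.METHOD_CRYPT is too weak for FIPS mode")
    def test_weakest_method_is_last(self):
        methods = ["SHA512", "SHA256", "MD5", "CRYPT"]  # constructed sample
        self.assertEqual(methods[-1], "CRYPT")


if __name__ == "__main__":
    unittest.main()
```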
Date | User | Action | Args
2020-04-24 13:41:14 | vstinner | set | recipients: + vstinner, gregory.p.smith, pitrou, christian.heimes, rbcollins, rpetrov, doughellmann, dmalcolm, dholth, jpokorny, bkabrda, lukecarrier, icordasc, cstratak, yolanda.robla, hroncok, cheryl.sabella, Andrew DiPrinzio, miss-islington
2020-04-24 13:41:14 | vstinner | set | messageid: <1587735674.26.0.337618244468.issue9216@roundup.psfhosted.org>
2020-04-24 13:41:14 | vstinner | link | issue9216 messages
2020-04-24 13:41:14 | vstinner | create |