Message 367189 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	vstinner
Recipients	Andrew DiPrinzio, bkabrda, cheryl.sabella, christian.heimes, cstratak, dholth, dmalcolm, doughellmann, gregory.p.smith, hroncok, icordasc, jpokorny, lukecarrier, miss-islington, pitrou, rbcollins, rpetrov, vstinner, yolanda.robla
Date	2020-04-24.13:41:14
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1587735674.26.0.337618244468.issue9216@roundup.psfhosted.org>
In-reply-to

Content
> I'm fine with a used_for_security flag and functions to get/set FIPS state. Something like hashlib.get_fips_mode() is useful for testing. I proposed PR 19703 to expose OpenSSL FIPS_mode() as hashlib.get_fips_mode(). FIPS support was introduced in version 0.9.7 of OpenSSL and so is available in the minimum OpenSSL required to build Python 3.9. LibreSSL doesn't have FIPS_mode() on purpose. Ted Unangst wrote: "I figured I should mention our current libressl policy wrt FIPS mode. It's gone and it's not coming back." https://marc.info/?l=openbsd-misc&m=139819485423701&w=2 My plan is to use hashlib.get_fips_mode() to skip a few tests if the FIPS mode is enabled. Simple example: test_crypt.test_methods() checks that self.assertEqual(crypt.methods[-1], crypt.METHOD_CRYPT). Except that in FIPS mode, METHOD_CRYPT is not available since it's too weak (3DES if I recall correctly). I would like to skip this test in FIPS mode. My colleague Chalampos also plans to add a FIPS enabled buildbot running RHEL8 to ensure that the Python test suite pass in FIPS mode, and detect regressions in FIPS mode.

> I'm fine with a used_for_security flag and functions to get/set FIPS state. Something like hashlib.get_fips_mode() is useful for testing.

I proposed PR 19703 to expose OpenSSL FIPS_mode() as hashlib.get_fips_mode().

FIPS support was introduced in version 0.9.7 of OpenSSL and so is available in the minimum OpenSSL required to build Python 3.9.

LibreSSL doesn't have FIPS_mode() on purpose. Ted Unangst wrote: "I figured I should mention our current libressl policy wrt FIPS mode.  It's gone and it's not coming back."
https://marc.info/?l=openbsd-misc&m=139819485423701&w=2

My plan is to use hashlib.get_fips_mode() to skip a few tests if the FIPS mode is enabled. Simple example: test_crypt.test_methods() checks that self.assertEqual(crypt.methods[-1], crypt.METHOD_CRYPT). Except that in FIPS mode, METHOD_CRYPT is not available since it's too weak (3DES if I recall correctly). I would like to skip this test in FIPS mode.

My colleague Chalampos also plans to add a FIPS enabled buildbot running RHEL8 to ensure that the Python test suite pass in FIPS mode, and detect regressions in FIPS mode.

History
Date	User	Action	Args
2020-04-24 13:41:14	vstinner	set	recipients: + vstinner, gregory.p.smith, pitrou, christian.heimes, rbcollins, rpetrov, doughellmann, dmalcolm, dholth, jpokorny, bkabrda, lukecarrier, icordasc, cstratak, yolanda.robla, hroncok, cheryl.sabella, Andrew DiPrinzio, miss-islington
2020-04-24 13:41:14	vstinner	set	messageid: <1587735674.26.0.337618244468.issue9216@roundup.psfhosted.org>
2020-04-24 13:41:14	vstinner	link	issue9216 messages
2020-04-24 13:41:14	vstinner	create