Author vstinner
Recipients Andrew DiPrinzio, bkabrda, cheryl.sabella, christian.heimes, cstratak, dholth, dmalcolm, doughellmann, gregory.p.smith, hroncok, icordasc, jpokorny, lukecarrier, miss-islington, pitrou, rbcollins, rpetrov, vstinner, yolanda.robla
Date 2020-04-24.13:41:14
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1587735674.26.0.337618244468.issue9216@roundup.psfhosted.org>
In-reply-to
Content
> I'm fine with a used_for_security flag and functions to get/set FIPS state. Something like hashlib.get_fips_mode() is useful for testing.

I proposed PR 19703 to expose OpenSSL FIPS_mode() as hashlib.get_fips_mode().

FIPS support was introduced in version 0.9.7 of OpenSSL and so is available in the minimum OpenSSL required to build Python 3.9.

LibreSSL doesn't have FIPS_mode() on purpose. Ted Unangst wrote: "I figured I should mention our current libressl policy wrt FIPS mode.  It's gone and it's not coming back."
https://marc.info/?l=openbsd-misc&m=139819485423701&w=2

My plan is to use hashlib.get_fips_mode() to skip a few tests if the FIPS mode is enabled. Simple example: test_crypt.test_methods() checks that self.assertEqual(crypt.methods[-1], crypt.METHOD_CRYPT). Except that in FIPS mode, METHOD_CRYPT is not available since it's too weak (3DES if I recall correctly). I would like to skip this test in FIPS mode.

My colleague Chalampos also plans to add a FIPS enabled buildbot running RHEL8 to ensure that the Python test suite pass in FIPS mode, and detect regressions in FIPS mode.
History
Date User Action Args
2020-04-24 13:41:14vstinnersetrecipients: + vstinner, gregory.p.smith, pitrou, christian.heimes, rbcollins, rpetrov, doughellmann, dmalcolm, dholth, jpokorny, bkabrda, lukecarrier, icordasc, cstratak, yolanda.robla, hroncok, cheryl.sabella, Andrew DiPrinzio, miss-islington
2020-04-24 13:41:14vstinnersetmessageid: <1587735674.26.0.337618244468.issue9216@roundup.psfhosted.org>
2020-04-24 13:41:14vstinnerlinkissue9216 messages
2020-04-24 13:41:14vstinnercreate