Author vstinner
Recipients Andrew DiPrinzio, bkabrda, cheryl.sabella, christian.heimes, cstratak, dholth, dmalcolm, doughellmann, gregory.p.smith, hroncok, icordasc, jpokorny, lukecarrier, miss-islington, pitrou, rbcollins, rpetrov, vstinner, yolanda.robla
Date 2020-04-24.14:18:41
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
I'm trying to understand how "portable" it is to expose OpenSSL FIPS_mode() as hashlib.get_fips_mode(), which would return a boolean (True or False).

It seems like FIPS is more complex than that. Other crypto libraries which implement FIPS have a different way to expose FIPS mode to the consumer of the API:

* NSS seems to have a different API for functions in FIPS mode:
* GnuTLS provides gnutls_fips140_mode_enabled() which returns an unsigned integer: "return non-zero if true or zero if false"
* Gcrypt doesn't seem to expose a function to know if FIPS is enabled or not. It also has an "Enforced FIPS" mode:
* Bouncy Castle has a "FIPS provider": an object should be requested in FIPS mode

See also RHEL 8 Security Hardening documentation, "Chapter 3. Using system-wide cryptographic policies":

For my needs (skip tests which are not relevant in FIPS mode), it seems like keeping the function private in _hashlib.get_fips_mode() is enough.

My plan is to use it in a function which would return False if _hashlib.get_fips_mode() is missing.
History (Date / User / Action / Args):
2020-04-24 14:18:41 / vstinner / set / recipients: + vstinner, gregory.p.smith, pitrou, christian.heimes, rbcollins, rpetrov, doughellmann, dmalcolm, dholth, jpokorny, bkabrda, lukecarrier, icordasc, cstratak, yolanda.robla, hroncok, cheryl.sabella, Andrew DiPrinzio, miss-islington
2020-04-24 14:18:41 / vstinner / set / messageid: <>
2020-04-24 14:18:41 / vstinner / link / issue9216 messages
2020-04-24 14:18:41 / vstinner / create
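An added example of the plan described in the message (not vstinner's or CPython's own code): a wrapper that returns False when the private _hashlib.get_fips_mode() is missing, a unittest decorator built on it to skip tests that are not relevant in FIPS mode, and a constructed stand-in binding (fake_binding, hypothetical) used only to exercise the fallback. The `module` parameter and the `fake_binding` helper are assumptions added for testability; OpenSSL reporting FIPS mode as a non-zero integer is taken from the message.

```python
import hashlib
import types
import unittest

try:
    import _hashlib  # CPython's private OpenSSL binding; may be absent
except ImportError:  # e.g. a CPython build without OpenSSL
    _hashlib = None


def get_fips_mode(module=_hashlib):
    """Return True if the binding reports FIPS mode, False otherwise.

    `module` defaults to _hashlib and is a parameter only so a stub can be
    substituted (assumption for this example). OpenSSL returns an integer
    ("non-zero if true"), so any truthy value counts as enabled. A missing
    binding or missing function means "not in FIPS mode".
    """
    getter = getattr(module, "get_fips_mode", None)
    if getter is None:
        return False
    return bool(getter())


def skip_in_fips_mode(reason="not relevant in FIPS mode"):
    """Decorator: skip a test method or TestCase when FIPS mode is enabled."""
    return unittest.skipIf(get_fips_mode(), reason)


def fake_binding(value=None):
    """Constructed stand-in for _hashlib (hypothetical, for the test only).

    With value=None the stub lacks get_fips_mode(), mimicking an old or
    OpenSSL-less build; otherwise get_fips_mode() returns `value`.
    """
    stub = types.SimpleNamespace()
    if value is not None:
        stub.get_fips_mode = lambda: value
    return stub


class HashlibTests(unittest.TestCase):
    # MD5 is a typical digest that a FIPS-mode OpenSSL refuses to construct
    # for security use, so this test is meaningless there and gets skipped.
    @skip_in_fips_mode("MD5 is not available for security use in FIPS mode")
    def test_md5_default_digest(self):
        self.assertEqual(hashlib.md5(b"abc").hexdigest(),
                         "900150983cd24fb0d6963f7d28e17f72")


if __name__ == "__main__":
    unittest.main()
```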