
Author vstinner
Recipients Andrew DiPrinzio, bkabrda, cheryl.sabella, christian.heimes, cstratak, dholth, dmalcolm, doughellmann, gregory.p.smith, hroncok, icordasc, jpokorny, lukecarrier, miss-islington, pitrou, rbcollins, rpetrov, vstinner, yolanda.robla
Date 2020-04-24.14:18:41
Message-id <1587737921.32.0.960684931994.issue9216@roundup.psfhosted.org>
Content
I'm trying to understand how "portable" it is to expose OpenSSL FIPS_mode() as hashlib.get_fips_mode(), which would return a boolean (True or False).

It seems like FIPS is more complex than that. Other crypto libraries which implement FIPS have a different way to expose FIPS mode to the consumer of the API:

* NSS seems to have a different API for functions in FIPS mode: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/NSS_cryptographic_module/FIPS_mode_of_operation
* GnuTLS provides gnutls_fips140_mode_enabled() which returns an unsigned integer: "return non-zero if true or zero if false"
* Gcrypt doesn't seem to expose a function to know if FIPS is enabled or not. It also has an "Enforced FIPS" mode:

  * https://www.gnupg.org/documentation/manuals/gcrypt/Enabling-FIPS-mode.html

* Bouncy Castle has a "FIPS provider": an object should be requested in FIPS mode

See also RHEL 8 Security Hardening documentation, "Chapter 3. Using system-wide cryptographic policies":
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening

For my needs (skip tests which are not relevant in FIPS mode), it seems like keeping the function private in _hashlib.get_fips_mode() is enough.

My plan is to use it as a test.support.get_fips_mode() function which would return False if _hashlib.get_fips_mode() is missing.
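The plan described in the message, as an added example that is not CPython's own test.support code: a helper that normalizes the backend's integer FIPS flag to a plain bool, reports False when the private `_hashlib.get_fips_mode()` is missing, and a `skipIf` decorator built on it. The `FakeBackend` class is a constructed stand-in used only to exercise both branches offline.

```python
# Added illustration, not CPython's own test.support code.
import unittest


def fips_mode_from_backend(backend):
    """Return True only if *backend* exposes get_fips_mode() and it is truthy.

    A missing module (None) or a module without the function reports False,
    so callers never have to special-case builds that lack the probe.
    OpenSSL's FIPS_mode() and GnuTLS' gnutls_fips140_mode_enabled() both
    return an integer ("non-zero if true"), hence the explicit bool() coercion.
    """
    probe = getattr(backend, "get_fips_mode", None)
    if probe is None:
        return False
    return bool(probe())


def get_fips_mode():
    """Report FIPS mode for this interpreter; False if _hashlib is absent."""
    try:
        import _hashlib  # private CPython module; not present in every build
    except ImportError:
        _hashlib = None
    return fips_mode_from_backend(_hashlib)


def skip_if_fips(reason="not relevant in FIPS mode"):
    """Decorator: skip a test class or method when FIPS mode is enabled."""
    return unittest.skipIf(get_fips_mode(), reason)


class FakeBackend:
    """Constructed stand-in for _hashlib so both outcomes can be shown offline."""

    def __init__(self, value):
        self._value = value

    def get_fips_mode(self):
        return self._value


if __name__ == "__main__":
    print("FIPS mode on this interpreter:", get_fips_mode())
    print("GnuTLS-style non-zero flag ->", fips_mode_from_backend(FakeBackend(2)))
    print("backend without the probe  ->", fips_mode_from_backend(object()))
```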