Author vstinner
Recipients Andrew DiPrinzio, bkabrda, cheryl.sabella, christian.heimes, cstratak, dholth, dmalcolm, doughellmann, gregory.p.smith, hroncok, icordasc, jpokorny, lukecarrier, miss-islington, pitrou, rbcollins, rpetrov, vstinner, yolanda.robla
Date 2020-04-24.14:35:23
Message-id <1587738924.14.0.857281379094.issue9216@roundup.psfhosted.org>
Content
Petr Viktorin and Christian Heimes convinced me that it's a bad idea to expose OpenSSL FIPS_mode() as a public hashlib.get_fips_mode() function. It is too specific to OpenSSL. For example, the FIPS_mode() result is a number which is specific to OpenSSL. Other crypto libraries are likely to use different values.

Moreover, as I wrote in my previous message, other crypto libraries expose the FIPS mode differently. It may not just be a global FIPS mode.

Finally, there are different FIPS modes. For example, Gcrypt has an "Enforced FIPS" mode.

So I modified PR 19703 to only expose FIPS_mode() as a private _hashlib.get_fips_mode() function. Well, as done in RHEL in fact ;-)