This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author florinspatar
Recipients christian.heimes, florinspatar
Date 2021-12-22.10:32:07
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1640169128.02.0.712227783585.issue46149@roundup.psfhosted.org>
In-reply-to
Content 
I added christian.heimes to the nosy list; I hope that's OK

usedforsecurity flag is based on setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag. However this flag has no effect in OpenSSL 3.0.0.

    [root@lambada ~]# /opt/opsware/bin/python3
    Python 3.10.0 (default, Dec  8 2021, 17:05:23) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)] on linux-x86_64
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import _hashlib                                        
    >>> _hashlib.get_fips_mode()                               
    1
    >>> import hashlib
    >>> hashlib.md5(b'ceva', usedforsecurity=False).hexdigest()
    '970c7956028654ac329b12c10b112058'
    >>> hashlib.md5(b'ceva', usedforsecurity=True).hexdigest()
    '970c7956028654ac329b12c10b112058'

The last call, when usedforsecurity is True, should fail because MD5 is not allowed in FIPS mode.

I will add a GitHub pull request for this issue.
History
Date User Action Args
2021-12-22 10:32:08florinspatarsetrecipients: + florinspatar, christian.heimes
2021-12-22 10:32:08florinspatarsetmessageid: <1640169128.02.0.712227783585.issue46149@roundup.psfhosted.org>
2021-12-22 10:32:07florinspatarlinkissue46149 messages
2021-12-22 10:32:07florinspatarcreate