STINNER Victor <vstin...@python.org> added the comment:

> I'm fine with a used_for_security flag and functions to get/set FIPS state. 
> Something like hashlib.get_fips_mode() is useful for testing.

I proposed PR 19703 to expose OpenSSL FIPS_mode() as hashlib.get_fips_mode().

FIPS support was introduced in version 0.9.7 of OpenSSL and so is available in 
the minimum OpenSSL required to build Python 3.9.

LibreSSL doesn't have FIPS_mode() on purpose. Ted Unangst wrote: "I figured I 
should mention our current libressl policy wrt FIPS mode.  It's gone and it's 
not coming back."
https://marc.info/?l=openbsd-misc&m=139819485423701&w=2

My plan is to use hashlib.get_fips_mode() to skip a few tests if FIPS mode 
is enabled. Simple example: test_crypt.test_methods() checks that 
self.assertEqual(crypt.methods[-1], crypt.METHOD_CRYPT). Except that in FIPS 
mode, METHOD_CRYPT is not available since it's too weak (3DES if I recall 
correctly). I would like to skip this test in FIPS mode.

My colleague Chalampos also plans to add a FIPS-enabled buildbot running RHEL8 
to ensure that the Python test suite passes in FIPS mode, and to detect 
regressions in FIPS mode.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue9216>
_______________________________________
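An added example (not code from the tracker comment or from CPython itself) showing the skip pattern described above: a `fips_mode_enabled()` helper that calls the `hashlib.get_fips_mode()` accessor proposed in PR 19703 when it exists and otherwise assumes FIPS mode is off (the LibreSSL case, which has no `FIPS_mode()`), plus a decorator that skips a test in FIPS mode. MD5 stands in for the `crypt.METHOD_CRYPT` case because the `crypt` module is not available in every interpreter; the `_FORCED_FIPS_STATE` hook and `run_suite()` are assumptions added so the skip logic can be exercised on a non-FIPS machine.

```python
import functools
import hashlib
import io
import unittest

# Test hook (assumption, not part of hashlib): None = ask the interpreter,
# True/False = pretend FIPS mode is on/off so the skip logic can be exercised.
_FORCED_FIPS_STATE = None


def fips_mode_enabled():
    """Return True when OpenSSL FIPS mode is reported as enabled.

    hashlib.get_fips_mode() is the accessor proposed in PR 19703; it is an
    assumption here. Builds without it (older Pythons, LibreSSL, which
    dropped FIPS_mode()) are treated as non-FIPS.
    """
    if _FORCED_FIPS_STATE is not None:
        return _FORCED_FIPS_STATE
    getter = getattr(hashlib, "get_fips_mode", None)
    if getter is None:
        return False
    return bool(getter())


def skip_in_fips_mode(reason):
    """Decorator: skip the test when FIPS mode is on, checked at call time
    so the decision reflects the interpreter state when the test runs."""
    def decorator(test_func):
        @functools.wraps(test_func)
        def wrapper(self, *args, **kwargs):
            if fips_mode_enabled():
                raise unittest.SkipTest(reason)
            return test_func(self, *args, **kwargs)
        return wrapper
    return decorator


class DigestTests(unittest.TestCase):
    @skip_in_fips_mode("MD5 is not a FIPS-approved algorithm")
    def test_md5(self):
        # MD5 of the empty string, from RFC 1321.
        self.assertEqual(hashlib.md5(b"").hexdigest(),
                         "d41d8cd98f00b204e9800998ecf8427e")

    def test_sha256(self):
        # SHA-256("abc"), a FIPS-approved digest that must work either way.
        self.assertEqual(
            hashlib.sha256(b"abc").hexdigest(),
            "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")


def run_suite(force_fips=None):
    """Run DigestTests, optionally forcing the FIPS state, and return
    (tests_run, skipped, failed_or_errored) for inspection."""
    global _FORCED_FIPS_STATE
    _FORCED_FIPS_STATE = force_fips
    try:
        suite = unittest.defaultTestLoader.loadTestsFromTestCase(DigestTests)
        result = unittest.TextTestRunner(stream=io.StringIO(),
                                         verbosity=0).run(suite)
    finally:
        _FORCED_FIPS_STATE = None
    return (result.testsRun, len(result.skipped),
            len(result.failures) + len(result.errors))


if __name__ == "__main__":
    print("real state:", run_suite())
    print("forced FIPS:", run_suite(force_fips=True))
```

Checking at call time rather than at class-definition time (as `unittest.skipIf` would) matters for a buildbot that toggles FIPS mode per run: the decision is made when the test executes, not when the module is imported.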