[issue9216] FIPS support for hashlib
STINNER Victor
report at bugs.python.org
Fri Apr 24 10:35:24 EDT 2020
STINNER Victor <vstinner at python.org> added the comment:
Petr Viktorin and Christian Heimes convinced me that it's a bad idea to expose OpenSSL FIPS_mode() as a public hashlib.get_fips_mode() function. It is too specific to OpenSSL. For example, FIPS_mode() result is a number which is specific to OpenSSL. Other crypto libraries are likely to use different values.
Moreover, as I wrote in my previous message, other crypto libraries expose the FIPS mode differently. It may not just be a global FIPS mode.
Finally, there are different FIPS modes. For example, Gcrypt has an "Enforced FIPS" mode.
So I modified PR 19703 to only expose FIPS_mode() as a private _hashlib.get_fips_mode() function. Well, as done in RHEL in fact ;-)
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue9216>
_______________________________________
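An added example, not part of the original message or of CPython: one way for calling code to consume the private `_hashlib.get_fips_mode()` while respecting the points raised above (the function may be absent, and its number is OpenSSL-specific). The names `FipsState`, `fips_state` and `require_fips` are hypothetical, and the stand-in backends are constructed for the demonstration.

```python
import enum
from types import SimpleNamespace


class FipsState(enum.Enum):
    ENABLED = "enabled"
    DISABLED = "disabled"
    UNKNOWN = "unknown"


def fips_state(backend=None):
    """Map the backend's raw FIPS value to a tri-state answer.

    `backend` is any object with a get_fips_mode() callable; by default the
    private CPython module _hashlib is tried.
    """
    if backend is None:
        try:
            import _hashlib as backend  # private module, may be missing
        except ImportError:
            return FipsState.UNKNOWN
    getter = getattr(backend, "get_fips_mode", None)
    if getter is None:            # function not exposed by this build
        return FipsState.UNKNOWN
    try:
        raw = getter()
    except Exception:             # a failing probe tells us nothing
        return FipsState.UNKNOWN
    # The number is OpenSSL-specific: interpret only zero vs non-zero.
    return FipsState.ENABLED if raw else FipsState.DISABLED


def require_fips(backend=None):
    """Fail closed: raise unless FIPS mode is positively confirmed."""
    state = fips_state(backend)
    if state is not FipsState.ENABLED:
        raise RuntimeError(f"FIPS mode not confirmed (state: {state.value})")
    return state


if __name__ == "__main__":
    # Constructed stand-ins for a backend, used only for demonstration.
    on = SimpleNamespace(get_fips_mode=lambda: 1)
    off = SimpleNamespace(get_fips_mode=lambda: 0)
    print(fips_state(on), fips_state(off), fips_state(object()))
    print("this interpreter:", fips_state())
```

Because the function is private, `UNKNOWN` is a normal outcome on builds that do not expose it, which is why `require_fips` treats it the same as `DISABLED`.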