STINNER Victor <vstin...@python.org> added the comment:

I'm trying to understand how "portable" it is to expose OpenSSL FIPS_mode() as 
hashlib.get_fips_mode() which would return a boolean (True or False).

It seems like FIPS is more complex than that. Other crypto libraries which 
implement FIPS have a different way to expose FIPS mode to the consumer of the 
API:

* NSS seems to have a different API for functions in FIPS mode: 
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/NSS_cryptographic_module/FIPS_mode_of_operation
* GnuTLS provides gnutls_fips140_mode_enabled() which returns an unsigned 
integer: "return non-zero if true or zero if false"
* Gcrypt doesn't seem to expose a function to know if FIPS is enabled or not. 
It also has an "Enforced FIPS" mode:

  * https://www.gnupg.org/documentation/manuals/gcrypt/Enabling-FIPS-mode.html

* Bouncy Castle has a "FIPS provider": an object should be requested in FIPS 
mode

See also RHEL 8 Security Hardening documentation, "Chapter 3. Using system-wide 
cryptographic policies":
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening

For my needs (skip tests which are not relevant in FIPS mode), it seems like 
keeping the function private in _hashlib.get_fips_mode() is enough.

My plan is to use it as a test.support.get_fips_mode() function which would 
return False if _hashlib.get_fips_mode() is missing.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue9216>
_______________________________________
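A sketch of the helper proposed in this comment, added here as an example rather than CPython's own test.support code: a FIPS-mode accessor that degrades to 0 when _hashlib or its get_fips_mode() is missing, a skip decorator built on it, and an MD5 probe. The hashlib_ext parameter is an assumption added so the lookup can be exercised without an OpenSSL build.

```python
import hashlib
import unittest


def get_fips_mode(hashlib_ext=None):
    """Return OpenSSL's FIPS mode as an int, 0 when FIPS is off or unknown.

    hashlib_ext defaults to CPython's private _hashlib module; accepting
    another object here is an assumption added for testing, not part of
    the proposal in the tracker comment.
    """
    if hashlib_ext is None:
        try:
            import _hashlib as hashlib_ext  # absent without OpenSSL
        except ImportError:
            return 0
    getter = getattr(hashlib_ext, "get_fips_mode", None)
    if getter is None:  # older _hashlib without the accessor: assume not FIPS
        return 0
    return int(getter())


def skip_if_fips(reason="not relevant in FIPS mode"):
    """unittest decorator that skips a test when OpenSSL runs in FIPS mode."""
    return unittest.skipIf(get_fips_mode() != 0, reason)


def md5_available():
    """True if hashlib.md5 can be constructed; FIPS-mode OpenSSL rejects it."""
    try:
        hashlib.md5(b"abc")
    except ValueError:
        return False
    return True


class ExampleTests(unittest.TestCase):
    @skip_if_fips()
    def test_md5_digest(self):
        # Digest of the constructed input b"abc"; skipped under FIPS.
        self.assertEqual(hashlib.md5(b"abc").hexdigest(),
                         "900150983cd24fb0d6963f7d28e17f72")


if __name__ == "__main__":
    unittest.main()
```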