New submission from Florin Spătar <[email protected]>:
I added christian.heimes to the nosy list; I hope that's OK
usedforsecurity flag is based on setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
flag. However this flag has no effect in OpenSSL 3.0.0.
[root@lambada ~]# /opt/opsware/bin/python3
Python 3.10.0 (default, Dec 8 2021, 17:05:23) [GCC 4.8.5 20150623 (Red Hat
4.8.5-39)] on linux-x86_64
Type "help", "copyright", "credits" or "license" for more information.
>>> import _hashlib
>>> _hashlib.get_fips_mode()
1
>>> import hashlib
>>> hashlib.md5(b'ceva', usedforsecurity=False).hexdigest()
'970c7956028654ac329b12c10b112058'
>>> hashlib.md5(b'ceva', usedforsecurity=True).hexdigest()
'970c7956028654ac329b12c10b112058'
The last call, when usedforsecurity is True, should fail because MD5 is not
allowed in FIPS mode.
I will add a GitHub pull request for this issue.
----------
assignee: christian.heimes
components: SSL
messages: 409017
nosy: christian.heimes, florinspatar
priority: normal
severity: normal
status: open
title: FIPS usedforsecurity flag is no longer functional with OpenSSL 3.0.0
type: behavior
versions: Python 3.10
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue46149>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
