Skip to content

gh-127298: When in FIPS mode ensure builtin hashes check for usedforsecurity=False #127301

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
xnox wants to merge 13 commits into
base: main
Choose a base branch
from
Open

gh-127298: When in FIPS mode ensure builtin hashes check for usedforsecurity=False #127301

Changes from 1 commit
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
21b30a1
gh-127298: When in FIPS mode ensure builtin hashes check for usedfors…
xnox Nov 26, 2024
42b912a
use != 0 rather than == 1 and update a comment.
gpshead Nov 27, 2024
ac9dc6d
Update the NEWS to reflect reality.
gpshead Nov 27, 2024
4da9f77
address _some_ correctness details in the test.
gpshead Nov 27, 2024
7a954ff
avoid repeated calls, reword comment.
gpshead Nov 27, 2024
461920d
Update 2024-11-26-16-31-40.gh-issue-127298.jqYJvn.rst
gpshead Nov 27, 2024
dabed52
avoid rerunning test in refleak hunting mode.
gpshead Nov 27, 2024
57241db
Change to spawn _test_hashlib_fips from test_hashlib with an env.
gpshead Nov 27, 2024
3910723
Use subTest to id the algorithm.
gpshead Nov 27, 2024
e8ef380
lint
gpshead Nov 27, 2024
3db1eb5
remove the no longer appropriate mention from ssltests.
gpshead Nov 27, 2024
4e5dddb
fix subTest context manager nesting.
gpshead Nov 27, 2024
fd308b4
Use null provider, which is guaranteed to have nothing
xnox Sep 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
avoid repeated calls, reword comment.
  • Loading branch information
@gpshead @xnox
gpshead authored and xnox committed Sep 8, 2025
commit 7a954ff0b5b87a65c19bab6c30bcc9c7544972d5
15 changes: 10 additions & 5 deletions Lib/hashlib.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -86,12 +86,12 @@ def __usedforsecurity_check(md, name, *args, **kwargs):
raise ValueError(name + " is blocked when usedforsecurity=True")
return md(*args, **kwargs)

# If _hashlib is in FIPS mode, use the above wrapper to ensure builtin
# implementation checks usedforsecurity kwarg. It means all builtin
# implementations are treated as an unapproved implementation, as they
# are unlikely to have been certified by NIST.
# If the _hashlib OpenSSL wrapper is in FIPS mode, wrap other implementations
# to check the usedforsecurity kwarg. All builtin implementations are treated
# as only available for useforsecurity=False purposes in the presence of such
# a configured and linked OpenSSL.
def __get_wrapped_builtin(md, name):
if _hashlib is not None and _hashlib.get_fips_mode() != 0:
if __openssl_fips_mode != 0:
from functools import partial
return partial(__usedforsecurity_check, md, name)
return md
Expand Down Expand Up @@ -209,10 +209,15 @@ def __hash_new(name, *args, **kwargs):
__get_hash = __get_openssl_constructor
algorithms_available = algorithms_available.union(
_hashlib.openssl_md_meth_names)
try:
__openssl_fips_mode = _hashlib.get_fips_mode()
except ValueError:
__openssl_fips_mode = 0
except ImportError:
_hashlib = None
new = __py_new
__get_hash = __get_builtin_constructor
__openssl_fips_mode = 0

try:
# OpenSSL's PKCS5_PBKDF2_HMAC requires OpenSSL 1.0+ with HMAC and SHA
Expand Down