Skip to content

gh-127298: When in FIPS mode ensure builtin hashes check for usedforsecurity=False #127301

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
xnox wants to merge 13 commits into
base: main
Choose a base branch
from
Open

gh-127298: When in FIPS mode ensure builtin hashes check for usedforsecurity=False #127301

Changes from 1 commit
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
21b30a1
gh-127298: When in FIPS mode ensure builtin hashes check for usedfors…
xnox Nov 26, 2024
42b912a
use != 0 rather than == 1 and update a comment.
gpshead Nov 27, 2024
ac9dc6d
Update the NEWS to reflect reality.
gpshead Nov 27, 2024
4da9f77
address _some_ correctness details in the test.
gpshead Nov 27, 2024
7a954ff
avoid repeated calls, reword comment.
gpshead Nov 27, 2024
461920d
Update 2024-11-26-16-31-40.gh-issue-127298.jqYJvn.rst
gpshead Nov 27, 2024
dabed52
avoid rerunning test in refleak hunting mode.
gpshead Nov 27, 2024
57241db
Change to spawn _test_hashlib_fips from test_hashlib with an env.
gpshead Nov 27, 2024
3910723
Use subTest to id the algorithm.
gpshead Nov 27, 2024
e8ef380
lint
gpshead Nov 27, 2024
3db1eb5
remove the no longer appropriate mention from ssltests.
gpshead Nov 27, 2024
4e5dddb
fix subTest context manager nesting.
gpshead Nov 27, 2024
fd308b4
Use null provider, which is guaranteed to have nothing
xnox Sep 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Update the NEWS to reflect reality. 
FIPS mode is an OpenSSL feature and we don't require OpenSSL. So anyone wanting to rely on this will need to ensure their build includes Modules/_hashopenssl.c as `_hashlib` linked appropriately.
  • Loading branch information
@gpshead @xnox
gpshead authored and xnox committed Sep 8, 2025
commit ac9dc6d18da3ecd35c6681ac2b9868cbf5519361
12 changes: 8 additions & 4 deletions Misc/NEWS.d/next/Library/2024-11-26-16-31-40.gh-issue-127298.jqYJvn.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,8 @@
:mod:`hashlib`'s fallback builtin hash implementations now check
usedforsecurity=False, when hashlib is in FIPS mode. This ensures that
approved-only implementations are in use on FIPS systems by default.
The builtin implemenations are made available for unapproved use only.
:mod:`hashlib`'s builtin hash implementations now check ``usedforsecurity=False``,
when the OpenSSL library default provider is in OpenSSL 3's FIPS mode. This helps
ensure that only US FIPS approved implementations are in use by default on systems
configured as such.

This is only active when :mod:`hashlib` has been built with OpenSSL implementation
support and said OpenSSL library includes the FIPS mode feature. Not all variants
do, and OpenSSL is not a *required* build time dependency of ``hashlib``.