[issue46149] FIPS usedforsecurity flag is no longer functional with OpenSSL 3.0.0
Florin Spătar
report at bugs.python.org
Wed Dec 22 05:32:08 EST 2021
New submission from Florin Spătar <florin.spatar at gmail.com>:
I added christian.heimes to the nosy list; I hope that's OK
usedforsecurity flag is based on setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag. However this flag has no effect in OpenSSL 3.0.0.
[root at lambada ~]# /opt/opsware/bin/python3
Python 3.10.0 (default, Dec 8 2021, 17:05:23) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)] on linux-x86_64
Type "help", "copyright", "credits" or "license" for more information.
>>> import _hashlib
>>> _hashlib.get_fips_mode()
1
>>> import hashlib
>>> hashlib.md5(b'ceva', usedforsecurity=False).hexdigest()
'970c7956028654ac329b12c10b112058'
>>> hashlib.md5(b'ceva', usedforsecurity=True).hexdigest()
'970c7956028654ac329b12c10b112058'
The last call, when usedforsecurity is True, should fail because MD5 is not allowed in FIPS mode.
I will add a GitHub pull request for this issue.
----------
assignee: christian.heimes
components: SSL
messages: 409017
nosy: christian.heimes, florinspatar
priority: normal
severity: normal
status: open
title: FIPS usedforsecurity flag is no longer functional with OpenSSL 3.0.0
type: behavior
versions: Python 3.10
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue46149>
_______________________________________
More information about the Python-bugs-list
mailing list