René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Ensure builtin hashlib implementations honor usedforsecurity=True when _hashlib is in FIPS mode","articleBody":"# Feature or enhancement\n\n### Proposal:\n\nWhen OpenSSL is not available, or is not in FIPS mode:\n- no change of behaviour\n\nWhen OpenSSL is available and is in FIPS mode:\n- ensure that only OpenSSL implementations are used when usedforsecurity=True\n- ensure that all built-in (fallback) implementations require usedforsecurity=False\n\nThis addresses all needs of FIPS users that expect approved only cryptography from hashlib by default.\nIt satisfies Python guarantees of always available algorithms, as built-in fallbacks remain accessible with an explicit consent from the user that unapproved (an FIPS/ISO term) implementation is acceptable to the user.\n\nIn FIPS mode it means that all users can gain access to blake2/shake/md5, even when these algorithms are either blocked or unavailable from the runtime OpenSSL in FIPS mode. As long as usedforsecurity=False is used.\n\nThis also removes need to recompile or configure python somehow different for a non-fips \u0026 fips build, specifically one can safely compile python with all with-builtin-hashlib-hashes enabled.\n\nDiagrams and full details of the current state of hashlib; and FIPS user desires are documented in this issue is opened as a reference for potential implementations to resolve all needs and desires listed there.\n\nThis issue will be used as a reference for potential implementations.\n\n### Has this already been discussed elsewhere?\n\nI have already discussed this feature proposal on Discourse\n\n### Links to previous discussion of this feature:\n\nDiscuss:\n- https://discuss.python.org/t/python-and-openssl-fips-mode/51389/12 \n\n(note there are some off-topic messages there)\n\n\u003c!-- gh-linked-prs --\u003e\n### Linked PRs\n* gh-127301\n* gh-127492\n\u003c!-- /gh-linked-prs --\u003e\n","author":{"url":"https://github.com/xnox","@type":"Person","name":"xnox"},"datePublished":"2024-11-26T15:13:42.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":3},"url":"https://github.com/127298/cpython/issues/127298"}