Skip to content

bpo-9216: Expose OpenSSL FIPS_mode() as _hashlib.get_fips_mode() #19703

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Apr 29, 2020
Merged

bpo-9216: Expose OpenSSL FIPS_mode() as _hashlib.get_fips_mode() #19703

merged 3 commits into from
Apr 29, 2020

Conversation

vstinner
Copy link
Member

@vstinner vstinner commented Apr 24, 2020
edited by miss-islington
Loading

test.pythoninfo logs OpenSSL FIPS_mode() and Linux
/proc/sys/crypto/fips_enabled in a new "fips" section.

Co-Authored-By: Petr Viktorin encukou@gmail.com

https://bugs.python.org/issue9216

Automerge-Triggered-By: @tiran

@vstinner vstinner requested a review from tiran as a code owner April 24, 2020 13:30
@vstinner
Copy link
Member Author

cc @tiran @pitrou

@vstinner
Copy link
Member Author

Original patch: stratakis@5fa9620

@encukou
Copy link
Member

encukou commented Apr 24, 2020

This should stay private, in _hashlib. It's an OpenSSL detail.

@vstinner
Copy link
Member Author

Original patch: stratakis/cpython@5fa9620

RHEL has two more patches:

  • stratakis@fa3ce51 "Skip error checking in _hashlib.get_fips_mode" which seems to be specific to RHEL OpenSSL
  • stratakis@63426a2 "Don't re-export get_fips_mode from hashlib" Well, I propose to expose it as hashlib.get_fips_mode() on purpose.

@vstinner
Copy link
Member Author

I modified my PR to return a boolean rather directly returning FIPS_mode() integer value.

@vstinner
Copy link
Member Author

It may be interesting to log /proc/sys/crypto/fips_enabled in test.pythoninfo.

@vstinner @encukou
bpo-9216: Expose OpenSSL FIPS_mode() as _hashlib.get_fips_mode()
515a0a0 
test.pythoninfo logs OpenSSL FIPS_mode() and Linux
/proc/sys/crypto/fips_enabled in a new "fips" section.

Co-Authored-By: Petr Viktorin <encukou@gmail.com>
@vstinner vstinner changed the title bpo-9216: Expose OpenSSL FIPS_mode() as hashlib.get_fips_mode() bpo-9216: Expose OpenSSL FIPS_mode() as _hashlib.get_fips_mode() Apr 24, 2020
@vstinner
Copy link
Member Author

This PR contains no documentation nor NEWS entry on purpose: _hashlib.get_fips_mode() must be private.

tiran
tiran requested changes Apr 24, 2020
View reviewed changes
@bedevere-bot
Copy link

When you're done making the requested changes, leave the comment: I have made the requested changes; please review again.

encukou
encukou reviewed Apr 24, 2020
View reviewed changes
Modules/_hashopenssl.c
// then the function will return 0 with an error code of
// CRYPTO_R_FIPS_MODE_NOT_SUPPORTED (0x0f06d065)."
// But 0 is also a valid result value.
unsigned long errcode = ERR_peek_last_error();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will fail with other libraries that don't clean the OpenSSL last_error after themselves.
(Apparently that is normal in the OpenSSL world.)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added a call to ERR_clear_error() at the function entry point: does it solve the issue that you described?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know :(
Christian might.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this will ensure that there is no error left on the error stack and the function only fails when FIPS_mode() puts an error on the error stack.

@vstinner
Copy link
Member Author

I have made the requested changes; please review again.

@bedevere-bot
Copy link

Thanks for making the requested changes!

@tiran: please review the changes made to this pull request.

@bedevere-bot bedevere-bot requested a review from tiran April 24, 2020 14:55
@vstinner
Copy link
Member Author

I added ERR_clear_error() call: @tiran, @encukou, @stratakis: Would you mind to review my updated PR? It only adds a private _hashlib.get_fips_mode() method with no documentation.

@encukou
Copy link
Member

encukou commented Apr 28, 2020

The patch looks OK: all the issues I had with the original implementation are addressed. But I don't feel qualified to review this – I could just point out what security experts pointed out to me before.

tiran
tiran approved these changes Apr 29, 2020
View reviewed changes
Modules/_hashopenssl.c
// then the function will return 0 with an error code of
// CRYPTO_R_FIPS_MODE_NOT_SUPPORTED (0x0f06d065)."
// But 0 is also a valid result value.
unsigned long errcode = ERR_peek_last_error();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this will ensure that there is no error left on the error stack and the function only fails when FIPS_mode() puts an error on the error stack.

@miss-islington miss-islington merged commit e3dfb9b into python:master Apr 29, 2020
@vstinner vstinner deleted the hashlib_get_fips_mode branch April 29, 2020 16:11
@vstinner
Copy link
Member Author

Thanks for the reviews @tiran and @encukou!

@davidmalcolm davidmalcolm mentioned this pull request Apr 25, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@encukou encukou encukou left review comments

@tiran tiran tiran approved these changes

Assignees
No one assigned
Labels
skip news
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@vstinner @encukou @bedevere-bot @tiran @the-knights-who-say-ni @miss-islington