Description
Feature or enhancement
Proposal:
When OpenSSL is not available, or is not in FIPS mode:
- no change of behaviour
When OpenSSL is available and is in FIPS mode:
- ensure that only OpenSSL implementations are used when usedforsecurity=True
- ensure that all built-in (fallback) implementations require usedforsecurity=False
This addresses all needs of FIPS users that expect approved-only cryptography from hashlib by default.
It satisfies Python's guarantees of always-available algorithms, as built-in fallbacks remain accessible with explicit consent from the user that an unapproved (a FIPS/ISO term) implementation is acceptable to the user.
In FIPS mode, it means that all users can gain access to blake2/shake/md5, even when these algorithms are either blocked or unavailable from the runtime OpenSSL in FIPS mode, as long as usedforsecurity=False is used.
This also removes the need to recompile or configure Python differently for non-FIPS and FIPS builds; specifically, one can safely compile Python with all with-builtin-hashlib-hashes enabled.
Diagrams and full details of the current state of hashlib; and FIPS user desires are documented in this issue is opened as a reference for potential implementations to resolve all needs and desires listed there.
This issue will be used as a reference for potential implementations.
Has this already been discussed elsewhere?
I have already discussed this feature proposal on Discourse
Links to previous discussion of this feature:
Discuss:
(note there are some off-topic messages there)
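
The caller-side contract this proposal relies on, shown with the existing hashlib API. This is an added example, not code from the issue or from CPython. The helper names `fips_mode`, `availability_report`, `checksum` and `security_digest` are hypothetical, and `_hashlib.get_fips_mode()` is a private CPython function used here only as a best-effort probe.

```python
import hashlib


def fips_mode():
    """Return OpenSSL's FIPS flag as a bool, or None if it cannot be read."""
    try:
        import _hashlib  # private CPython module; missing when built without OpenSSL
        return bool(_hashlib.get_fips_mode())
    except (ImportError, AttributeError):
        return None


def _constructible(name, usedforsecurity):
    """True if hashlib will hand out `name` under the given consent flag."""
    try:
        hashlib.new(name, usedforsecurity=usedforsecurity)
        return True
    except ValueError:  # unsupported or blocked digest
        return False


def availability_report():
    """Map each guaranteed algorithm to (security_ok, non_security_ok)."""
    return {
        name: (_constructible(name, True), _constructible(name, False))
        for name in sorted(hashlib.algorithms_guaranteed)
    }


def security_digest(data, name="sha256"):
    """Digest for security use: the default flag, so a blocked algorithm fails loudly."""
    return hashlib.new(name, data, usedforsecurity=True).hexdigest()


def checksum(data, name="md5"):
    """Digest for cache keys or file dedup: explicit consent to an unapproved algorithm."""
    return hashlib.new(name, data, usedforsecurity=False).hexdigest()


if __name__ == "__main__":
    print("OpenSSL FIPS mode:", fips_mode())
    for name, (strict, relaxed) in availability_report().items():
        print(f"{name:10} usedforsecurity=True: {strict!s:5}  False: {relaxed}")
    # Constructed sample input
    print(security_digest(b"abc"), checksum(b"abc"))
```

On a FIPS-enabled host, rows where the first column is False and the second is True are the call sites that need an explicit usedforsecurity=False.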