HewlettPackard / python-redfish-utility

Python-based utility for interacting with devices supporting a Redfish Service

Blog post about Python and FIPS is ambiguous and causes confusion #27

Closed xnox closed 2 years ago

xnox commented 4 years ago

https://developer.hpe.com/blog/creating-a-python-version-that-enforces-fips

is a bit ambiguous. hashlib itself optionally uses OpenSSL and doesn't actually inform whether the internal, a non-FIPS OpenSSL, or a FIPS OpenSSL implementation is used, or whether there is a fallback.

This is documented at https://docs.python.org/3/library/hashlib.html#hashlib.algorithms_guaranteed

And indeed a FIPS certified Ubuntu ships python that does not crash and abort in the hashlib module when FIPS is activated. See https://bugs.launchpad.net/bugs/1835135

I do like that there are patches available in this repository that expose FIPS_mode() bindings to python, because it is a really nice and easy way to query which mode openssl is in, and whether or not it needs changing. It would be nice if that patch was submitted to cpython upstream.

The blog post alludes to that one must patch cpython, rebuild python to add the API binding, and call FIPS_mode_set() for cpython's ssl module to be in FIPS mode. However, on FIPS certified installations of Ubuntu, the kernel & openssl are automatically set to FIPS_mode, and there are no actions required to ensure that python's ssl module is operating in a FIPS certified manner.

It would be nice if an erratum was issued for the said blog post which explains that rebuilding python, adding custom APIs to the python library, and using hashlib to test things is not needed on FIPS certified Ubuntu, as all of that is performed out of the box by default. I.e. one can query FIPS_mode() on Linux with plain vanilla cpython. For example:

```python
from __future__ import print_function  # keeps the snippet Python 2/3 compatible
from ctypes import cdll
import ssl

# The _ssl extension module links against libcrypto, so on Linux the
# FIPS_mode symbol (OpenSSL 1.x) resolves through the handle of that .so.
libcrypto = cdll.LoadLibrary(ssl._ssl.__file__)
print(libcrypto.FIPS_mode())  # non-zero when OpenSSL is running in FIPS mode
```

I understand that this project and the blog post are expected to work on both Windows and Linux, with FIPS from various vendors. I'll have to check how to perform the above on Windows too. This way the blog post & python-redfish-utility can operate with just stock cpython.
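A fuller version of the same check, added here as an example that is not from the issue or the python-redfish-utility project: it handles both the OpenSSL 1.x FIPS_mode() API and the OpenSSL 3 replacement, and sets the library's answer beside what hashlib actually does, which is the gap the comment above describes. It assumes Linux/glibc, where symbols of the _ssl module's dependencies (libcrypto) resolve through that module's handle; the probe value is constructed.

```python
# Added example, not code from the issue or the python-redfish-utility project.
# Assumes Linux/glibc: dlsym() on the _ssl extension handle also searches its
# dependencies, so libcrypto symbols resolve through it (not so on Windows).
import ctypes
import hashlib
import ssl


def load_crypto_handle():
    """Return a ctypes handle via the _ssl extension, or None if unavailable."""
    try:
        return ctypes.CDLL(ssl._ssl.__file__)
    except (AttributeError, OSError):
        return None  # _ssl built into the interpreter, or not loadable


def fips_mode_enabled(lib=None):
    """True/False for OpenSSL's FIPS state, None if it cannot be determined.

    OpenSSL 1.0/1.1 expose FIPS_mode(); OpenSSL 3 removed it and offers
    EVP_default_properties_is_fips_enabled(libctx) instead.
    """
    lib = lib if lib is not None else load_crypto_handle()
    if lib is None:
        return None
    if hasattr(lib, "FIPS_mode"):
        lib.FIPS_mode.restype = ctypes.c_int
        lib.FIPS_mode.argtypes = []
        return bool(lib.FIPS_mode())
    if hasattr(lib, "EVP_default_properties_is_fips_enabled"):
        fn = lib.EVP_default_properties_is_fips_enabled
        fn.restype = ctypes.c_int
        fn.argtypes = [ctypes.c_void_p]
        return bool(fn(None))  # NULL selects the default library context
    return None


def fips_status():
    """Combine the OpenSSL flag with what hashlib actually does."""
    try:
        hashlib.md5(b"probe")  # constructed input; refused under FIPS
        md5_usable = True
    except ValueError:
        md5_usable = False
    return {
        "openssl_version": ssl.OPENSSL_VERSION,
        "fips_mode": fips_mode_enabled(),
        # "_hashlib" means OpenSSL-backed; "_md5" means CPython's own fallback
        "md5_backend": getattr(hashlib.md5, "__module__", None),
        "md5_usable": md5_usable,
    }
```

If `fips_mode` is True while `md5_backend` is `_md5` and MD5 still works, hashlib has silently fallen back to its internal implementation, which is exactly what the OpenSSL flag alone does not reveal.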

rajeevkallur commented 3 years ago

Will inform the author

sahanaramavana commented 2 years ago

Hi @xnox,

Here is the blog post for python 3 https://developer.hpe.com/blog/enabling-python-3-with-opensslfips-on-microsoft-windows/

As Python 2.7 is deprecated, kindly refer to this.

Thanks & Regards, iLORest Team