make HMAC work in strict FIPS mode #355
606516b to 6f0327e
On new FIPS-compliant Python, HMAC is implemented as a thin wrapper around the OpenSSL implementation of HMAC, which makes it impossible to add a field to the hmac object, but they actually do have the block_size field and set it to correct values
I am still getting the following error:
@The-Mule that function should never get the '_hmacopenssl.HMAC' object if the second patch is applied...
Sorry for false alarm. It was human error, thankfully. Anyway, fixes seem to be working fine. Thanks! First commit is simple enough for me to review it. As for second commit (HMAC implementation), is it completely new code or something already reviewed elsewhere? (noticed 2015 in licence header).
As new Python uses OpenSSL to implement HMAC (so that it is FIPS compliant), using MD5 for HMAC will not work; as we need it for older ciphers (and to verify that those old ciphers don't work in FIPS mode), we need to overwrite that limitation
it's new code, fixed
LGTM
On new FIPS-compliant Python, HMAC is implemented as a thin wrapper around
the OpenSSL implementation of HMAC, which makes it impossible to add a
field to the hmac object or use MD5 for hmac-ing in FIPS mode,
so re-implement HMAC in pure Python (still use native hash implementations).
Leave implementation of fallback for later: #356
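The approach described in this PR (HMAC re-implemented in pure Python on top of native hash objects, with `block_size` as an ordinary attribute), written out as an added example; it is not the code from the PR. `PureHMAC`, `_new_hash` and `verify` are hypothetical names, and requesting MD5 with `usedforsecurity=False` is an assumption about Python 3.9+ on a FIPS-enabled host.

```python
import hashlib
import hmac as std_hmac  # used only for its constant-time compare_digest


def _new_hash(name, data=b""):
    # Assumption: on Python 3.9+ a FIPS-enabled OpenSSL still hands out MD5
    # when the caller declares the use as non-security-relevant.
    try:
        return hashlib.new(name, data, usedforsecurity=False)
    except TypeError:  # Python < 3.9 has no usedforsecurity keyword
        return hashlib.new(name, data)


class PureHMAC(object):
    """RFC 2104 HMAC built from two native hash contexts."""

    def __init__(self, key, msg=b"", digestmod="sha256"):
        self.name = digestmod
        probe = _new_hash(digestmod)
        self.block_size = probe.block_size    # plain attributes: readable
        self.digest_size = probe.digest_size  # and settable by callers
        if len(key) > self.block_size:        # over-long keys are hashed first
            key = _new_hash(digestmod, key).digest()
        key = key.ljust(self.block_size, b"\x00")
        self._inner = _new_hash(digestmod, bytes(b ^ 0x36 for b in key))
        self._outer = _new_hash(digestmod, bytes(b ^ 0x5C for b in key))
        self.update(msg)

    def update(self, msg):
        self._inner.update(msg)

    def copy(self):
        other = PureHMAC.__new__(PureHMAC)
        other.__dict__.update(self.__dict__)
        other._inner = self._inner.copy()
        other._outer = self._outer.copy()
        return other

    def digest(self):
        outer = self._outer.copy()            # keep the object reusable
        outer.update(self._inner.digest())
        return outer.digest()


def verify(key, msg, tag, digestmod="sha256"):
    # Compare tags in constant time, never with ==
    return std_hmac.compare_digest(PureHMAC(key, msg, digestmod).digest(), tag)
```

The native hash objects still do all the hashing; only the key padding and the inner/outer construction are done in Python.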