I agree that exposing them from OpenSSL is undesirable as they lack features. Raising an error sounds reasonable here. On a semi-related note, compiling Python without the internal blake2 implementation results in various test failures.
I’m in the process of removing this part of the patch as it was overkill and siphash is not used in a security context here.
Reaching that point is a long-term goal, and replacing the internal digest implementations is a different thing from dropping support for openssl or other cryptographic libraries. And if that point is reached, the discussion will be entirely different in scope.
As noted in the initial post, I’m already providing two buildbots that test the FIPS mode functionality. And I’m quite well versed in this part of the codebase and, as mentioned by @vstinner, we’ve been maintaining those patches for years. With the buildbot testing I don’t think it’s going to be much of a maintenance burden.
Would it make sense to start with a PR with (almost) all the changes incorporated, to provide a better overview of the scope?