Expose OpenSSL FIPS_mode() as hashlib.get_fips_mode()

Author: encukou

Lib/hashlib.py

@@ -236,6 +236,11 @@ def prf(msg, inner=inner, outer=outer):
 except ImportError:
  pass
 
+try:
+ from _hashlib import get_fips_mode
+except ImportError:
+ pass
+
 
 for __func_name in __always_supported:
  # try them all, some may not work due to the OpenSSL

Modules/_hashopenssl.c

@@ -25,6 +25,9 @@
 #include <openssl/objects.h>
 #include "openssl/err.h"
 
+/* Expose FIPS_mode */
+#include <openssl/crypto.h>
+
 #include "clinic/_hashopenssl.c.h"
 /*[clinic input]
 module _hashlib
@@ -987,6 +990,38 @@ GEN_CONSTRUCTOR(sha256)
 GEN_CONSTRUCTOR(sha384)
 GEN_CONSTRUCTOR(sha512)
 
+/*[clinic input]
+_hashlib.get_fips_mode
+
+Determine the OpenSSL FIPS mode of operation.
+
+Effectively any non-zero return value indicates FIPS mode;
+values other than 1 may have additional significance.
+
+See OpenSSL documentation for the FIPS_mode() function for details.
+[clinic start generated code]*/
+
+static PyObject *
+_hashlib_get_fips_mode_impl(PyObject *module)
+/*[clinic end generated code: output=ad8a7793310d3f98 input=f42a2135df2a5e11]*/
+{
+ int result = FIPS_mode();
+ if (result == 0) {
+ // "If the library was built without support of the FIPS Object Module,
+ // then the function will return 0 with an error code of
+ // CRYPTO_R_FIPS_MODE_NOT_SUPPORTED (0x0f06d065)."
+ // But 0 is also a valid result value.
+
+ unsigned long errcode = ERR_peek_last_error();
+ if (errcode) {
+ _setException(PyExc_ValueError);
+ return NULL;
+ }
+ }
+ return PyLong_FromLong(result);
+}
+
+
 /* List of functions exported by this module */
 
 static struct PyMethodDef EVP_functions[] = {
@@ -996,6 +1031,7 @@ static struct PyMethodDef EVP_functions[] = {
  pbkdf2_hmac__doc__},
 #endif
  _HASHLIB_SCRYPT_METHODDEF
+ _HASHLIB_GET_FIPS_MODE_METHODDEF
  CONSTRUCTOR_METH_DEF(md5),
  CONSTRUCTOR_METH_DEF(sha1),
  CONSTRUCTOR_METH_DEF(sha224),