Expose OpenSSL FIPS_mode() as hashlib.get_fips_mode()

Author: encukou

Lib/hashlib.py

@@ -236,6 +236,11 @@ def prf(msg, inner=inner, outer=outer):
 except ImportError:
     pass
 
+try:
+    from _hashlib import get_fips_mode
+except ImportError:
+    pass
+
 
 for __func_name in __always_supported:
     # try them all, some may not work due to the OpenSSL

Modules/_hashopenssl.c

@@ -25,6 +25,9 @@
 #include <openssl/objects.h>
 #include "openssl/err.h"
 
+/* Expose FIPS_mode */
+#include <openssl/crypto.h>
+
 #include "clinic/_hashopenssl.c.h"
 /*[clinic input]
 module _hashlib
@@ -987,6 +990,38 @@ GEN_CONSTRUCTOR(sha256)
 GEN_CONSTRUCTOR(sha384)
 GEN_CONSTRUCTOR(sha512)
 
+/*[clinic input]
+_hashlib.get_fips_mode
+
+Determine the OpenSSL FIPS mode of operation.
+
+Effectively any non-zero return value indicates FIPS mode;
+values other than 1 may have additional significance.
+
+See OpenSSL documentation for the FIPS_mode() function for details.
+[clinic start generated code]*/
+
+static PyObject *
+_hashlib_get_fips_mode_impl(PyObject *module)
+/*[clinic end generated code: output=ad8a7793310d3f98 input=f42a2135df2a5e11]*/
+{
+    int result = FIPS_mode();
+    if (result == 0) {
+        // "If the library was built without support of the FIPS Object Module,
+        // then the function will return 0 with an error code of
+        // CRYPTO_R_FIPS_MODE_NOT_SUPPORTED (0x0f06d065)."
+        // But 0 is also a valid result value.
+
+        unsigned long errcode = ERR_peek_last_error();
+        if (errcode) {
+            _setException(PyExc_ValueError);
+            return NULL;
+        }
+    }
+    return PyLong_FromLong(result);
+}
+
+
 /* List of functions exported by this module */
 
 static struct PyMethodDef EVP_functions[] = {
@@ -996,6 +1031,7 @@ static struct PyMethodDef EVP_functions[] = {
      pbkdf2_hmac__doc__},
 #endif
     _HASHLIB_SCRYPT_METHODDEF
+    _HASHLIB_GET_FIPS_MODE_METHODDEF
     CONSTRUCTOR_METH_DEF(md5),
     CONSTRUCTOR_METH_DEF(sha1),
     CONSTRUCTOR_METH_DEF(sha224),