author | Victor Stinner <vstinner@python.org> | 2020-04-29 16:04:22 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-04-29 16:04:22 (GMT) |
commit | e3dfb9b967c560f4d094092dcae4a16fc9634681 (patch) | |
tree | 87cce94d1a8858c6a8cf591557a5778d7e01ae65 /Modules/_hashopenssl.c | |
parent | e5963ee32035d279c12ef32e87205d4c3e5e4a0e (diff) | |
bpo-9216: Expose OpenSSL FIPS_mode() as _hashlib.get_fips_mode() (GH-19703)
test.pythoninfo logs OpenSSL FIPS_mode() and Linux
/proc/sys/crypto/fips_enabled in a new "fips" section.
Co-Authored-By: Petr Viktorin <encukou@gmail.com>
Diffstat (limited to 'Modules/_hashopenssl.c')
-rw-r--r-- | Modules/_hashopenssl.c | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
index 0919cd3..91834e5 100644
--- a/Modules/_hashopenssl.c
+++ b/Modules/_hashopenssl.c
@@ -25,6 +25,8 @@
 #include <openssl/objects.h>
 #include "openssl/err.h"
 
+#include <openssl/crypto.h> // FIPS_mode()
+
 #if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
 /* OpenSSL < 1.1.0 */
 #define EVP_MD_CTX_new EVP_MD_CTX_create
@@ -1096,12 +1098,53 @@ generate_hash_name_list(void)
 return state.set;
 }
 
+/* LibreSSL doesn't support FIPS:
+ https://marc.info/?l=openbsd-misc&m=139819485423701&w=2
+
+ Ted Unangst wrote: "I figured I should mention our current libressl policy
+ wrt FIPS mode. It's gone and it's not coming back." */
+#ifndef LIBRESSL_VERSION_NUMBER
+/*[clinic input]
+_hashlib.get_fips_mode -> int
+
+Determine the OpenSSL FIPS mode of operation.
+
+Effectively any non-zero return value indicates FIPS mode;
+values other than 1 may have additional significance.
+
+See OpenSSL documentation for the FIPS_mode() function for details.
+[clinic start generated code]*/
+
+static int
+_hashlib_get_fips_mode_impl(PyObject *module)
+/*[clinic end generated code: output=87eece1bab4d3fa9 input=c2799c3132a36d6c]*/
+
+{
+ ERR_clear_error();
+ int result = FIPS_mode();
+ if (result == 0) {
+ // "If the library was built without support of the FIPS Object Module,
+ // then the function will return 0 with an error code of
+ // CRYPTO_R_FIPS_MODE_NOT_SUPPORTED (0x0f06d065)."
+ // But 0 is also a valid result value.
+ unsigned long errcode = ERR_peek_last_error();
+ if (errcode) {
+ _setException(PyExc_ValueError);
+ return -1;
+ }
+ }
+ return result;
+}
+#endif // !LIBRESSL_VERSION_NUMBER
+
+
 /* List of functions exported by this module */
 static struct PyMethodDef EVP_functions[] = {
 EVP_NEW_METHODDEF
 PBKDF2_HMAC_METHODDEF
 _HASHLIB_SCRYPT_METHODDEF
+ _HASHLIB_GET_FIPS_MODE_METHODDEF
 _HASHLIB_HMAC_DIGEST_METHODDEF
 _HASHLIB_OPENSSL_MD5_METHODDEF
 _HASHLIB_OPENSSL_SHA1_METHODDEF
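Review bot: The clinic docstring for `_hashlib.get_fips_mode` does not say that the function raises rather than returning 0 when OpenSSL reports an error: in the `result == 0` branch a non-empty error queue (`ERR_peek_last_error()`) leads to `_setException(PyExc_ValueError)` and `return -1`, which per the quoted OpenSSL text is exactly the case of a library built without FIPS support. Callers such as `test.pythoninfo` need to know to catch this, so I would add a docstring line: `Raise ValueError if OpenSSL reports an error, e.g. when the library was built without FIPS support.` A short comment that the value reflects only OpenSSL's own FIPS flag, not the kernel's `/proc/sys/crypto/fips_enabled` that the commit message says pythoninfo reports separately, would also help readers not treat a non-zero result as proof of a FIPS-validated deployment. Presumably `_setException` drains the queue with `ERR_get_error()`; if it only peeks, the entry left by the peek here stays on the thread's error queue and can surface from an unrelated later call — worth confirming against its definition, which is outside this hunk. `FIPS_mode()` is deprecated in OpenSSL 3.0, so when this module is expected to build against 3.0 the guard will need to dispatch to `EVP_default_properties_is_fips_enabled()` instead.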