bpo-9216: Expose OpenSSL FIPS_mode() as _hashlib.get_fips_mode() (GH-19703)
test.pythoninfo logs OpenSSL FIPS_mode() and Linux
/proc/sys/crypto/fips_enabled in a new "fips" section.
Co-Authored-By: Petr Viktorin <encukou@gmail.com>
diff --git a/Lib/test/pythoninfo.py b/Lib/test/pythoninfo.py
index cc0bbc5..cc228fb 100644
--- a/Lib/test/pythoninfo.py
+++ b/Lib/test/pythoninfo.py
@@ -720,6 +720,25 @@
pass
+def collect_fips(info_add):
+ try:
+ import _hashlib
+ except ImportError:
+ _hashlib = None
+
+ if _hashlib is not None:
+ call_func(info_add, 'fips.openssl_fips_mode', _hashlib, 'get_fips_mode')
+
+ try:
+ with open("/proc/sys/crypto/fips_enabled", encoding="utf-8") as fp:
+ line = fp.readline().rstrip()
+
+ if line:
+ info_add('fips.linux_crypto_fips_enabled', line)
+ except OSError:
+ pass
+
+
def collect_info(info):
error = False
info_add = info.add
@@ -735,6 +754,7 @@
collect_datetime,
collect_decimal,
collect_expat,
+ collect_fips,
collect_gdb,
collect_gdbm,
collect_get_config,
diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
index 33b687e..31d8e55 100644
--- a/Lib/test/test_hashlib.py
+++ b/Lib/test/test_hashlib.py
@@ -856,6 +856,11 @@
self.assertEqual(expected_hash, hasher.hexdigest())
+ @unittest.skipUnless(hasattr(c_hashlib, 'get_fips_mode'),
+ 'need _hashlib.get_fips_mode')
+ def test_get_fips_mode(self):
+ self.assertIsInstance(c_hashlib.get_fips_mode(), int)
+
class KDFTests(unittest.TestCase):