Introduction
In previous posts, we saw how to build FIPS enabled Openssl, and how to Patch and Build Python 3.9.2
In this post, we will put all those steps in a Dockerfile.
Python 3.9.2 Patch
Create a file with name: python_patch_3.9.2.patch
diff -aur Lib/ssl.py Lib/ssl.py
--- Lib/ssl.py 2020-10-05 15:07:58.000000000 +0000
+++ Lib/ssl.py 2021-03-02 04:23:32.026226000 +0000
@@ -111,6 +111,11 @@
# LibreSSL does not provide RAND_egd
pass
+try:
+ from _ssl import FIPS_mode, FIPS_mode_set
+except ImportError as e:
+ sys.stderr.write('error in importing\n')
+ sys.stderr.write(str(e))
from _ssl import (
HAS_SNI, HAS_ECDH, HAS_NPN, HAS_ALPN, HAS_SSLv2, HAS_SSLv3, HAS_TLSv1,
diff -aur Modules/Setup Modules/Setup
--- Modules/Setup 2020-10-05 15:07:58.000000000 +0000
+++ Modules/Setup 2021-03-02 04:24:28.071717000 +0000
@@ -207,14 +207,14 @@
#_csv _csv.c
# Socket module helper for socket(2)
-#_socket socketmodule.c
+_socket socketmodule.c
# Socket module helper for SSL support; you must comment out the other
# socket line above, and possibly edit the SSL variable:
-#SSL=/usr/local/ssl
-#_ssl _ssl.c \
-# -DUSE_SSL -I$(SSL)/include -I$(SSL)/include/openssl \
-# -L$(SSL)/lib -lssl -lcrypto
+SSL=/usr/local/ssl
+_ssl _ssl.c \
+ -DUSE_SSL -I$(SSL)/include -I$(SSL)/include/openssl \
+ -L$(SSL)/lib -lssl -lcrypto
# The crypt module is now disabled by default because it breaks builds
# on many systems (where -lcrypt is needed), e.g. Linux (I believe).
diff -aur Modules/_ssl.c Modules/_ssl.c
--- Modules/_ssl.c 2020-10-05 15:07:58.000000000 +0000
+++ Modules/_ssl.c 2021-03-02 04:25:30.930669000 +0000
@@ -5394,6 +5394,20 @@
return PyLong_FromLong(RAND_status());
}
+static PyObject *
+_ssl_FIPS_mode_impl(PyObject *module) {
+ return PyLong_FromLong(FIPS_mode());
+}
+
+static PyObject *
+_ssl_FIPS_mode_set_impl(PyObject *module, int n) {
+ if (FIPS_mode_set(n) == 0) {
+ _setSSLError(ERR_error_string(ERR_get_error(), NULL) , 0, __FILE__, __LINE__);
+ return NULL;
+ }
+ Py_RETURN_NONE;
+}
+
#ifndef OPENSSL_NO_EGD
/* LCOV_EXCL_START */
/*[clinic input]
@@ -5875,6 +5889,8 @@
_SSL_ENUM_CRLS_METHODDEF
_SSL_TXT2OBJ_METHODDEF
_SSL_NID2OBJ_METHODDEF
+ _SSL_FIPS_MODE_METHODDEF
+ _SSL_FIPS_MODE_SET_METHODDEF
{NULL, NULL} /* Sentinel */
};
diff -aur Modules/clinic/_ssl.c.h Modules/clinic/_ssl.c.h
--- Modules/clinic/_ssl.c.h 2020-10-05 15:07:58.000000000 +0000
+++ Modules/clinic/_ssl.c.h 2021-03-02 04:27:06.120295000 +0000
@@ -1204,6 +1204,45 @@
return _ssl_RAND_status_impl(module);
}
+PyDoc_STRVAR(_ssl_FIPS_mode__doc__,
+"FIPS Mode");
+
+#define _SSL_FIPS_MODE_METHODDEF \
+ {"FIPS_mode", (PyCFunction)_ssl_FIPS_mode, METH_NOARGS, _ssl_FIPS_mode__doc__},
+
+static PyObject *
+_ssl_FIPS_mode_impl(PyObject *module);
+
+static PyObject *
+_ssl_FIPS_mode(PyObject *module, PyObject *Py_UNUSED(ignored))
+{
+ return _ssl_FIPS_mode_impl(module);
+}
+
+PyDoc_STRVAR(_ssl_FIPS_mode_set_doc__,
+"FIPS Mode Set");
+
+#define _SSL_FIPS_MODE_SET_METHODDEF \
+ {"FIPS_mode_set", (PyCFunction)_ssl_FIPS_mode_set, METH_O, _ssl_FIPS_mode_set_doc__},
+
+static PyObject *
+_ssl_FIPS_mode_set_impl(PyObject *module, int n);
+
+static PyObject *
+_ssl_FIPS_mode_set(PyObject *module, PyObject *arg)
+{
+ PyObject *return_value = NULL;
+ int n;
+
+ if (!PyArg_Parse(arg, "i:FIPS_mode_set", &n)) {
+ goto exit;
+ }
+ return_value = _ssl_FIPS_mode_set_impl(module, n);
+
+exit:
+ return return_value;
+}
+
#if !defined(OPENSSL_NO_EGD)
PyDoc_STRVAR(_ssl_RAND_egd__doc__,Dockerfile
FROM centos:7
RUN yum update -y
RUN yum -y install git \
libffi-devel libffi libssh2-devel autoconf automake libtool \
libxml2-devel libxslt-devel libjpeg-devel zlib-devel \
make cmake gcc python-devel python-setuptools wget bzip2-devel
# OpenSSL build steps
ENV OPENSSL_FIPS=1
RUN mkdir -p /usr/local/src/ /python_installation \
&& cd /usr/local/src/ \
&& curl -O https://www.openssl.org/source/openssl-fips-2.0.16.tar.gz \
&& curl -O https://www.openssl.org/source/openssl-1.0.2t.tar.gz \
&& tar -xvf openssl-fips-2.0.16.tar.gz \
&& cd openssl-fips-2.0.16 \
&& ./config \
&& make install \
&& cd ../ \
&& tar -xvf openssl-1.0.2t.tar.gz \
&& cd openssl-1.0.2t \
&& ./config shared fips no-ssl2 no-ssl3 \
&& make depend \
&& make install \
&& cd ../ && rm -rf openssl-fips-2.0.16.tar.gz ./openssl-fips-2.0.16 \
&& echo "/usr/local/ssl/lib" > /etc/ld.so.conf.d/openssl-1.0.2t.conf \
&& ldconfig -v \
&& ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl \
&& openssl version
ADD python_patch_3.9.2.patch /python_installation/
ARG PYENV_VERSION=3.9.2
ENV PYENV_INSTALLER_URL=https://raw.githubusercontent.com/pyenv/pyenv-installer/master/bin/pyenv-installer
ENV PYTHON_CONFIGURE_OPTS="--enable-shared"
RUN umask 022 \
&& curl -s -S -L "$PYENV_INSTALLER_URL" -o /usr/bin/pyenv-installer \
&& chmod 0755 /usr/bin/pyenv-installer \
&& /usr/bin/pyenv-installer \
&& eval "$(pyenv init -)" \
&& pyenv install --patch $PYENV_VERSION < /python_installation/python_patch_3.9.2.patch \
&& pyenv global $PYENV_VERSION \
&& pip install --upgrade pip \
&& pip install wheel \
&& CRYPTOGRAPHY_DONT_BUILD_RUST=1 CFLAGS="-I/usr/local/ssl/include" LDFLAGS="-L/usr/local/ssl/lib" pip wheel --no-binary :all: cryptography==3.0 \
&& CRYPTOGRAPHY_DONT_BUILD_RUST=1 CFLAGS="-I/usr/local/ssl/include" LDFLAGS="-L/usr/local/ssl/lib" pip install cryptography-3.0-cp39-cp39-linux_x86_64.whl 
