Hi All,

Running into an interesting problem here. I have built cryptography in a
centos container using a custom OpenSSL (1.0.2t) with FIPS object module
(2.0.16). This all works well and fine but FIPS functionality seems to be
missing. For example, when running:

print backend._lib.FIPS_mode_set(1)
print ''.join([backend._lib.OPENSSL_VERSION_TEXT[i] for i in range(30)])

I expect to get "1" and "OpenSSL 1.0.2t-fips 10 Sep 2019". Instead, I am
getting "0" and "OpenSSL 1.0.2t 10 Sep 2019" (without the -fips
designation).

Since the output of "openssl version" using the OpenSSL binary that I built
shows "OpenSSL 1.0.2t-fips 10 Sep 2019", I assume that my OpenSSL build is
fine and therefore something went wrong in my cryptography build.

As a quick way to reproduce this, I have attached a Dockerfile that can
reproduce what I'm seeing. Does anyone know if what I'm seeing is expected
or perhaps I'm doing something wrong in my cryptography build? Since I'm
not much of an expert in C and building from source, I'm hoping this is
just a small mistake on my part.

Appreciate any help here!

Thank you,
Ryan

FROM centos

# Install build dependencies
RUN yum groupinstall -y  "Development Tools" && \
    yum install -y python-devel libffi-devel

# Install Python dependencies
RUN curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py && \
    python get-pip.py && \
    pip install virtualenv setuptools wheel pip

# Build Fips object module
RUN curl -O https://www.openssl.org/source/openssl-fips-2.0.16.tar.gz && \
    tar xvf openssl-fips-2.0.16.tar.gz && \
    cd openssl-fips-2.0.16 && \
    ./config && \
    make && \
    make install

# Build OpenSSL
RUN curl -O https://www.openssl.org/source/openssl-1.0.2t.tar.gz && \
    tar xvf openssl-1.0.2t.tar.gz && \
    cd /openssl-1.0.2t && \
    ./config fips no-shared -fPIC --prefix=/openssl-1.0.2t/openssl && \
    make depend && \
    make && \
    make install

# Build cryptography
RUN CFLAGS="-I/openssl-1.0.2t/openssl/include" \
    LDFLAGS="-L/openssl-1.0.2t/openssl/lib" \
    pip wheel --no-cache --no-binary :all: cryptography && \
    pip install cryptography*.whl

# Test if fips is enabled
RUN python -c "\
from cryptography.hazmat.backends.openssl.backend import backend;\
print backend._lib.FIPS_mode_set(1);\
print ''.join([backend._lib.OPENSSL_VERSION_TEXT[i] for i in range(30)])"
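An added diagnostic script (not from the original post or from the cryptography project) that checks the same two things the Dockerfile's last step checks, but reads OPENSSL_VERSION_TEXT with ffi.string instead of a fixed 30-character slice, drains the OpenSSL error queue when FIPS_mode_set(1) fails, and compares the library cryptography linked against with the interpreter's own ssl module to flag a build that silently picked up the system OpenSSL. It assumes a cryptography release that still exposes the FIPS_mode_set binding on backend._lib (the 2.x era paired with OpenSSL 1.0.2, as in the post); the function names and the "OpenSSL 1.0.2t-fips 10 Sep 2019" version-text layout are assumptions taken from the post's own expected output.

```python
"""Check whether cryptography is linked against a FIPS-capable OpenSSL.

Added example; not part of the original post or of the cryptography project.
"""
import re
import ssl

# Assumption: OPENSSL_VERSION_TEXT looks like "OpenSSL 1.0.2t-fips 10 Sep 2019",
# with a "-fips" tag directly after the version number on a FIPS-capable build.
_VERSION_RE = re.compile(r"^OpenSSL\s+(\S+?)(-fips)?\s+(.*)$")


def parse_version_text(text):
    """Return (version, fips_capable, build_date) from an OPENSSL_VERSION_TEXT string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version text: %r" % (text,))
    return m.group(1), m.group(2) is not None, m.group(3)


def diagnose(fips_set_rc, linked_version_text, stdlib_version_text):
    """Turn the raw observations into a verdict string (pure, so it is testable).

    fips_set_rc          -- return value of FIPS_mode_set(1) (1 = success)
    linked_version_text  -- OPENSSL_VERSION_TEXT seen through cryptography's bindings
    stdlib_version_text  -- ssl.OPENSSL_VERSION of the interpreter's own ssl module
    """
    version, fips_capable, _ = parse_version_text(linked_version_text)
    if fips_set_rc == 1 and fips_capable:
        return "ok: FIPS mode enabled on OpenSSL %s" % version
    if not fips_capable:
        hint = "cryptography is linked against a non-FIPS OpenSSL %s" % version
        if stdlib_version_text and stdlib_version_text == linked_version_text:
            # Same string as the stdlib ssl module: the wheel most likely
            # linked the system OpenSSL rather than the custom prefix.
            hint += (" (identical to the interpreter's own ssl module, so the build"
                     " probably picked up the system OpenSSL instead of the custom one)")
        return "fail: " + hint
    return ("fail: OpenSSL %s is FIPS-capable but FIPS_mode_set(1) returned %d"
            " (inspect the error queue and the fipscanister install)" % (version, fips_set_rc))


def probe():
    """Query the live cryptography backend and return (verdict, openssl_errors).

    Hypothetical helper; imports lazily so the pure functions above stay usable
    without cryptography installed.
    """
    from cryptography.hazmat.backends.openssl.backend import backend
    lib, ffi = backend._lib, backend._ffi
    # ffi.string reads the whole NUL-terminated C string, however long it is.
    linked = ffi.string(lib.OPENSSL_VERSION_TEXT).decode("ascii")
    fips_mode_set = getattr(lib, "FIPS_mode_set", None)
    if fips_mode_set is None:
        rc = -1
        errors = ["FIPS_mode_set binding not present in this cryptography build"]
    else:
        rc = fips_mode_set(1)
        # FIPS_mode_set(1) pushes its reason onto the OpenSSL error queue on failure;
        # ERR_get_error returns 0 once the queue is empty.
        errors = [ffi.string(lib.ERR_error_string(e, ffi.NULL)).decode("ascii")
                  for e in iter(lib.ERR_get_error, 0)]
    return diagnose(rc, linked, ssl.OPENSSL_VERSION), errors


if __name__ == "__main__":
    verdict, errs = probe()
    print(verdict)
    for err in errs:
        print("  openssl: " + err)
```

Run it inside the container after the `pip install` step; a verdict that names the system OpenSSL is the signal to check that CFLAGS/LDFLAGS actually reached the cffi compile and link of the wheel.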
_______________________________________________
Cryptography-dev mailing list
Cryptography-dev@python.org
https://mail.python.org/mailman/listinfo/cryptography-dev