From 21935c0b70d1b34198ecbe17ab7a14aeb03bdedc Mon Sep 17 00:00:00 2001 
From: Alessandro Bono Date: Fri, 17 Nov 2023 17:58:38 +0100 Subject: [PATCH] openssl: Build OpenSSL FIPS provider Following the OpenSSL instructions[1]. Enable the FIPS provider with the enable-fips option. As suggested, we compile the latest OpenSSL version (as of today, 3.2.0) and then we compile the latest FIPS-validated OpenSSL version (as of today, 3.0.8). Once everything is compiled, we pick (via the make target install_fips) only the FIPS-relevant files (namely fips.dll and fipsmodule.cnf) from the OpenSSL FIPS build and replace the ones from the plain OpenSSL build. By doing this we get the latest OpenSSL release with all the security fixes but with the approved FIPS provider, whose codebase, for legal reasons, does not change unless strictly required. This is also what the Downloads page[2] suggests: ``` Please follow the Security Policy instructions to download, build and install a validated OpenSSL FIPS provider. Other OpenSSL Releases MAY use the validated FIPS provider, but MUST NOT build and use their own FIPS provider. For example you can build OpenSSL 3.2 and use the OpenSSL 3.0.8 FIPS provider with it. ``` Note: in order to be FIPS compliant, the fipsmodule.cnf file must be generated on the target machine and shall not be copied. From the NIST document[3]: ``` The Module shall have the self-tests run, and the Module config file output generated on each platform where it is intended to be used. The Module config file output data shall not be copied from one machine to another. 
``` The fipsmodule.cnf configuration file can be generated with: ``` openssl fipsinstall -module /path/to/fips.dll -out /path/to/fipsmodule.cnf ``` [1] https://github.com/openssl/openssl/blob/0ddcb55b602800d4a1bcf1e76ca32939ed4fdaa4/README-FIPS.md#installing-the-fips-provider-and-using-it-with-the-latest-release [2] https://www.openssl.org/source/ [3] https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4282.pdf
---
 .../{openssl => openssl-base}/certdata.txt | 0
 .../{openssl => openssl-base}/mk-ca-bundle.pl | 0
 .../patches/{openssl => openssl-base}/mod.md | 0
 .../pc-files/libcrypto.pc | 0
 .../pc-files/libssl.pc | 0
 .../pc-files/openssl.pc | 0
 gvsbuild/projects/openssl.py | 38 +++++++++++++++++--
 7 files changed, 35 insertions(+), 3 deletions(-)
 rename gvsbuild/patches/{openssl => openssl-base}/certdata.txt (100%)
 rename gvsbuild/patches/{openssl => openssl-base}/mk-ca-bundle.pl (100%)
 rename gvsbuild/patches/{openssl => openssl-base}/mod.md (100%)
 rename gvsbuild/patches/{openssl => openssl-base}/pc-files/libcrypto.pc (100%)
 rename gvsbuild/patches/{openssl => openssl-base}/pc-files/libssl.pc (100%)
 rename gvsbuild/patches/{openssl => openssl-base}/pc-files/openssl.pc (100%)
diff --git a/gvsbuild/patches/openssl/certdata.txt b/gvsbuild/patches/openssl-base/certdata.txt
similarity index 100%
rename from gvsbuild/patches/openssl/certdata.txt
rename to gvsbuild/patches/openssl-base/certdata.txt
diff --git a/gvsbuild/patches/openssl/mk-ca-bundle.pl b/gvsbuild/patches/openssl-base/mk-ca-bundle.pl
similarity index 100%
rename from gvsbuild/patches/openssl/mk-ca-bundle.pl
rename to gvsbuild/patches/openssl-base/mk-ca-bundle.pl
diff --git a/gvsbuild/patches/openssl/mod.md b/gvsbuild/patches/openssl-base/mod.md
similarity index 100%
rename from gvsbuild/patches/openssl/mod.md
rename to gvsbuild/patches/openssl-base/mod.md
diff --git a/gvsbuild/patches/openssl/pc-files/libcrypto.pc b/gvsbuild/patches/openssl-base/pc-files/libcrypto.pc
similarity index 100%
rename from gvsbuild/patches/openssl/pc-files/libcrypto.pc
rename to gvsbuild/patches/openssl-base/pc-files/libcrypto.pc
diff --git a/gvsbuild/patches/openssl/pc-files/libssl.pc b/gvsbuild/patches/openssl-base/pc-files/libssl.pc
similarity index 100%
rename from gvsbuild/patches/openssl/pc-files/libssl.pc
rename to gvsbuild/patches/openssl-base/pc-files/libssl.pc
diff --git a/gvsbuild/patches/openssl/pc-files/openssl.pc b/gvsbuild/patches/openssl-base/pc-files/openssl.pc
similarity index 100%
rename from gvsbuild/patches/openssl/pc-files/openssl.pc
rename to gvsbuild/patches/openssl-base/pc-files/openssl.pc
diff --git a/gvsbuild/projects/openssl.py b/gvsbuild/projects/openssl.py
index 8917e2f25..1d5d85f82 100644
--- a/gvsbuild/projects/openssl.py
+++ b/gvsbuild/projects/openssl.py
@@ -20,11 +20,11 @@
 @project_add
-class OpenSSL(Tarball, Project):
+class OpenSSLBase(Tarball, Project):
 def __init__(self):
 Project.__init__(
 self,
- "openssl",
+ "openssl-base",
 version="3.2.0",
 archive_url="https://www.openssl.org/source/openssl-{version}.tar.gz",
 hash="14c826f07c7e433706fb5c69fa9e25dab95684844b4c962a2cf1bf183eb4690e",
@@ -36,7 +36,7 @@ def __init__(self):
 )
 def build(self):
- common_options = r"no-comp no-docs no-ssl3 --openssldir=%(gtk_dir)s/etc/ssl --prefix=%(gtk_dir)s"
+ common_options = r"enable-fips no-comp no-docs no-ssl3 --openssldir=%(gtk_dir)s/etc/ssl --prefix=%(gtk_dir)s"
 debug_option = "debug-" if self.builder.opts.configuration == "debug" else ""
 target_option = "VC-WIN32 " if self.builder.x86 else "VC-WIN64A "
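Review bot: Adding `enable-fips` to the 3.2.0 base build makes `OpenSSLBase` produce and install its own fips.dll and fipsmodule.cnf, which are not the validated module and are only correct once the `openssl` project's `install_fips` step replaces them; that ordering contract lives only in the commit message. A comment on the changed line would keep it next to the code, e.g. `# enable-fips builds a 3.2.0 provider that is NOT FIPS-validated; the "openssl" project (3.0.8) overwrites fips.dll and fipsmodule.cnf via install_fips and must always run after this one.` build() continues past the end of this hunk, so the install steps that lay down those files are not visible here.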
@@ -56,3 +56,35 @@ def build(self):
 self.install(r".\cert.pem bin")
 self.install(r".\LICENSE share\doc\openssl")
 self.install_pc_files()
+
+
+@project_add
+class OpenSSL(Tarball, Project):
+ def __init__(self):
+ Project.__init__(
+ self,
+ "openssl",
+ version="3.0.8",
+ archive_url="https://www.openssl.org/source/openssl-{version}.tar.gz",
+ hash="6c13d2bf38fdf31eac3ce2a347073673f5d63263398f1f69d0df4a41253e4b3e",
+ dependencies=[
+ "openssl-base",
+ ],
+ )
+
+ def build(self):
+ common_options = "enable-fips no-ssl3 no-comp --openssldir=%(gtk_dir)s/etc/ssl --prefix=%(gtk_dir)s"
+ debug_option = "debug-" if self.builder.opts.configuration == "debug" else ""
+ target_option = "VC-WIN32 " if self.builder.x86 else "VC-WIN64A "
+
+ self.exec_vs(
+ r"%(perl_dir)s\bin\perl.exe Configure "
+ + debug_option
+ + target_option
+ + common_options
+ )
+
+ with contextlib.suppress(Exception):
+ self.exec_vs(r"nmake /nologo clean")
+ self.exec_vs(r"nmake /nologo")
+ self.exec_vs(r"nmake /nologo install_fips")
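Review bot: The `install_fips` call on the last line runs the module self-tests and writes fipsmodule.cnf for the build host, and that file is then installed next to fips.dll, which the security policy quoted in the description says must not be copied to another machine; nothing in the code records that consumers have to regenerate it on the target. A comment above the call would stop the shipped file from being taken as compliant, e.g. `# install_fips also runs fipsinstall and writes fipsmodule.cnf for THIS host;` / `# per the FIPS security policy it must be regenerated on the target machine` / `# (openssl fipsinstall -module <fips.dll path> -out <fipsmodule.cnf path>).` The `version="3.0.8"` pin is the whole point of this class, so a one-line comment saying it may only be bumped to a newly validated provider (the security-policy link in the description appears to correspond to certificate #4282, to be confirmed) would protect it from a routine version bump. `common_options` here also drops `no-docs` and the `r` prefix used by `OpenSSLBase`; if 3.0.8 does not accept `no-docs`, a short comment should say so, otherwise the two option strings should be kept aligned.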