add openssl fips provider #17341
Draft
tobiasb-ms wants to merge 2 commits into
New package that builds fips.so and fipsmodule.cnf from OpenSSL 3.5.4 using the upstream fipsinstall approach (not Red Hat's embedded HMAC). Key design decisions:
- Builds with enable-fips, runs fipsinstall AFTER debuginfo strip
- Removes Patch0018/0020/0022 (RH embedded HMAC approach)
- Keeps Patch0017 rebranded for Azure Linux
- Ships only fips.so and fipsmodule.cnf (all other files cleaned)
- fipsmodule.cnf has activate=1 stripped so the provider is loadable but not auto-activated by default
- Published to rpm-base (not rpm-sdk)
- Requires: openssl-libs (runtime)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Modify the openssl component to work with the standalone openssl-fips-provider package:
- Remove patches 0017, 0018, 0020, 0022 (RH embedded HMAC approach)
- Replace hmacify with fipsinstall in %check
- Rebrand FIPS vendor string to Azure Linux
- Replace fips_local.cnf symlink with real file that .includes both fipsmodule.cnf (HMAC data) and crypto-policies backend
- Wire fipsmodule.cnf and fips_sect into openssl.cnf so -provider fips works without manual config editing (provider registered but not auto-activated)
- Fix Patch0037 (fips_config.pod hunk doesn't apply to 3.5.4)
- Suppress openssl-libs -> openssl-fips-provider Requires (temporary, until dependency resolver is happy)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
🔒❌ Lock files are out of date

FIX: run this and commit the result:

    azldev component update -p openssl

Or download the fix patch and apply it:

    gh run download 26063932482 -R microsoft/azurelinux -n locks-patch
    git apply locks.patch
This change adds the FIPS provider for openssl. Modeled after RHEL, it is built in a separate component -- `openssl-fips-provider` -- so we can pin it separately from the main `openssl` component. This is important because once certified, we will almost never want to rev `openssl-fips-provider`. `openssl` then takes a run-time dependency on `openssl-fips-provider`, so it should always have the FIPS provider available.

That said, `openssl-fips-provider` is still based on the same source -- the `openssl` upstream. It builds very similarly to `openssl`, but then instead of deleting the fips-related things it deletes everything else.

We diverged significantly from RHEL on how to implement the FIPS provider -- going way, way closer to an unmodified `openssl` version. Our patches are now almost all outside of the FIPS boundary, and we package it the way `openssl` wants it packaged -- with the HMAC in a config file rather than embedded.

I've built and run these locally and everything behaves the same as Fedora. I've also built on the build server.
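As an added illustration of the config wiring the commits describe (provider registered via `fips_sect` in openssl.cnf, `activate = 1` stripped from the included fipsmodule.cnf), and not code from this PR or the Azure Linux packages: a small Python reader for OpenSSL-style `.cnf` files that follows `.include` the way OpenSSL does and reports whether the fips provider is registered and whether it would be auto-activated. The file paths, contents and module-mac value are constructed samples.

```python
# Constructed stand-in for the filesystem so the example runs offline; paths are samples.
FILES = {
    "/etc/ssl/openssl.cnf": """
openssl_conf = openssl_init
.include /etc/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
fips = fips_sect
[default_sect]
activate = 1
""",
    # fipsmodule.cnf as shipped: activate = 1 stripped, HMAC data kept (placeholder MAC value).
    "/etc/ssl/fipsmodule.cnf": """
[fips_sect]
conditional-errors = 1
security-checks = 1
module-mac = 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
install-status = INSTALL_SELF_TEST_KATS_RUN
""",
}
def expand(path, files):
    """Yield non-comment lines of `path`, splicing .include'd files in place as OpenSSL does."""
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith(".include"):
            yield from expand(line[len(".include"):].lstrip(" =").strip(), files)
        elif line:
            yield line

def parse_cnf(path, files=FILES):
    """Return {section: {key: value}}; keys before any [section] land in 'default'."""
    cfg, section = {}, "default"
    for line in expand(path, files):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, _, value = line.partition("=")
        cfg.setdefault(section, {})[key.strip()] = value.strip()
    return cfg

def fips_provider_status(cfg):
    """Follow openssl_conf -> providers -> fips and report how the provider is wired."""
    init = cfg.get("default", {}).get("openssl_conf", "")
    providers = cfg.get(cfg.get(init, {}).get("providers", ""), {})
    fips_sect = cfg.get(providers.get("fips", ""), {})
    return {"registered": "fips" in providers,            # `-provider fips` needs no config edit
            "auto_activated": fips_sect.get("activate") == "1",
            "has_module_mac": "module-mac" in fips_sect}   # integrity data written by fipsinstall
```

Running `fips_provider_status(parse_cnf("/etc/ssl/openssl.cnf"))` on the samples reports the provider as registered with MAC data present but not auto-activated, which is the state the packaging above aims for; point `FILES` at real file contents to check an installed system the same way.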