ci: add openssl-3.0-fips builds #5037

Merged (2 commits), Jan 16, 2025
42 changes: 37 additions & 5 deletions codebuild/bin/install_openssl_3_0.sh
Expand Up @@ -17,27 +17,46 @@ set -ex
pushd "$(pwd)"

usage() {
echo "install_openssl_3_0.sh build_dir install_dir os_name"
echo "install_openssl_3_0.sh build_dir install_dir os_name [fips]"
exit 1
}

if [ "$#" -ne "3" ]; then
if [ "$#" -eq "3" ]; then
FIPS=false
elif [ "$#" -eq "4" ] && [ "$4" = "fips" ]; then
FIPS=true
else
usage
fi

BUILD_DIR=$1
INSTALL_DIR=$2
OS_NAME=$3
source codebuild/bin/jobs.sh
RELEASE=3.0.7
config=$(cat codebuild/bin/s2n_fips_openssl.cnf)

# Only some versions of Openssl-3 are FIPS validated.
# The list can be found at https://openssl-library.org/source/
# Maintain separate release versions so that we can change the non-FIPS version
# without worrying about whether or not the new version is FIPS validated.
if $FIPS; then
RELEASE=3.0.9
else
RELEASE=3.0.7
fi

mkdir -p $BUILD_DIR
cd "$BUILD_DIR"
curl --retry 3 -L https://github.com/openssl/openssl/archive/refs/tags/openssl-${RELEASE}.zip --output OpenSSL_${RELEASE}.zip
curl --retry 3 -L --output OpenSSL_${RELEASE}.zip \
https://github.com/openssl/openssl/archive/refs/tags/openssl-${RELEASE}.zip
Comment on lines +50 to +51
I just reordered the arguments here so I could wrap the line :P

unzip OpenSSL_${RELEASE}.zip
cd openssl-openssl-${RELEASE}

CONFIGURE="./Configure "
if $FIPS; then
CONFIGURE="./Configure enable-fips"
else
CONFIGURE="./Configure"
fi

mkdir -p $INSTALL_DIR
# Use g3 to get debug symbols in libcrypto to chase memory leaks
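Review bot: the curl download of openssl-${RELEASE}.zip has no integrity check, which matters more now that this script also produces the FIPS build from the validated 3.0.9 release: a wrong or tampered archive would be configured with enable-fips and installed as the FIPS library without anything failing. Consider recording a known sha256 per RELEASE next to the version selection and verifying the archive before unzip, e.g. `echo "${EXPECTED_SHA256}  OpenSSL_${RELEASE}.zip" | sha256sum -c -`. Minor: `config=$(cat codebuild/bin/s2n_fips_openssl.cnf)` is read even for non-FIPS builds and, like `source codebuild/bin/jobs.sh`, relies on the script being run from the repository root; moving that line under the `if $FIPS` branch keeps the non-FIPS path independent of the FIPS config file.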
Expand All @@ -59,4 +78,17 @@ pushd $INSTALL_DIR
ln -s lib64 lib
popd

# Openssl3 uses the openssl config file to enable fips
# See https://docs.openssl.org/master/man7/fips_module/#making-all-applications-use-the-fips-module-by-default
if $FIPS; then
# We assume that the configs are in the /ssl directory of $INSTALL_DIR
pushd $INSTALL_DIR
Comment on lines +84 to +85
@lrstewart lrstewart Jan 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This pushd is kind of a duplicate. We do pushd above to make the links, and previously I just moved the popd down below this logic. But I suspect that was confusing Sam based on #5037 (comment), which is a sign it probably would have confused future devs too. Might as well make it very clear this code depends on being in the install directory.

config_path=./ssl/openssl.cnf
# We need an absolute path for the fips config
fips_config_path=$(pwd)/ssl/fipsmodule.cnf
config=$(echo "$config" | sed "s,S2N_FIPS_CONFIG_PATH,$fips_config_path,")
echo "$config" > $config_path
popd
fi

exit 0
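Review bot: the FIPS block substitutes `$(pwd)/ssl/fipsmodule.cnf` into the config and overwrites ./ssl/openssl.cnf with it, but never checks that fipsmodule.cnf actually exists at that path, and the comment above the pushd states the location is an assumption. If the file is absent, the generated openssl.cnf points at a missing module config and the problem only surfaces later when the FIPS provider fails to load. Suggest `test -f "$fips_config_path" || { echo "missing $fips_config_path"; exit 1; }` right after `fips_config_path` is assigned, and quoting `$config_path` in the redirect for consistency with the quoted `cd "$BUILD_DIR"` above.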