ci: add openssl-3.0-fips builds #5037

Merged
merged 2 commits into from
Jan 16, 2025
42 changes: 36 additions & 6 deletions codebuild/bin/install_openssl_3_0.sh
Expand Up @@ -17,27 +17,44 @@ set -ex
pushd "$(pwd)"

usage() {
echo "install_openssl_3_0.sh build_dir install_dir os_name"
echo "install_openssl_3_0.sh build_dir install_dir os_name [fips]"
exit 1
}

if [ "$#" -ne "3" ]; then
if [ "$#" -eq "3" ]; then
FIPS=false
elif [ "$#" -eq "4" ] && [ "$4" = "fips" ]; then
FIPS=true
else
usage
fi

BUILD_DIR=$1
INSTALL_DIR=$2
OS_NAME=$3
source codebuild/bin/jobs.sh
RELEASE=3.0.7
prelude=$(cat codebuild/bin/openssl_fips_prelude)

# Only some versions of Openssl-3 are FIPS validated.
# The list can be found at https://openssl-library.org/source/
if $FIPS; then
RELEASE=3.0.9
else
RELEASE=3.0.7
fi

mkdir -p $BUILD_DIR
cd "$BUILD_DIR"
curl --retry 3 -L https://github.com/openssl/openssl/archive/refs/tags/openssl-${RELEASE}.zip --output OpenSSL_${RELEASE}.zip
curl --retry 3 -L --output OpenSSL_${RELEASE}.zip \
https://github.com/openssl/openssl/archive/refs/tags/openssl-${RELEASE}.zip
Comment on lines +50 to +51



I just reordered the arguments here so I could wrap the line :P

unzip OpenSSL_${RELEASE}.zip
cd openssl-openssl-${RELEASE}

CONFIGURE="./Configure "
if $FIPS; then
CONFIGURE="./Configure enable-fips"
else
CONFIGURE="./Configure"
fi

mkdir -p $INSTALL_DIR
# Use g3 to get debug symbols in libcrypto to chase memory leaks
Expand All @@ -53,10 +70,23 @@ make -j $JOBS test
make -j $JOBS install

popd
pushd $INSTALL_DIR

# sym-link lib -> lib64 since codebuild assumes /lib path
pushd $INSTALL_DIR
ln -s lib64 lib

# Openssl3 uses the openssl config file to enable fips
# See https://docs.openssl.org/master/man7/fips_module/#making-all-applications-use-the-fips-module-by-default
if $FIPS; then
config_dir=$(LD_LIBRARY_PATH=lib ./bin/openssl version -d | sed -r "s/OPENSSLDIR: \"(.*?)\"/\1/")
config="$config_dir"/openssl.cnf
fips_config="$config_dir"/fipsmodule.cnf
prelude=$(echo "$prelude" | sed "s,FIPS_CONFIG_PATH,$fips_config,")
old_contents=$(cat $config)
echo "$prelude" > $config
echo "$old_contents" >> $config
fi

popd

exit 0
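Review bot: The FIPS build still fetches the source through `curl --retry 3 -L --output OpenSSL_${RELEASE}.zip https://github.com/openssl/openssl/archive/refs/tags/openssl-${RELEASE}.zip` with no checksum or signature check, so the new `RELEASE=3.0.9` selection pins a version string but not the bytes that end up compiled into the FIPS provider and HMAC'd into fipsmodule.cnf. Pinning the expected digest per release and failing on mismatch, e.g. `echo "${EXPECTED_SHA256}  OpenSSL_${RELEASE}.zip" | sha256sum -c -` right after the download (assuming coreutils is available on the CI image), makes the build tamper-evident and reproducible. The `if $FIPS` block at the end also rewrites the installed openssl.cnf without checking the result; because the prelude sets `config_diagnostics = 1`, a malformed merged file or a wrong `.include` path will only surface later in whichever job first loads libcrypto, so a quick `LD_LIBRARY_PATH=lib ./bin/openssl list -providers | grep -q fips` before the final `popd` would fail this script instead. Note that `sed "s,FIPS_CONFIG_PATH,$fips_config,"` treats `&` and `,` in the install path specially, which is fine for the paths CI passes today but deserves a one-line comment. The second hunk starts mid-script at `make -j $JOBS test`; the configure/make steps above it are outside this view.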
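--- /dev/null
+++ b/codebuild/bin/openssl_fips_prelude
@@ -0,0 +1,22 @@
+# Copied from the docs:
+# https://docs.openssl.org/master/man7/fips_module/#making-all-applications-use-the-fips-module-by-default
+# This prelude is copied and pasted at the top of the openssl.cfg file.
+
+config_diagnostics = 1
+openssl_conf = openssl_init
+
+.include FIPS_CONFIG_PATH
+
+[openssl_init]
+providers = provider_sect
+alg_section = algorithm_sect
+
+[provider_sect]
+fips = fips_sect
+base = base_sect
+
+[base_sect]
+activate = 1
+
+[algorithm_sect]
+default_properties = fips=yes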
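Review bot: The header comment says the prelude is pasted at the top of `openssl.cfg`, but the install script writes it into `openssl.cnf` (the path it derives from `openssl version -d`), so the third line should read `# This prelude is prepended to the installed openssl.cnf by install_openssl_3_0.sh.`. It would also help to document the two things this file depends on but does not define: `fips_sect` comes from the `.include`d fipsmodule.cnf generated at install time, and the literal `FIPS_CONFIG_PATH` is substituted by the script, so a comment such as `# FIPS_CONFIG_PATH is replaced with the absolute path to fipsmodule.cnf at install time; fips_sect is defined there.` above the `.include` line would save the next reader a trip to the script. Because the stock openssl.cnf is appended after this prelude, it is worth stating (or verifying in the script) that nothing in that tail re-activates the default provider; if it did, non-approved algorithms would still be loadable even though `default_properties = fips=yes` steers fetches toward FIPS implementations.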