add openssl fips provider#17341
Closed
tobiasb-ms wants to merge 1 commit into
Extract the FIPS provider module (fips.so) from the openssl package into
a new openssl-fips-provider package, using the upstream fipsinstall
approach for integrity verification instead of embedded HMAC.
== New package: openssl-fips-provider ==
Built from the same openssl source with enable-fips. Ships:
- /usr/lib64/ossl-modules/fips.so
- /etc/pki/tls/fipsmodule.cnf (generated by fipsinstall post-strip)
- /etc/pki/tls/openssl.d/openssl-fips-provider.cnf (drop-in config)
The drop-in registers the fips provider in [provider_sect] and includes
fipsmodule.cnf, making the provider loadable via 'openssl ... -provider
fips' without requiring kernel FIPS mode.
== Changes to openssl ==
- Remove enable-fips from ./Configure (fips.so no longer built here)
- Drop patch 0018 (re-enables fipsinstall subcommand)
- Replace patch 0019 with simplified version: kernel FIPS mode just
activates fips+base providers and sets FIPS properties, relying on
the drop-in for config rather than loading fips_local.cnf directly
- Replace patch 0037 with rebased version (context conflict with 0018
removal in doc/man5/fips_config.pod)
- Remove fips_local.cnf (no longer needed; drop-in provides config)
- Remove %{SOURCE1} hmac-ify call in %check (no fips.so to process)
- Keep Requires: openssl-fips-provider on openssl-libs
All other FIPS patches remain — they modify libcrypto/libssl runtime
behavior for loading and activating an external FIPS provider.
== Patch differences between openssl and openssl-fips-provider ==
Both packages share the same upstream source and nearly all patches.
Differences:
Dropped from both:
- 0018 (FIPS-disable-fipsinstall): re-enable fipsinstall subcommand
Dropped only from openssl-fips-provider:
- 0020 (FIPS-INTEG-CHECK-Embed-hmac-in-fips.so): embedded HMAC
integrity check, replaced by fipsinstall/fipsmodule.cnf approach
- 0022 (FIPS-INTEG-CHECK-Execute-KATS-before-HMAC): KAT reordering
for embedded HMAC verification, irrelevant without 0020
These remain in openssl because the patched files (providers/fips/
self_test.c) exist in the source tree but are not compiled without
enable-fips — they are inert and removing them would add overlay
complexity for no functional benefit.
Rebased in both:
- 0019 (FIPS-Force-fips-provider-on): simplified to just activate
providers in kernel FIPS mode, drop fips_local.cnf loading
- 0037 (FIPS-TLS-Enforce-EMS): rebased fips_config.pod hunk against
full upstream file (old version depended on 0018's gutting)
== Config model ==
- openssl.d drop-in: makes provider loadable (registers fips_sect,
includes MAC data from fipsmodule.cnf)
- Patch 0019: auto-activates fips+base in kernel FIPS mode
- Crypto-policies: NOT included in drop-in (activation via
update-crypto-policies is a separate concern)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
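The config model above, as an added example (not a file from this PR or from the openssl-fips-provider package): a drop-in of the shape the commit describes, plus the upstream `openssl fipsinstall -verify` check that replaces the embedded HMAC. The paths are the ones named in the commit; the exact drop-in contents and the `.include`-of-a-directory assumption in the system `openssl.cnf` are assumptions.

```shell
#!/bin/sh
# Added example, not code from the PR. Paths follow the commit message;
# the drop-in body and the verify wrapper are assumptions about the layout.

# write_fips_dropin OUT [FIPSMODULE_CNF]
# Writes an openssl.d drop-in that pulls in the fipsinstall-generated
# section (module-mac and friends live in fipsmodule.cnf) and registers it
# under [provider_sect], so "openssl ... -provider fips" can resolve the
# provider without kernel FIPS mode. Assumes the system openssl.cnf
# .include's the openssl.d directory and that its providers= points at
# provider_sect, as on Fedora/RHEL.
write_fips_dropin() {
    out=$1
    modcnf=${2:-/etc/pki/tls/fipsmodule.cnf}
    cat > "$out" <<EOF
# openssl-fips-provider drop-in (example layout)
.include $modcnf

[provider_sect]
fips = fips_sect
EOF
}

# verify_fips_module [FIPS_SO] [FIPSMODULE_CNF]
# Re-runs the upstream integrity check: fipsinstall recomputes the MAC over
# fips.so and compares it with the module-mac recorded in fipsmodule.cnf.
# Returns 0 on VERIFY PASSED, 1 on VERIFY FAILED, 2 if a file is missing.
# Because the MAC is computed post-strip, any later change to fips.so
# (a rebuild, a re-strip, tampering) makes this fail until fipsinstall
# is run again with -out to regenerate the config.
verify_fips_module() {
    so=${1:-/usr/lib64/ossl-modules/fips.so}
    cnf=${2:-/etc/pki/tls/fipsmodule.cnf}
    [ -r "$so" ] && [ -r "$cnf" ] || return 2
    openssl fipsinstall -module "$so" -in "$cnf" -verify >/dev/null 2>&1
}
```

On a host with the new package installed, `verify_fips_module` with no arguments exercises the real files; a non-zero result after a package update is the signal that fipsmodule.cnf and fips.so have drifted apart.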
This change adds the FIPS provider for openssl. Modeled after RHEL, it is built in a separate component -- `openssl-fips-provider` -- so we can pin it separately from the main `openssl` component. This is important because once certified, we will almost never want to rev `openssl-fips-provider`. `openssl` then takes a run-time dependency on `openssl-fips-provider`, so it should always have the FIPS provider available.

That said, `openssl-fips-provider` is still based on the same source -- the `openssl` upstream. It builds very similarly to `openssl`, but then instead of deleting the `fips`-related things it deletes everything else.

We diverged significantly from RHEL on how to implement the FIPS provider -- going way, way closer to an unmodified `openssl` version. Our patches are now almost all outside of the FIPS boundary, and we package it the way `openssl` wants it packaged -- with the HMAC in a config file rather than embedded.

I've built and run these locally and everything behaves the same as Fedora. I've also built on the build server.