From bc44b006cd95c9aaa79e19c1f64ddf57de7439e2 Mon Sep 17 00:00:00 2001 From: John McCrae Date: Fri, 17 May 2024 12:42:40 -0700 Subject: [PATCH] Patching openssl.cnf to add fips section when needed Signed-off-by: John McCrae --- config/software/openssl.rb | 31 ++++++++++++++++++++++--------- 1 file changed, 22 insertions(+), 9 deletions(-) diff --git a/config/software/openssl.rb b/config/software/openssl.rb index 0206d9104..1e408e4fc 100644 --- a/config/software/openssl.rb +++ b/config/software/openssl.rb @@ -223,6 +223,8 @@ msys_path = ENV["MSYS2_INSTALL_DIR"] ? "#{ENV["MSYS2_INSTALL_DIR"]}" : "#{ENV["OMNIBUS_TOOLCHAIN_INSTALL_DIR"]}/embedded/bin" msys_path = msys_path.gsub("\\", "/") + + # We have to do some voodoo here - We add fips_cnf_file = "#{install_dir}/embedded/bin/fipsmodule.cnf" fips_module_file = "#{msys_path}/usr/local/lib64/ossl-modules/fips.#{windows? ? "dll" : "so"}" @@ -235,16 +237,14 @@ command "sed -i -e 's|# .include fipsmodule.cnf|.include #{fips_cnf_file}|g' #{msys_path}/usr/local/ssl/openssl.cnf" command "sed -i -e 's|# fips = fips_sect|fips = fips_sect|g' #{msys_path}/usr/local/ssl/openssl.cnf" - command "puts" # Work items: -# 1. fix the path for the fipsmodule.cnf - it's pointing to the msys64 folder and when you load the openssl.cnf file, it's pointing to the wrong directory and no FIPS # 2. Need to clean up all the code so Linux builds work too. # 3. # command "echo '>>> fipsmodule.cnf'; cat #{fips_cnf_file}" - # command "#{windows? ? 'Perl.exe' : ''} ./util/wrap.pl -fips #{msys_path}/usr/local/bin/openssl list -provider-path providers -provider fips -providers" + command "#{windows? ? 'Perl.exe' : ''} ./util/wrap.pl -fips #{msys_path}/usr/local/bin/openssl list -provider-path providers -provider fips -providers" # 5/14/2024 - at this point in the build process, the chef/embedded/bin folder only has zlib.dll in it. # Everything else is in an msys folder @@ -269,18 +269,30 @@ # delete "#{install_dir}/embedded/bin/#{file}" # end - %w{ libcrypto-3-x64.dll libssl-3-x64.dll openssl.exe }.each do |file| - copy "#{msys_path}/usr/local/bin/#{file}", "#{install_dir}/embedded/bin/#{file}" - end + if windows? + %w{ libcrypto-3-x64.dll libssl-3-x64.dll openssl.exe }.each do |file| + copy "#{msys_path}/usr/local/bin/#{file}", "#{install_dir}/embedded/bin/#{file}" + end + + %w{ legacy.dll fips.dll }.each do |file| + copy "#{msys_path}/usr/local/lib64/ossl-modules/#{file}", "#{install_dir}/embedded/bin/#{file}" + end + else + %w{ libcrypto-3-x64.so libssl-3-x64.so openssl }.each do |file| + copy "#{msys_path}/usr/local/bin/#{file}", "#{install_dir}/embedded/bin/#{file}" + end - %w{ legacy.dll fips.dll }.each do |file| - copy "#{msys_path}/usr/local/lib64/ossl-modules/#{file}", "#{install_dir}/embedded/bin/#{file}" + %w{ legacy.so fips.so }.each do |file| + copy "#{msys_path}/usr/local/lib64/ossl-modules/#{file}", "#{install_dir}/embedded/bin/#{file}" + end end %w{ openssl.cnf fipsmodule.cnf }.each do |file| copy "#{msys_path}/usr/local/ssl/#{file}", "#{install_dir}/embedded/bin/#{file}" end + command "#{install_dir}/embedded/bin/openssl fipsinstall -out #{install_dir}/embedded/bin/fipsmodule.cnf -module #{install_dir}/embedded/bin/fips#{windows? ? ".dll", ".so"}" + if (version.satisfies?("< 3.1") || fips_mode?) && project.overrides[:openssl] && ChefUtils::VersionString.new(project.overrides[:openssl][:version]).satisfies?(">= 3.0") @@ -292,9 +304,10 @@ # add OPENSSL_FIPS to the environment _if_ fips is active fips_env=fips_mode? ? env.merge({"OPENSSL_FIPS" => "1"}) : env - command "#{install_dir}/embedded/bin/gem install openssl-#{openssl_gem_version}.gem --no-document -- --with-openssl-dir=#{install_dir}/embedded", env: fips_env + command "#{install_dir}/embedded/bin/gem install openssl-#{openssl_gem_version}.gem --no-document -- --with-openssl-dir=#{install_dir}/embedded/bin", env: fips_env command "#{install_dir}/embedded/bin/gem info openssl" + command "#{install_dir}/embedded/bin/openssl list -provider-path providers -provider fips -providers" end # # # Needed now that we switched to msys2 and have not figured out how to tell