Verifying Openssl configuration

config/patches/openssl/openssl-3.0.0-add-fips-sect-to-openssl.cnf.patch

@@ -0,0 +1,14 @@
+--- "a/openssl.cnf"
++++ "b/openssl.cnf"
+@@ -75,6 +75,11 @@ activate = 1
+ [legacy_sect]
+ activate = 1
+
++[fips_sect]
++activate = 1
++conditional-errors = 1
++security-checks = 1
++
+ ####################################################################
+ [ ca ]
+ default_ca = CA_default # The default ca section

config/patches/openssl/openssl-3.0.0-enable-legacy-provider.patch

@@ -22,27 +22,3 @@ index ac858d6..d1cb967 100644
 
  ####################################################################
  [ ca ]
-diff --git a/apps/openssl.cnf b/apps/openssl.cnf
-index 12bc408..35a4282 100644
---- a/apps/openssl.cnf
-+++ b/apps/openssl.cnf
-@@ -56,6 +56,7 @@ providers = provider_sect
- # List of providers to load
- [provider_sect]
- default = default_sect
-+legacy = legacy_sect
- # The fips section name should match the section name inside the
- # included fipsmodule.cnf.
- # fips = fips_sect
-@@ -69,8 +70,10 @@ default = default_sect
- # OpenSSL may not work correctly which could lead to significant system
- # problems including inability to remotely access the system.
- [default_sect]
--# activate = 1
-+activate = 1
-
-+[legacy_sect]
-+activate = 1
-
- ####################################################################
- [ ca ]

config/patches/openssl/openssl-3.0.1-do-not-install-docs.patch

@@ -8,15 +8,4 @@
 +install: install_sw install_ssldirs {- $disabled{fips} ? "" : "install_fips" -}
 
  uninstall: uninstall_docs uninstall_sw {- $disabled{fips} ? "" : "uninstall_fips" -}
-
---- openssl-3.0.1/Configurations/windows-makefile.tmpl.orig 2022-03-04 04:46:02.850951693 +0000
-+++ openssl-3.0.1/Configurations/windows-makefile.tmpl 2022-03-04 04:46:13.353494915 +0000
-@@ -453,7 +453,7 @@
- @$(ECHO) "Tests are not supported with your chosen Configure options"
- @{- output_on() if !$disabled{tests}; "\@rem" -}
-
--install: install_sw install_ssldirs install_docs {- $disabled{fips} ? "" : "install_fips" -}
-+install: install_sw install_ssldirs {- $disabled{fips} ? "" : "install_fips" -}
-
- uninstall: uninstall_docs uninstall_sw {- $disabled{fips} ? "" : "uninstall_fips" -}
 

config/software/chef.rb

@@ -65,6 +65,7 @@
  bundle_excludes = excluded_groups + %w{development test}
 
  bundle "install --without #{bundle_excludes.join(" ")}", env: env
+ # bundle "config set --local without #{bundle_excludes.join(" ")}", env: env
 
  ruby "post-bundle-install.rb", env: env
 

config/software/openssl-customization.rb

@@ -61,30 +61,30 @@ def get_sanitized_rbconfig(config)
  File.join(embedded_ruby_lib_dir, "openssl.rb")
  end
 
- if windows?
- embedded_ruby_site_dir = get_sanitized_rbconfig("sitelibdir")
- source_ssl_env_hack = File.join(project_dir, "windows", "ssl_env_hack.rb")
- destination_ssl_env_hack = File.join(embedded_ruby_site_dir, "ssl_env_hack.rb")
+ # if windows?
+ #  embedded_ruby_site_dir = get_sanitized_rbconfig("sitelibdir")
+ #  source_ssl_env_hack = File.join(project_dir, "windows", "ssl_env_hack.rb")
+ #  destination_ssl_env_hack = File.join(embedded_ruby_site_dir, "ssl_env_hack.rb")
 
- create_directory(embedded_ruby_site_dir)
+ #  create_directory(embedded_ruby_site_dir)
 
- copy(source_ssl_env_hack, destination_ssl_env_hack)
+ #  copy(source_ssl_env_hack, destination_ssl_env_hack)
 
- # Unfortunately there is no patch on windows, but luckily we only need to append a line to the openssl.rb
- # to pick up our script which find the CA bundle in omnibus installations and points SSL_CERT_FILE to it
- # if it's not already set
- File.open(source_openssl_rb, "r+") do |f|
- unpatched_openssl_rb = f.read
- f.rewind
- f.write("\nrequire 'ssl_env_hack'\n")
- f.write(unpatched_openssl_rb)
- end
- else
- File.open(source_openssl_rb, "r+") do |f|
- unpatched_openssl_rb = f.read
- f.rewind
- f.write(unpatched_openssl_rb)
- end
- end
+ #  # Unfortunately there is no patch on windows, but luckily we only need to append a line to the openssl.rb
+ #  # to pick up our script which find the CA bundle in omnibus installations and points SSL_CERT_FILE to it
+ #  # if it's not already set
+ #  File.open(source_openssl_rb, "r+") do |f|
+ #  unpatched_openssl_rb = f.read
+ #  f.rewind
+ #  f.write("\nrequire 'ssl_env_hack'\n")
+ #  f.write(unpatched_openssl_rb)
+ #  end
+ # else
+ #  File.open(source_openssl_rb, "r+") do |f|
+ #  unpatched_openssl_rb = f.read
+ #  f.rewind
+ #  f.write(unpatched_openssl_rb)
+ #  end
+ # end
  end
 end

config/software/openssl-fips.rb

@@ -50,16 +50,7 @@
 
  if windows?
  default_env = with_standard_compiler_flags(with_embedded_path)
-
- if windows_arch_i386?
- # Patch Makefile.org to update the compiler flags/options table for mingw.
- patch source: "openssl-fips-fix-compiler-flags-table-for-msys.patch", env: default_env
-
- platform = "mingw"
- else
- platform = "mingw64"
- end
-
+ platform = "mingw64"
  configure_command = ["perl.exe ./Configure #{platform}"]
  configure_command << "--prefix=#{install_dir}/embedded"
  elsif ppc64? && rhel?