
Make OpenSSL build FIPS capable
kopatsy committed Sep 23, 2024
1 parent 18bbe80 commit 90c2d4e
Showing 3 changed files with 32 additions and 4 deletions.
11 changes: 10 additions & 1 deletion cpython-unix/build-cpython.sh
Expand Up @@ -38,7 +38,9 @@ sed ${sed_args} "s|/tools/host|${TOOLS_PATH}/host|g" ${TOOLS_PATH}/host/share/au
# We force linking of external static libraries by removing the shared
# libraries. This is hacky. But we're building in a temporary container
# and it gets the job done.
find ${TOOLS_PATH}/deps -name '*.so*' -exec rm {} \;
# `fips.so` is an exception as it needs to be available to enable FIPS via
# openssl configuration.
find ${TOOLS_PATH}/deps -name '*.so*' ! -name 'fips.so' -exec rm {} \;

tar -xf Python-${PYTHON_VERSION}.tar.xz

Expand Down Expand Up @@ -925,6 +927,13 @@ if [ -d "${TOOLS_PATH}/deps/usr/share/terminfo" ]; then
cp -av ${TOOLS_PATH}/deps/usr/share/terminfo ${ROOT}/out/python/install/share/
fi

# Copy files required to enable FIPS if enabled.
if [ -f ${TOOLS_PATH}/deps/fipsmodule.cnf ]; then
cp -rv ${TOOLS_PATH}/deps/lib/ossl-modules ${ROOT}/out/python/install/lib
mkdir -p ${ROOT}/out/python/install/share/ssl
cp -av ${TOOLS_PATH}/deps/fipsmodule.cnf ${ROOT}/out/python/install/share/ssl/fipsmodule.cnf
fi

# config.c defines _PyImport_Inittab and extern references to modules, which
# downstream consumers may want to strip. We bundle config.c and config.c.in so
# a custom one can be produced downstream.
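Review bot: The `fipsmodule.cnf` copied by the `cp -av` in the last hunk carries the `module-mac` HMAC that OpenSSL computed over the exact bytes of `fips.so` when `install_fips` ran, so the provider will fail its integrity self-test at load if any later packaging step strips, re-links or code-signs the object under `lib/ossl-modules`; this page does not show whether the distribution does that, so it is worth confirming, or re-running `openssl fipsinstall` as a final step. The file is also not auto-discovered: the compiled-in openssldir is `/etc/ssl` (set in build-openssl-3.0.sh), so a consumer must `.include` the shipped `share/ssl/fipsmodule.cnf` by absolute path from their own `openssl.cnf` and point `OPENSSL_MODULES` at `lib/ossl-modules` if the configure-time prefix does not match the installed layout. I would state both constraints above the `if`: `# fipsmodule.cnf embeds an HMAC of fips.so; ship both unmodified from the same build, and note neither is auto-discovered (see openssl.cnf .include / OPENSSL_MODULES).`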
17 changes: 14 additions & 3 deletions cpython-unix/build-openssl-3.0.sh
Expand Up @@ -16,18 +16,24 @@ pushd openssl-${OPENSSL_3_0_VERSION}
# Otherwise it gets set to /tools/deps/ssl by default.
case "${TARGET_TRIPLE}" in
*apple*)
EXTRA_FLAGS="--openssldir=/private/etc/ssl"
OPENSSL_DIR=/private/etc/ssl
;;
*)
EXTRA_FLAGS="--openssldir=/etc/ssl"
OPENSSL_DIR=/etc/ssl
;;
esac
EXTRA_FLAGS="--openssldir=${OPENSSL_DIR}"
EXTRA_INSTALL_FLAGS=""

# musl is missing support for various primitives.
# TODO disable secure memory is a bit scary. We should look into a proper
# workaround.
if [ "${CC}" = "musl-clang" ]; then
EXTRA_FLAGS="${EXTRA_FLAGS} no-async -DOPENSSL_NO_ASYNC -D__STDC_NO_ATOMICS__=1 no-engine -DOPENSSL_NO_SECURE_MEMORY"
else
# fips.so linking fails with musl.
EXTRA_INSTALL_FLAGS="install_fips"
EXTRA_FLAGS="${EXTRA_FLAGS} enable-fips"
fi

# The -arch cflags confuse Configure. And OpenSSL adds them anyway.
Expand All @@ -47,4 +53,9 @@ EXTRA_FLAGS="${EXTRA_FLAGS} ${EXTRA_TARGET_CFLAGS}"
${EXTRA_FLAGS}

make -j ${NUM_CPUS}
make -j ${NUM_CPUS} install_sw install_ssldirs DESTDIR=${ROOT}/out
make -j ${NUM_CPUS} install_sw install_ssldirs ${EXTRA_INSTALL_FLAGS} DESTDIR=${ROOT}/out

if [ -f ${ROOT}/out${OPENSSL_DIR}/fipsmodule.cnf ]; then
# install_fips does not use DESTDIR. we need to copy it so it gets added to the archive.
cp ${ROOT}/out${OPENSSL_DIR}/fipsmodule.cnf ${ROOT}/out/tools/deps/fipsmodule.cnf
fi
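Review bot: When `install_fips` was requested but `${ROOT}/out${OPENSSL_DIR}/fipsmodule.cnf` is absent, the trailing `if [ -f ... ]` silently yields a non-FIPS-capable build with no indication; since the branch above already records the intent in `EXTRA_INSTALL_FLAGS`, I would fail instead: `if [ -n "${EXTRA_INSTALL_FLAGS}" ] && [ ! -f "${ROOT}/out${OPENSSL_DIR}/fipsmodule.cnf" ]; then echo "install_fips produced no fipsmodule.cnf" >&2; exit 1; fi`. The comment `install_fips does not use DESTDIR` is also misleading given that the path right below it starts with `${ROOT}/out`, i.e. DESTDIR appears to be honored; the actual reason for the copy looks to be that the file lands in OPENSSLDIR (`/etc/ssl`) rather than under the prefix that ends up in `tools/deps`. I would reword it to `# install_fips writes fipsmodule.cnf to OPENSSLDIR, not the prefix, so it lands outside tools/deps and would be left out of the archive.` The generated file embeds an HMAC of the installed `fips.so`, so it must stay paired with that exact binary downstream.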
8 changes: 8 additions & 0 deletions src/validation.rs
Expand Up @@ -1730,6 +1730,14 @@ fn validate_distribution(
let mut entry = entry.map_err(|e| anyhow!("failed to iterate over archive: {}", e))?;
let path = entry.path()?.to_path_buf();

// FIPS module is loaded dynamically by OpenSSL statically linked in libpython3.
// It is expected to depend on ssl/crypto symbols.
if let Some(file_name) = path.file_name() {
if file_name == "fips.dylib" || file_name == "fips.so" {
continue
}
}

seen_paths.insert(path.clone());

if let Some(link_name) = entry.link_name()? {
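Review bot: Matching only on the basename in `if file_name == "fips.dylib" || file_name == "fips.so"` exempts any archive entry with that name, wherever it sits, from the rest of the validation, not just the OpenSSL provider the comment describes; I would match on the expected location instead: `if path.ends_with("lib/ossl-modules/fips.so") || path.ends_with("lib/ossl-modules/fips.dylib") {`. `Path::ends_with` compares whole components, so the `python/install` prefix is still tolerated while a stray `fips.so` elsewhere gets the normal checks. The `continue` also bypasses `seen_paths.insert` and the link-name check that follow, so the module is never recorded as seen; if later logic consults `seen_paths`, relaxing only the undefined-symbol check for this entry would be narrower than skipping it entirely, though I cannot confirm that from here since `validate_distribution` begins before and continues after this hunk.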
