openssl: add fips support

author Yi Zhao <yi.zhao@windriver.com>

Fri, 9 May 2025 14:55:00 +0000 (22:55 +0800)

committer Richard Purdie <richard.purdie@linuxfoundation.org>

Thu, 15 May 2025 09:10:40 +0000 (10:10 +0100)
author Yi Zhao <yi.zhao@windriver.com>
Fri, 9 May 2025 14:55:00 +0000 (22:55 +0800)
committer Richard Purdie <richard.purdie@linuxfoundation.org>
Thu, 15 May 2025 09:10:40 +0000 (10:10 +0100)
diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.0.bb b/meta/recipes-connectivity/openssl/openssl_3.5.0.bb

index 865e04deb220c1f4485ad205170c344e607e5020..fddc4dbc813cd06333d72c38852db14ef39d25c1 100644 (file)
--- a/meta/recipes-connectivity/openssl/openssl_3.5.0.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.5.0.bb
@@ -31,6 +31,7 @@ PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,crypt
  PACKAGECONFIG[no-tls1] = "no-tls1"
  PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
  PACKAGECONFIG[manpages] = ""
+PACKAGECONFIG[fips] = "enable-fips"
  
  B = "${WORKDIR}/build"
  do_configure[cleandirs] = "${B}"
@@ -154,7 +155,9 @@ do_compile:append () {
  }
  
  do_install () {
-       oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw install_ssldirs ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '', d)}
+       oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw install_ssldirs \
+           ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '', d)} \
+           ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'install_fips', '', d)}
  
         oe_multilib_header openssl/opensslconf.h
         oe_multilib_header openssl/configuration.h
@@ -172,6 +175,11 @@ do_install () {
         ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-3/certs
         ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-3/private
         ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-3/openssl.cnf
+
+       # Generate fipsmodule.cnf in pkg_postinst_ontarget
+       if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then
+               rm -f ${D}${libdir}/ssl-3/fipsmodule.cnf
+       fi
  }
  
  do_install:append:class-native () {
@@ -229,12 +237,18 @@ do_install_ptest() {
         ln -s ${libdir}/ossl-modules/ ${D}${PTEST_PATH}/providers
  }
  
+pkg_postinst_ontarget:${PN}-ossl-module-fips () {
+       if test -f ${libdir}/ossl-modules/fips.so; then
+               ${bindir}/openssl fipsinstall -out ${libdir}/ssl-3/fipsmodule.cnf -module ${libdir}/ossl-modules/fips.so
+       fi
+}
+
  # Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
  # package RRECOMMENDS on this package. This will enable the configuration
  # file to be installed for both the openssl-bin package and the libcrypto
  # package since the openssl-bin package depends on the libcrypto package.
  
-PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy"
+PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy ${PN}-ossl-module-fips"
  
  FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}"
  FILES:libssl = "${libdir}/libssl${SOLIBS}"
@@ -246,6 +260,7 @@ FILES:${PN}-engines = "${libdir}/engines-3"
  FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-3"
  FILES:${PN}-misc = "${libdir}/ssl-3/misc ${bindir}/c_rehash"
  FILES:${PN}-ossl-module-legacy = "${libdir}/ossl-modules/legacy.so"
+FILES:${PN}-ossl-module-fips = "${libdir}/ossl-modules/fips.so"
  FILES:${PN} =+ "${libdir}/ssl-3/* ${libdir}/ossl-modules/"
  FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
author	Yi Zhao <yi.zhao@windriver.com>
	Fri, 9 May 2025 14:55:00 +0000 (22:55 +0800)
committer	Richard Purdie <richard.purdie@linuxfoundation.org>
	Thu, 15 May 2025 09:10:40 +0000 (10:10 +0100)