From: Yi Zhao Date: Fri, 9 May 2025 14:55:00 +0000 (+0800) Subject: openssl: add fips support X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=29979937e2d40885e7e91bb9a7e7dca6763e3d52;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git openssl: add fips support * Add PACKAGECONFIG[fips] to enable fips build. * Split a new package openssl-ossl-module-fips for fips.so. * Add pkg_postinst_ontarget for openssl-ossl-module-fips to ensure the config file fipsmodule.cnf is created on target. This is because we should not use the same fipsmodule.cnf on different machines. The 'openssl fipsinstall' commandline in pkg_postinst_ontarget will do the following things: 1. Run the FIPS module self tests on target. 2. Generate config file fipsmodule.conf containing information about the FIPS module such as the calculated MAC of the module. Signed-off-by: Yi Zhao Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie --- diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.0.bb b/meta/recipes-connectivity/openssl/openssl_3.5.0.bb index 865e04deb2..fddc4dbc81 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.5.0.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.5.0.bb @@ -31,6 +31,7 @@ PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,crypt PACKAGECONFIG[no-tls1] = "no-tls1" PACKAGECONFIG[no-tls1_1] = "no-tls1_1" PACKAGECONFIG[manpages] = "" +PACKAGECONFIG[fips] = "enable-fips" B = "${WORKDIR}/build" do_configure[cleandirs] = "${B}" @@ -154,7 +155,9 @@ do_compile:append () { } do_install () { - oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw install_ssldirs ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '', d)} + oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw install_ssldirs \ + ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'install_fips', '', d)} oe_multilib_header openssl/opensslconf.h oe_multilib_header openssl/configuration.h @@ -172,6 +175,11 @@ do_install () { ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-3/certs ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-3/private ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-3/openssl.cnf + + # Generate fipsmodule.cnf in pkg_postinst_ontarget + if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then + rm -f ${D}${libdir}/ssl-3/fipsmodule.cnf + fi } do_install:append:class-native () { @@ -229,12 +237,18 @@ do_install_ptest() { ln -s ${libdir}/ossl-modules/ ${D}${PTEST_PATH}/providers } +pkg_postinst_ontarget:${PN}-ossl-module-fips () { + if test -f ${libdir}/ossl-modules/fips.so; then + ${bindir}/openssl fipsinstall -out ${libdir}/ssl-3/fipsmodule.cnf -module ${libdir}/ossl-modules/fips.so + fi +} + # Add the openssl.cnf file to the openssl-conf package. Make the libcrypto # package RRECOMMENDS on this package. This will enable the configuration # file to be installed for both the openssl-bin package and the libcrypto # package since the openssl-bin package depends on the libcrypto package. -PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy" +PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy ${PN}-ossl-module-fips" FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}" FILES:libssl = "${libdir}/libssl${SOLIBS}" @@ -246,6 +260,7 @@ FILES:${PN}-engines = "${libdir}/engines-3" FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-3" FILES:${PN}-misc = "${libdir}/ssl-3/misc ${bindir}/c_rehash" FILES:${PN}-ossl-module-legacy = "${libdir}/ossl-modules/legacy.so" +FILES:${PN}-ossl-module-fips = "${libdir}/ossl-modules/fips.so" FILES:${PN} =+ "${libdir}/ssl-3/* ${libdir}/ossl-modules/" FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"