Created
July 26, 2024 18:59
-
-
Save pjones/41be0e2c11920bb6324fe1acab2e4677 to your computer and use it in GitHub Desktop.
Build OpenSSL with FIPS support.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { openssl | |
| }: | |
| openssl.overrideAttrs (orig: { | |
| # Compile the FIPS module: | |
| configureFlags = orig.configureFlags ++ [ | |
| "enable-ec_nistp_64_gcc_128" | |
| "enable-fips" | |
| ]; | |
| # Also install the FIPS module: | |
| installTargets = "install install_fips"; | |
| # Enable FIPS in the configuration files: | |
| postInstall = (orig.postInstall or "") + '' | |
| # Modify the original OpenSSL configuration: | |
| sed -E \ | |
| -e "s|^# \.include fipsmodule\.cnf|.include $etc/etc/ssl/fipsmodule.cnf|" \ | |
| -e "s|^# fips =|fips =|" \ | |
| -e "/^fips =/a base = base_sec\n[base_sec]\nactivate = 1\n" \ | |
| < ${openssl.out}/etc/ssl/openssl.cnf > $etc/etc/ssl/openssl.cnf | |
| ''; | |
| # Generate and patch the fipsmodule.cnf file. It is done here | |
| # because the MAC need to be computed *after* stripping the .so | |
| # file. Also need to use the original openssl binary because the | |
| # postInstall step above broke this one until postFixup runs. | |
| postFixup = (orig.postFixup or "") + '' | |
| # Replace FIPS configuration file with one specific to the module | |
| # we just built: | |
| ${openssl.bin}/bin/openssl fipsinstall \ | |
| -out $etc/etc/ssl/fipsmodule.cnf \ | |
| -module $out/lib/ossl-modules/fips.so | |
| # Then make it look more like Arch Linux: | |
| sed -i -E \ | |
| -e '/^install-(mac|status)/d' \ | |
| -e '/^security-checks/a tls1-prf-ems-check = 0\ndrbg-no-trunc-md = 0' \ | |
| $etc/etc/ssl/fipsmodule.cnf | |
| ''; | |
| }) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment