libcrypto: conditionally build the fips and legacy providers
Needs Review (Public)

Authored by ngie on Apr 21 2024, 5:48 PM.
Tags: None
This revision needs review, but there are no reviewers specified.

Details

Reviewers: None
Summary

This change adds the WITH{_OUT}_OPENSSL_{FIPS,LEGACY}_PROVIDER build
knobs to control whether or not the fips and legacy providers should be
built and installed with the FreeBSD version of OpenSSL.

The fips provider distributed with the FreeBSD base version of OpenSSL
isn't guaranteed to be FIPS 140-* validated, so give consumers of
FreeBSD's base system version of OpenSSL the option of not
building/installing an unvalidated FIPS provider. The legacy provider, on
the other hand, does provide some value, except in scenarios where
consumers of FreeBSD want to burn all legacy-provider-provided
algorithms for "security reasons" by not supporting deprecated
algorithms.

Diff Detail

Repository: rG FreeBSD src repository
Lint: Lint Skipped
Unit: Tests Skipped
Build Status: Buildable 57261
Build 54149: arc lint + arc unit

Event Timeline

ngie requested review of this revision. Apr 21 2024, 5:48 PM

The only FIPS-validated modules are 3.0.0, 3.0.8, and 3.0.9.
Building a different FIPS module will not result in a valid FIPS configuration.
The base should also include a valid FIPS provider to produce a valid FIPS configuration.
To clarify this, you can build OpenSSL 3.2 and use the OpenSSL 3.0.9 FIPS provider.
Instructions on how to do this can be found here: Installing the FIPS provider and using it with the latest release.
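As an added example that is not part of this revision or of the FreeBSD or OpenSSL sources, the script below shows the check a consumer of the base OpenSSL would want after both the summary and the comment above: it parses the output of `openssl list -providers` to report whether a fips provider is loaded at all and, if so, whether its version is one of the three the comment lists as validated, and it shows how to probe for the legacy provider that the WITH_OPENSSL_LEGACY_PROVIDER knob controls. The sample listings are constructed inline, the validated-version list is copied from the comment as a snapshot, and the function names are illustrative; the live checks are not run by the script.

```shell
#!/bin/sh
# Added example, not part of the change under review or of FreeBSD/OpenSSL:
# inspect which OpenSSL providers a system exposes and whether a loaded
# "fips" provider is one of the validated module versions the reviewer lists.

# Constructed sample (not captured from a real host) in the layout that
# `openssl list -providers` prints: a 3.2 default provider paired with the
# 3.0.9 FIPS provider, the combination the reviewer describes.
SAMPLE_PROVIDERS='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.2.1
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active'

# Same layout, but with a fips provider built from the 3.2 tree, which is
# exactly the unvalidated configuration the reviewer warns about.
SAMPLE_UNVALIDATED='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.2.1
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.2.1
    status: active'

# Read a provider listing on stdin and print "<id> <version>" per provider.
# Provider ids are indented by two spaces, their attributes by four.
parse_providers() {
    awk '/^  [a-z]/ { id = $1 }
         /^    version:/ { print id, $2 }'
}

# Print the version of provider $1 from the listing on stdin; print nothing
# if that provider is not loaded.
provider_version() {
    parse_providers | awk -v want="$1" '$1 == want { print $2 }'
}

# The validated FIPS module versions named in the review comment above.
# Treat this as a snapshot: check the current CMVP certificate list before
# relying on it.
is_validated_fips_version() {
    case "$1" in
        3.0.0|3.0.8|3.0.9) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify the listing on stdin: 0 = validated fips provider loaded,
# 1 = a fips provider is loaded but its version is not validated,
# 2 = no fips provider loaded at all.
fips_status() {
    v=$(provider_version fips)
    [ -n "$v" ] || return 2
    is_validated_fips_version "$v" || return 1
    return 0
}

# Live check on a real system (not run here). Loading fips explicitly assumes
# `openssl fipsinstall` has already produced the fipsmodule.cnf that the
# system openssl.cnf includes.
live_fips_status() {
    openssl list -providers -provider fips -provider base | fips_status
}

# Live probe for the legacy provider (not run here); prints nothing when the
# provider was not built or installed:
#   openssl list -providers -provider legacy -provider default | provider_version legacy
```

Because `fips_status` distinguishes "not loaded" from "loaded but unvalidated", a deployment script can fail closed on exit status 1, which is the case the summary's WITHOUT_OPENSSL_FIPS_PROVIDER knob exists to avoid shipping silently.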