OpenSSL packages for the Testing Environment¶
The testing environment uses FIPS-enabled OpenSSL packages based on the original Debian packages. These packages are automatically installed in the root image when the environment is built.
The following steps may be used to rebuild the packages. This how-to uses Ubuntu 14.04, but it's similar on Debian or other Ubuntu releases.
Note: This how-to does not exactly follow the instructions provided by the OpenSSL project. For FIPS compliance these have to be followed to the letter, but we ignore that for our test environment.
sbuild¶
The packages are built using sbuild in chroot environments managed with schroot. This build environment can be installed as follows.
sudo apt-get install sbuild debian-archive-keyring sudo sbuild-createchroot <release> /path/to/chroot http://httpredir.debian.org/debian --keyring=/usr/share/keyrings/debian-archive-keyring.gpg
<release> is e.g. jessie. On Ubuntu 14.04 the line profile=sbuild has to get removed from the file /etc/schroot/chroot.d/<release>-amd64-sbuild-XXXX, otherwise entering the chroot won't work correctly.
The following command provides a list of all schroot environments:
sudo schroot -l
A schroot environment may be entered with:
sudo schroot -c <release>-amd64-sbuild
To self-sign the binary packages a key pair has to be generated with:
sudo sbuild-update --keygen
OpenSSL FIPS canister¶
Before the package can be built the FIPS canister has to be built and installed in the schroot environment created above.
mkdir -p ~/openssl-fips/canister cd ~/openssl-fips/canister wget http://www.openssl.org/source/openssl-fips-x.x.x.tar.gz tar xf openssl-fips-x.x.x.tar.gz cd openssl-fips-x.x.x/ sudo schroot -c <release>-amd64-sbuild
Then in the schroot:
# ./config # make install # logout
FIPS-enabled OpenSSL¶
The sources for the current packages can easily be obtained using the corresponding .dsc file from Debian's package tracker.
mkdir -p ~/openssl-fips/openssl cd ~/openssl-fips/openssl dget -u http://http.debian.net/debian/pool/main/o/openssl/openssl_xxx.dsc cd openssl-xxx/
To build the packages with FIPS support the debian/rules file has to be modified:
- Add fips and no-speed to
CONFARGS. no-speed is required because thespeedutility somehow does not link to the FIPS-enabled library and then does not find some symbols during the package build. Unfortunately, thespeed.csource file is not actually able to follow theOPENSSL_NO_SPEEDoption, so a patch is required. In order to build a proper source package this has to be done with quilt (see below). - Remove all
make testcalls as these test stuff that is disabled in FIPS mode.
To patch the speed utility quilt is required:
sudo apt-get install quilt export QUILT_PATCHES=debian/patches export QUILT_REFRESH_ARGS="-p ab --no-timestamps --no-index" quilt new speed-opensslconf.patch quilt add apps/speed.c
Add the following in apps/speed.c right before the #ifndef OPENSSL_NO_SPEED line. So it looks like this:
#include <openssl/opensslconf.h> #ifndef OPENSSL_NO_SPEED
Update the patch:
quilt refresh
To update the changelog use the following (the values are examples, i.e. what we currently use):
export DEBFULLNAME="strongSwan Testing" export DEBEMAIL=debian@strongswan.org dch --local strongswan --distribution <release>
The version number doesn't really matter as the local repository is pinned in the testing environment so even if there is a newer version in the main repository our version should get installed. But it could still get set to a value that is always higher than minor revisions of the packages (e.g. instead of 1.0.1e-2+deb7u17 use 1.0.1e-strongswan1~2+deb7u17).
Now a new source package may be built:
debuild --no-lintian -S -sa -us -uc -I -i cd ..
Based on that the binary packages can be built using sbuild:
sudo sbuild -d <release> openssl_xxx-strongswan1-xxx.dsc
APT Repository¶
Our custom repository is currently managed with reprepro. To add the new binary packages something like the following may be used:
reprepro -b /path/to/debian/repo includedeb <release> <debfile>