OpenSSL packages for the Testing Environment
Because OpenSSL's FIPS module is only compatible with OpenSSL 1.0.2, this setup is currently not used anymore.
The testing environment uses FIPS-enabled OpenSSL packages based on the original Debian packages. These packages are automatically installed in the root image when the environment is built.
The following steps may be used to rebuild the packages. This how-to uses Ubuntu 14.04, but it's similar on Debian or other Ubuntu releases.
Note: This how-to does not exactly follow the instructions provided by the OpenSSL project. For FIPS compliance these have to be followed to the letter, but we ignore that for our test environment.
sbuild
The packages are built using sbuild in chroot environments managed with schroot. This build environment can be installed as follows.
sudo apt-get install sbuild debian-archive-keyring
sudo sbuild-createchroot <release> /path/to/chroot http://httpredir.debian.org/debian --keyring=/usr/share/keyrings/debian-archive-keyring.gpg
<release> is e.g. jessie. On Ubuntu 14.04 the line profile=sbuild has to be removed from the file /etc/schroot/chroot.d/<release>-amd64-sbuild-XXXX, otherwise entering the chroot won't work correctly.
The following command provides a list of all schroot environments:
sudo schroot -l
A schroot environment may be entered with:
sudo schroot -c <release>-amd64-sbuild
Only required with versions of sbuild < 0.67.0
To self-sign the binary packages a key pair has to be generated with:
sudo sbuild-update --keygen
OpenSSL FIPS canister
Before the package can be built the sources for the FIPS canister have to be prepared:
mkdir -p ~/openssl-fips/canister
cd ~/openssl-fips/canister
wget https://www.openssl.org/source/openssl-fips-x.x.x.tar.gz
tar xf openssl-fips-x.x.x.tar.gz
cd openssl-fips-x.x.x/
and built and installed in the schroot environment created above (note that in newer versions the source: prefix is required to make persistent changes):
sudo schroot -c source:<release>-amd64-sbuild
Then in the schroot:
# ./config
# make install
# logout
FIPS-enabled OpenSSL
Note: The current FIPS module (2.0) is not compatible with OpenSSL 1.1.0 and newer.
The sources for the current packages can easily be obtained using the corresponding .dsc file from Debian's package tracker.
mkdir -p ~/openssl-fips/openssl
cd ~/openssl-fips/openssl
dget -u http://http.debian.net/debian/pool/main/o/openssl/openssl_xxx.dsc
cd openssl-xxx/
To build the packages with FIPS support the debian/rules file has to be modified:
- Add fips and no-speed to CONFARGS. no-speed is required because the speed utility somehow does not link to the FIPS-enabled library and then does not find some symbols during the package build. Unfortunately, the speed.c source file does not actually honor the OPENSSL_NO_SPEED option, so a patch is required. In order to build a proper source package this has to be done with quilt (see below).
- Remove all make test calls (or build* test in newer releases) as these exercise functionality that is disabled in FIPS mode. It might also be possible to add nocheck to DEB_BUILD_OPTIONS instead.
To patch the speed utility quilt is required:
sudo apt-get install quilt
export QUILT_PATCHES=debian/patches
export QUILT_REFRESH_ARGS="-p ab --no-timestamps --no-index"
quilt new speed-opensslconf.patch
quilt add apps/speed.c
Add the following in apps/speed.c right before the #ifndef OPENSSL_NO_SPEED line, so it looks like this:
#include <openssl/opensslconf.h>
#ifndef OPENSSL_NO_SPEED
Update the patch:
quilt refresh
To update the changelog use the following (the values are examples, i.e. what we currently use):
export DEBFULLNAME="strongSwan Testing"
export DEBEMAIL=debian@strongswan.org
dch --local strongswan --distribution <release>
The version number doesn't really matter as the local repository is pinned in the testing environment, so even if there is a newer version in the main repository our version should get installed. But it could still be set to a value that is always higher than minor revisions of the Debian packages (e.g. instead of 1.0.1e-2+deb7u17 use 1.0.1e-strongswan1~2+deb7u17).
Now a new source package may be built:
debuild --no-lintian -S -sa -us -uc -I -i
cd ..
Based on that the binary packages can be built using sbuild:
sudo sbuild -d <release> openssl_xxx-strongswan1-xxx.dsc
APT Repository
Our custom repository is currently managed with reprepro. To add the new binary packages something like the following may be used:
reprepro -b /path/to/debian/repo includedeb <release> <debfile>