OpenSSL packages for the Testing Environment¶
Because OpenSSL's FIPS module is only compatible with OpenSSL 1.0.2 this is currently not used anymore.
The testing environment uses FIPS-enabled OpenSSL packages based on the original Debian packages. These packages are automatically installed in the root image when the environment is built.
The following steps may be used to rebuild the packages. This how-to uses Ubuntu 14.04, but it's similar on Debian or other Ubuntu releases.
Note: This how-to does not exactly follow the instructions provided by the OpenSSL project. For FIPS compliance these have to be followed to the letter, but we ignore that for our test environment.
sudo apt-get install sbuild debian-archive-keyring sudo sbuild-createchroot <release> /path/to/chroot http://httpredir.debian.org/debian --keyring=/usr/share/keyrings/debian-archive-keyring.gpg
<release> is e.g. jessie. On Ubuntu 14.04 the line
profile=sbuild has to get removed from the file
/etc/schroot/chroot.d/<release>-amd64-sbuild-XXXX, otherwise entering the chroot won't work correctly.
The following command provides a list of all schroot environments:
sudo schroot -l
A schroot environment may be entered with:
sudo schroot -c <release>-amd64-sbuild
Only required with versions of sbuild < 0.67.0¶
To self-sign the binary packages a key pair has to be generated with:
sudo sbuild-update --keygen
OpenSSL FIPS canister¶
Before the package can be built the sources for the FIPS canister have to be prepared:
mkdir -p ~/openssl-fips/canister cd ~/openssl-fips/canister wget https://www.openssl.org/source/openssl-fips-x.x.x.tar.gz tar xf openssl-fips-x.x.x.tar.gz cd openssl-fips-x.x.x/
and built and installed in the schroot environment created above (note that in newer versions the
source: prefix is required to make persistent changes):
sudo schroot -c source:<release>-amd64-sbuild
Then in the schroot:
# ./config # make install # logout
Note: The current FIPS module (2.0) is not compatible with OpenSSL 1.1.0 and newer
mkdir -p ~/openssl-fips/openssl cd ~/openssl-fips/openssl dget -u http://http.debian.net/debian/pool/main/o/openssl/openssl_xxx.dsc cd openssl-xxx/
To build the packages with FIPS support the
debian/rules file has to be modified:
- Add fips and no-speed to
CONFARGS. no-speed is required because the
speedutility somehow does not link to the FIPS-enabled library and then does not find some symbols during the package build. Unfortunately, the
speed.csource file is not actually able to follow the
OPENSSL_NO_SPEEDoption, so a patch is required. In order to build a proper source package this has to be done with quilt (see below).
- Remove all
make testcalls (or
build* testin newer releases) as these test stuff that is disabled in FIPS mode. It might also be possible to add
To patch the speed utility quilt is required:
sudo apt-get install quilt export QUILT_PATCHES=debian/patches export QUILT_REFRESH_ARGS="-p ab --no-timestamps --no-index" quilt new speed-opensslconf.patch quilt add apps/speed.c
Add the following in
apps/speed.c right before the
#ifndef OPENSSL_NO_SPEED line. So it looks like this:
#include <openssl/opensslconf.h> #ifndef OPENSSL_NO_SPEED
Update the patch:
To update the changelog use the following (the values are examples, i.e. what we currently use):
export DEBFULLNAME="strongSwan Testing" export DEBEMAILemail@example.com dch --local strongswan --distribution <release>
The version number doesn't really matter as the local repository is pinned in the testing environment so even if there is a newer version in the main repository our version should get installed. But it could still get set to a value that is always higher than minor revisions of the packages (e.g. instead of
Now a new source package may be built:
debuild --no-lintian -S -sa -us -uc -I -i cd ..
Based on that the binary packages can be built using sbuild:
sudo sbuild -d <release> openssl_xxx-strongswan1-xxx.dsc
Our custom repository is currently managed with
reprepro. To add the new binary packages something like the following may be used:
reprepro -b /path/to/debian/repo includedeb <release> <debfile>