Project

General

Profile

OpenSSL packages for the Testing Environment

The testing environment uses FIPS-enabled OpenSSL packages based on the original Debian packages. These packages are automatically installed in the root image when the environment is built.

The following steps may be used to rebuild the packages. This how-to uses Ubuntu 14.04, but it's similar on Debian or other Ubuntu releases.

Note: This how-to does not exactly follow the instructions provided by the OpenSSL project. For FIPS compliance these have to be followed to the letter, but we ignore that for our test environment.

sbuild

The packages are built using sbuild in chroot environments managed with schroot. This build environment can be installed as follows.

sudo apt-get install sbuild debian-archive-keyring
sudo sbuild-createchroot <release> /path/to/chroot http://httpredir.debian.org/debian --keyring=/usr/share/keyrings/debian-archive-keyring.gpg

<release> is e.g. jessie. On Ubuntu 14.04 the line profile=sbuild has to get removed from the file /etc/schroot/chroot.d/<release>-amd64-sbuild-XXXX, otherwise entering the chroot won't work correctly.

The following command provides a list of all schroot environments:

sudo schroot -l

A schroot environment may be entered with:

sudo schroot -c <release>-amd64-sbuild

Only required with versions of sbuild < 0.67.0

To self-sign the binary packages a key pair has to be generated with:

sudo sbuild-update --keygen

OpenSSL FIPS canister

Before the package can be built the sources for the FIPS canister have to be prepared:

mkdir -p ~/openssl-fips/canister
cd ~/openssl-fips/canister
wget https://www.openssl.org/source/openssl-fips-x.x.x.tar.gz
tar xf openssl-fips-x.x.x.tar.gz
cd openssl-fips-x.x.x/

and built and installed in the schroot environment created above (note that in newer versions the source: prefix is required to make persistent changes):

sudo schroot -c source:<release>-amd64-sbuild

Then in the schroot:

# ./config
# make install
# logout

FIPS-enabled OpenSSL

Note: The current FIPS module (2.0) is not compatible with OpenSSL 1.1.0 and newer

The sources for the current packages can easily be obtained using the corresponding .dsc file from Debian's package tracker.

mkdir -p ~/openssl-fips/openssl
cd ~/openssl-fips/openssl
dget -u http://http.debian.net/debian/pool/main/o/openssl/openssl_xxx.dsc
cd openssl-xxx/

To build the packages with FIPS support the debian/rules file has to be modified:

  • Add fips and no-speed to CONFARGS. no-speed is required because the speed utility somehow does not link to the FIPS-enabled library and then does not find some symbols during the package build. Unfortunately, the speed.c source file is not actually able to follow the OPENSSL_NO_SPEED option, so a patch is required. In order to build a proper source package this has to be done with quilt (see below).
  • Remove all make test calls (or build* test in newer releases) as these test stuff that is disabled in FIPS mode. It might also be possible to add nocheck to DEB_BUILD_OPTIONS.

To patch the speed utility quilt is required:

sudo apt-get install quilt
export QUILT_PATCHES=debian/patches
export QUILT_REFRESH_ARGS="-p ab --no-timestamps --no-index" 
quilt new speed-opensslconf.patch
quilt add apps/speed.c

Add the following in apps/speed.c right before the #ifndef OPENSSL_NO_SPEED line. So it looks like this:

#include <openssl/opensslconf.h>
#ifndef OPENSSL_NO_SPEED

Update the patch:

quilt refresh

To update the changelog use the following (the values are examples, i.e. what we currently use):

export DEBFULLNAME="strongSwan Testing" 
export DEBEMAIL=debian@strongswan.org
dch --local strongswan --distribution <release>

The version number doesn't really matter as the local repository is pinned in the testing environment so even if there is a newer version in the main repository our version should get installed. But it could still get set to a value that is always higher than minor revisions of the packages (e.g. instead of 1.0.1e-2+deb7u17 use 1.0.1e-strongswan1~2+deb7u17).

Now a new source package may be built:

debuild --no-lintian -S -sa -us -uc -I -i
cd ..

Based on that the binary packages can be built using sbuild:

sudo sbuild -d <release> openssl_xxx-strongswan1-xxx.dsc

APT Repository

Our custom repository is currently managed with reprepro. To add the new binary packages something like the following may be used:

reprepro -b /path/to/debian/repo includedeb <release> <debfile>