feat(openssl): split FIPS provider into separate package#17698
Open
tobiasb-ms wants to merge 1 commit into
Open
feat(openssl): split FIPS provider into separate package#17698tobiasb-ms wants to merge 1 commit into
tobiasb-ms wants to merge 1 commit into
Conversation
tobiasb-ms
force-pushed
the
tobiasb-ms/openssl-fips-provider
branch
4 times, most recently
from
3988b08 to
b19b22e
Compare
Extract the FIPS provider module (fips.so) from the openssl package into
a new openssl-fips-provider package, using the upstream fipsinstall
approach for integrity verification instead of embedded HMAC.
== New package: openssl-fips-provider ==
Built from the same openssl source with enable-fips. Ships:
- /usr/lib64/ossl-modules/fips.so
- /etc/pki/tls/fipsmodule.cnf (generated by fipsinstall post-strip)
- /etc/pki/tls/openssl.d/openssl-fips-provider.cnf (drop-in config)
The drop-in registers the fips provider in [provider_sect] and includes
fipsmodule.cnf, making the provider loadable via 'openssl ... -provider
fips' without requiring kernel FIPS mode.
== Changes to openssl ==
- Remove enable-fips from ./Configure (fips.so no longer built here)
- Drop patch 0018 (re-enables fipsinstall subcommand)
- Replace patch 0019 with simplified version: kernel FIPS mode just
activates fips+base providers and sets FIPS properties, relying on
the drop-in for config rather than loading fips_local.cnf directly
- Replace patch 0037 with rebased version (context conflict with 0018
removal in doc/man5/fips_config.pod)
- Remove fips_local.cnf (no longer needed; drop-in provides config)
- Remove %{SOURCE1} hmac-ify call in %check (no fips.so to process)
- Keep Requires: openssl-fips-provider on openssl-libs
All other FIPS patches remain — they modify libcrypto/libssl runtime
behavior for loading and activating an external FIPS provider.
== Patch differences between openssl and openssl-fips-provider ==
Both packages share the same upstream source and nearly all patches.
Differences:
Dropped from both:
- 0018 (FIPS-disable-fipsinstall): re-enable fipsinstall subcommand
Dropped only from openssl-fips-provider:
- 0020 (FIPS-INTEG-CHECK-Embed-hmac-in-fips.so): embedded HMAC
integrity check, replaced by fipsinstall/fipsmodule.cnf approach
- 0022 (FIPS-INTEG-CHECK-Execute-KATS-before-HMAC): KAT reordering
for embedded HMAC verification, irrelevant without 0020
- 0053 (Allow-hybrid-MLKEM-in-FIPS-mode): touches defltprov.c and
libcrypto internals only — not compiled into fips.so
Patches 0020/0022 remain in openssl because the patched files
(providers/fips/self_test.c) exist in the source tree but are not
compiled without enable-fips — they are inert and removing them would
add overlay complexity for no functional benefit. Patch 0053 is
guarded by a %{defined azurelinux} conditional in openssl only.
Identical in both (same file content):
- 0019 (FIPS-Force-fips-provider-on): simplified to just activate
providers in kernel FIPS mode, drop fips_local.cnf loading
- 0037 (FIPS-TLS-Enforce-EMS): rebased fips_config.pod hunk against
full upstream file (old version depended on 0018's gutting)
These patches modify code in libcrypto/libssl (not fips.so), so their
content is functionally irrelevant to the fips-provider build — they
just need to apply cleanly. Unified to reduce maintenance surface.
== Config model ==
- openssl.d drop-in: makes provider loadable (registers fips_sect,
includes MAC data from fipsmodule.cnf)
- Patch 0019: auto-activates fips+base in kernel FIPS mode
- Crypto-policies: NOT included in drop-in (activation via
update-crypto-policies is a separate concern)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
tobiasb-ms
force-pushed
the
tobiasb-ms/openssl-fips-provider
branch
from
b19b22e to
21f44d7
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
This PR splits the OpenSSL FIPS provider module (fips.so) into a new openssl-fips-provider package and updates the main openssl package to stop building/shipping the provider, switching integrity handling to the upstream fipsinstall → fipsmodule.cnf model and relying on an openssl.d drop-in for configuration.
Changes:
- Add new
openssl-fips-providercomponent/spec that buildsfips.so, generates/etc/pki/tls/fipsmodule.cnfviafipsinstall, and installs anopenssl.ddrop-in config. - Update
opensslto stop buildingfips.so, removefips_local.cnf, and keepopenssl-libsrequiringopenssl-fips-provider. - Rework/rebase downstream FIPS-related patches (notably 0019 and 0037) to align with the new config model.
Reviewed changes
Copilot reviewed 95 out of 97 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| base/comps/components-publish-channels.toml | Publishes the new openssl-fips-provider component. |
| base/comps/openssl/openssl.comp.toml | Removes enable-fips, drops fips_local.cnf, and swaps in rebased patches for openssl. |
| base/comps/openssl/0019-FIPS-Force-fips-provider-on.patch | Rebases kernel-FIPS-mode activation logic used by openssl. |
| base/comps/openssl-fips-provider/openssl-fips-provider.comp.toml | New component definition: renames spec outputs, prunes subpackages/files, runs fipsinstall, installs drop-in config. |
| base/comps/openssl-fips-provider/0019-FIPS-Force-fips-provider-on.patch | Same rebased 0019 patch for the provider build (kept in sync with openssl). |
| base/comps/openssl-fips-provider/0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch | Rebases patch 0037 for the provider build. |
| base/comps/openssl-fips-provider/openssl-fips-provider.cnf | Adds the openssl.d drop-in which registers the provider and includes fipsmodule.cnf. |
| locks/openssl.lock | Updates input fingerprint after component changes. |
| locks/openssl-fips-provider.lock | Adds lock file for the new component. |
| specs/o/openssl/openssl.spec | Stops building/packaging fips.so, removes fips_local.cnf, and requires openssl-fips-provider for openssl-libs. |
| specs/o/openssl/0019-FIPS-Force-fips-provider-on.patch | Updated rendered patch 0019 for openssl. |
| specs/o/openssl/0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch | Updated rendered patch 0037 for openssl. |
| specs/o/openssl-fips-provider/openssl-fips-provider.spec | New rendered spec for the provider-only package. |
| specs/o/openssl-fips-provider/sources | Adds source hash for the provider build. |
| specs/o/openssl-fips-provider/openssl.rpmlintrc | New rpmlint filters for the provider package. |
| specs/o/openssl-fips-provider/openssl-fips-provider.cnf | Rendered copy of the openssl.d drop-in config. |
| specs/o/openssl-fips-provider/genpatches | Helper script checked in with the new spec set. |
| specs/o/openssl-fips-provider/fips-hmacify.sh | Helper script still present alongside the spec (currently unused by the new workflow). |
| specs/o/openssl-fips-provider/configuration-switch.h | Carries multilib configuration header handling from upstream packaging. |
| specs/o/openssl-fips-provider/configuration-prefix.h | Carries multilib configuration header handling from upstream packaging. |
| specs/o/openssl-fips-provider/0001-RH-Aarch64-and-ppc64le-use-lib64.patch | Provider spec patch set (imported). |
| specs/o/openssl-fips-provider/0003-RH-Do-not-install-html-docs.patch | Provider spec patch set (imported). |
| specs/o/openssl-fips-provider/0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch | Provider spec patch set (imported). |
| specs/o/openssl-fips-provider/0005-RH-Disable-signature-verification-with-bad-digests-R.patch | Provider spec patch set (imported). |
| specs/o/openssl-fips-provider/0007-RH-Add-FIPS_mode-compatibility-macro.patch | Provider spec patch set (imported). |
| specs/o/openssl-fips-provider/0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch | Provider spec patch set (imported). |
| specs/o/openssl-fips-provider/0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch | Provider spec patch set (imported). |
| specs/o/openssl-fips-provider/0019-FIPS-Force-fips-provider-on.patch | Provider spec patch set (rebased/unified). |
| specs/o/openssl-fips-provider/0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch | Provider spec patch set (now likely dead with fipsinstall). |
| specs/o/openssl-fips-provider/0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch | Provider spec patch set (imported). |
| specs/o/openssl-fips-provider/0044-FIPS-NO-DES-support.patch | Provider spec patch set (imported). |
| specs/o/openssl-fips-provider/0058-Add-targets-to-skip-build-of-non-installable-program.patch | Provider spec patch set (imported). |
| specs/o/openssl-fips-provider/0061-CVE-2025-15468.patch | Provider spec CVE backport (imported). |
| specs/o/openssl-fips-provider/0063-CVE-2025-66199.patch | Provider spec CVE backport (imported). |
| specs/o/openssl-fips-provider/0064-CVE-2025-68160.patch | Provider spec CVE backport (imported). |
| specs/o/openssl-fips-provider/0065-CVE-2025-69418.patch | Provider spec CVE backport (imported). |
| specs/o/openssl-fips-provider/0066-CVE-2025-69420.patch | Provider spec CVE backport (imported). |
| specs/o/openssl-fips-provider/0067-CVE-2025-69421.patch | Provider spec CVE backport (imported). |
| specs/o/openssl-fips-provider/0068-CVE-2025-69419.patch | Provider spec CVE backport (imported). |
| specs/o/openssl-fips-provider/0069-CVE-2026-22795.patch | Provider spec CVE backport (imported). |
| specs/o/openssl-fips-provider/0071-Do-not-make-key-share-choice-in-tls1_set_groups.patch | Provider spec patch set (imported). |
| specs/o/openssl-fips-provider/0074-CVE-2026-28387.patch | Provider spec CVE backport (imported). |
| specs/o/openssl-fips-provider/0075-CVE-2026-28388.patch | Provider spec CVE backport (imported). |
| specs/o/openssl-fips-provider/0076-CVE-2026-28389.patch | Provider spec CVE backport (imported). |
| specs/o/openssl-fips-provider/0077-CVE-2026-28390.patch | Provider spec CVE backport (imported). |
| specs/o/openssl-fips-provider/0078-CVE-2026-31789.patch | Provider spec CVE backport (imported). |
| specs/o/openssl-fips-provider/0079-CVE-2026-31790.patch | Provider spec CVE backport (imported). |
Comment on lines
+262
to
+266
| [[components.openssl-fips-provider.overlays]] | ||
| type = "spec-search-replace" | ||
| description = "Replace %files openssl binary with fips.so" | ||
| regex = '%\{_bindir\}/openssl' | ||
| replacement = "%{_libdir}/ossl-modules/fips.so\n%config(noreplace) %{_sysconfdir}/pki/tls/fipsmodule.cnf" |
Comment on lines
+263
to
+267
| type = "spec-search-replace" | ||
| description = "Replace %files openssl binary with fips.so" | ||
| regex = '%\{_bindir\}/openssl' | ||
| replacement = "%{_libdir}/ossl-modules/fips.so\n%config(noreplace) %{_sysconfdir}/pki/tls/fipsmodule.cnf" | ||
|
|
Comment on lines
+60
to
+66
| # Remove main package dependencies — fips-provider doesn't need coreutils | ||
| # and the openssl-fips-provider-libs subpackage won't exist. | ||
| [[components.openssl-fips-provider.overlays]] | ||
| type = "spec-search-replace" | ||
| description = "Replace standalone Requires: coreutils with openssl-libs" | ||
| regex = '^Requires: coreutils$' | ||
| replacement = "Requires: openssl-libs%{?_isa}" |
Comment on lines
+41
to
+43
| Source0: openssl-%{version}.tar.gz | ||
| Source1: fips-hmacify.sh | ||
| Source3: genpatches |
Comment on lines
+66
to
+68
| Patch0019: 0019-FIPS-Force-fips-provider-on.patch | ||
| Patch0021: 0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch | ||
| Patch0023: 0023-FIPS-RSA-encrypt-limits-REVIEW.patch |
Comment on lines
+7
to
+9
| # Technically this warning is correct, but in the case of the openssl binary we | ||
| # want to allow SSL_CTX_set_cipher_list | ||
| addFilter("W: crypto-policy-non-compliance-openssl /usr/bin/openssl SSL_CTX_set_cipher_list") |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Extract the FIPS provider module (fips.so) from the openssl package into a new openssl-fips-provider package, using the upstream fipsinstall approach for integrity verification instead of embedded HMAC.
AB#21687
New package: openssl-fips-provider
Built from the same openssl source with
enable-fips. Ships:/usr/lib64/ossl-modules/fips.so/etc/pki/tls/fipsmodule.cnf(generated by fipsinstall post-strip)/etc/pki/tls/openssl.d/openssl-fips-provider.cnf(drop-in config)The drop-in registers the fips provider in
[provider_sect]and includesfipsmodule.cnf, making the provider loadable viaopenssl ... -provider fipswithout requiring kernel FIPS mode.Changes to openssl
enable-fipsfrom./Configure(fips.so no longer built here)fipsinstallsubcommand)fips_local.cnfdirectlydoc/man5/fips_config.pod)fips_local.cnf(no longer needed; drop-in provides config)%check(no fips.so to process)Requires: openssl-fips-provideronopenssl-libsConfig model
fips_sect, includes MAC data fromfipsmodule.cnf)update-crypto-policiesis a separate concern)Patch differences between openssl and openssl-fips-provider
Both packages share the same upstream source and nearly all patches.
Dropped from both:
Dropped only from openssl-fips-provider:
defltprov.cand libcrypto internals only — not compiled into fips.soPatches 0020/0022 remain in openssl because the patched files (
providers/fips/self_test.c) exist in the source tree but are not compiled withoutenable-fips— they are inert and removing them would add overlay complexity for no functional benefit. Patch 0053 is guarded by a%{defined azurelinux}conditional in openssl only.Identical in both (same file content):
fips_local.cnfloadingfips_config.podhunk against full upstream file (old version depended on 0018's gutting)These patches modify code in libcrypto/libssl (not fips.so), so their content is functionally irrelevant to the fips-provider build — they just need to apply cleanly. Unified to reduce maintenance surface.