

Revert to building openssl
dkirov-dd committed Dec 3, 2024
1 parent f7d5b4e commit 945a17b
Showing 1 changed file with 81 additions and 26 deletions.
107 changes: 81 additions & 26 deletions .github/workflows/test-fips.yml
Expand Up @@ -26,6 +26,9 @@ jobs:
OPENSSL_CONF: /usr/local/ssl/openssl.cnf
OPENSSL_FIPS: 1
PYTHON_VERSION: "3.12"
OPENSSL_VERSION: "3.0.15"
FIPS_MODULE_VERSION: "3.0.9"


steps:

Expand Down Expand Up @@ -61,37 +64,85 @@ jobs:
&& make \
&& sudo make install
- name: Download and Extract OpenSSL and FIPS Module
- name: Install NASM (Required for OpenSSL)
if: runner.os == 'Windows'
shell: powershell
run: |
# Define URLs for OpenSSL and FIPS module
$OpenSSLUrl = "https://agent-ints-python-build-sandbox.s3.eu-north-1.amazonaws.com/openssl-windows-openssl-3.0.15-amd64-5BD585.zip"
$FIPSModuleUrl = "https://agent-ints-python-build-sandbox.s3.eu-north-1.amazonaws.com/fips-windows-openssl-3.0.9-amd64-118D97.zip"
# Download OpenSSL
Invoke-WebRequest -Uri $OpenSSLUrl -OutFile openssl.zip
Expand-Archive -Path openssl.zip -DestinationPath "C:\Program Files\OpenSSL" -Force
Remove-Item -Path openssl.zip
# Download FIPS Module
Invoke-WebRequest -Uri $FIPSModuleUrl -OutFile fipsmodule.zip
if (-Not (Test-Path "C:\Program Files\OpenSSL\lib\ossl-modules")) {
New-Item -ItemType Directory -Path "C:\Program Files\OpenSSL\lib\ossl-modules"
# Install NASM if not already available
if (-Not (Get-Command nasm -ErrorAction SilentlyContinue)) {
choco install nasm -y
}
Expand-Archive -Path fipsmodule.zip -DestinationPath "C:\Program Files\OpenSSL\lib\ossl-modules" -Force
Remove-Item -Path fipsmodule.zip
$env:PATH += ";C:\Program Files\NASM"
Add-Content -Path $env:GITHUB_ENV -Value "PATH=$($env:PATH)"
if (-Not (Test-Path "C:\Program Files\OpenSSL\ssl")) {
New-Item -ItemType Directory -Path "C:\Program Files\OpenSSL\ssl"
}
Move-Item -Path "C:\Program Files\OpenSSL\lib\ossl-modules\fipsmodule.cnf" -Destination "C:\Program Files\OpenSSL\ssl\fipsmodule.cnf" -Force
- name: Download OpenSSL and FIPS Provider
if: runner.os == 'Windows'
shell: powershell
run: |
Invoke-WebRequest -Uri "https://github.com/openssl/openssl/releases/download/openssl-${{ env.OPENSSL_VERSION }}/openssl-${{ env.OPENSSL_VERSION }}.tar.gz" -OutFile openssl.tar.gz
Invoke-WebRequest -Uri "https://github.com/openssl/openssl/releases/download/openssl-${{ env.FIPS_MODULE_VERSION }}/openssl-${{ env.FIPS_MODULE_VERSION }}.tar.gz" -OutFile fipsmodule.tar.gz
tar -xzf openssl.tar.gz
tar -xzf fipsmodule.tar.gz
- name: Cache FIPS Module Build
uses: actions/cache@v3
with:
path: openssl-${{ env.FIPS_MODULE_VERSION }}
key: ${{ runner.os }}-openssl-${{ env.FIPS_MODULE_VERSION }}-${{ hashFiles('**/Configure') }}
restore-keys: |
${{ runner.os }}-openssl-${{ env.FIPS_MODULE_VERSION }}-
- name: Cache OpenSSL Build
uses: actions/cache@v3
with:
path: openssl-${{ env.OPENSSL_VERSION }}
key: ${{ runner.os }}-openssl-${{ env.OPENSSL_VERSION }}-${{ hashFiles('**/Configure') }}
restore-keys: |
${{ runner.os }}-openssl-${{ env.OPENSSL_VERSION }}-
- name: Configure OpenSSL FIPS
- name: Configure Environment and Build FIPS Module
shell: cmd
run: |
if not exist "openssl-${{ env.FIPS_MODULE_VERSION }}" (
REM Locate Visual Studio installation path
FOR /F "tokens=*" %%I IN ('"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe" -latest -products * -requires Microsoft.Component.MSBuild -property installationPath') DO SET VSINSTALLPATH=%%I
REM Run vcvarsall.bat for the amd64 architecture
CALL "%VSINSTALLPATH%\VC\Auxiliary\Build\vcvarsall.bat" amd64
REM Build OpenSSL
cd openssl-${{ env.FIPS_MODULE_VERSION }}
perl Configure VC-WIN64A enable-fips
nmake
nmake install
) else (
echo "Using cached FIPS module."
)
- name: Configure Environment and Build OpenSSL
shell: cmd
run: |
if not exist "openssl-${{ env.OPENSSL_VERSION }}" (
REM Locate Visual Studio installation path
FOR /F "tokens=*" %%I IN ('"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe" -latest -products * -requires Microsoft.Component.MSBuild -property installationPath') DO SET VSINSTALLPATH=%%I
REM Run vcvarsall.bat for the amd64 architecture
CALL "%VSINSTALLPATH%\VC\Auxiliary\Build\vcvarsall.bat" amd64
REM Build OpenSSL
cd openssl-${{ env.OPENSSL_VERSION }}
perl Configure VC-WIN64A enable-fips
nmake
nmake install
) else (
echo "Using cached FIPS module."
)
- name: Configure OpenSSL for FIPS
if: runner.os == 'Windows'
shell: powershell
run: |
# Create openssl.cnf file
# Create openssl.cnf to enable FIPS mode
$OpenSSLConf = @"
config_diagnostics = 1
openssl_conf = openssl_init
Expand All @@ -114,14 +165,18 @@ jobs:
"@
$OpenSSLConf | Set-Content -Path "C:\Program Files\OpenSSL\ssl\openssl.cnf"
- name: Verify OpenSSL and FIPS
- name: Verify OpenSSL with FIPS
if: runner.os == 'Windows'
shell: powershell
run: |
# Set environment variables
[Environment]::SetEnvironmentVariable("OPENSSL_CONF", "C:\Program Files\OpenSSL\ssl\openssl.cnf", "Process")
& "C:\Program Files\OpenSSL\openssl.exe" version -a
& "C:\Program Files\OpenSSL\openssl.exe" list -providers
[Environment]::SetEnvironmentVariable("OPENSSL_FIPS", "1", "Process")
# Verify OpenSSL installation and FIPS mode
& "C:\Program Files\OpenSSL\bin\openssl.exe" version -a
& "C:\Program Files\OpenSSL\bin\openssl.exe" list -providers
& "C:\Program Files\OpenSSL\bin\openssl.exe" list -properties
- name: Install Cryptography
run: pip install cryptography
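Review bot: The two source tarballs fetched in "Download OpenSSL and FIPS Provider" are unpacked and built with no integrity check, so the job trusts whatever the release URL returns; compare each archive against a pinned digest before `tar -xzf`, e.g. `if ((Get-FileHash openssl.tar.gz -Algorithm SHA256).Hash -ne '<EXPECTED_SHA256_PLACEHOLDER>') { throw 'openssl.tar.gz digest mismatch' }`, and the same for `fipsmodule.tar.gz`. Separately, that step extracts `openssl-<version>` before the cache and build steps run, so `if not exist "openssl-..."` appears to be always false; `nmake install` would then never run, and the verify step would have no `C:\Program Files\OpenSSL\bin\openssl.exe` to call. Keying the skip on the cache step's `cache-hit` output (or on an installed artifact) instead of the source directory would avoid that. The OpenSSL 3.0.15 build also passes `enable-fips`, which looks like it would install a 3.0.15 FIPS provider over the 3.0.9 one if both builds use the default prefix; drop the flag there if the intent is to exercise the 3.0.9 module. The two `shell: cmd` build steps also lack the `if: runner.os == 'Windows'` guard that the neighbouring steps carry.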
