From 945a17be82aa9da4ea7ac0745d8e24b38fbd2baa Mon Sep 17 00:00:00 2001 From: David Kirov Date: Tue, 3 Dec 2024 16:02:41 +0100 Subject: [PATCH] Revert to building openssl --- .github/workflows/test-fips.yml | 107 ++++++++++++++++++++++++-------- 1 file changed, 81 insertions(+), 26 deletions(-) diff --git a/.github/workflows/test-fips.yml b/.github/workflows/test-fips.yml index 657902aab8435..32395c5f0ddc9 100644 --- a/.github/workflows/test-fips.yml +++ b/.github/workflows/test-fips.yml @@ -26,6 +26,9 @@ jobs: OPENSSL_CONF: /usr/local/ssl/openssl.cnf OPENSSL_FIPS: 1 PYTHON_VERSION: "3.12" + OPENSSL_VERSION: "3.0.15" + FIPS_MODULE_VERSION: "3.0.9" + steps: 
@@ -61,37 +64,85 @@ jobs: && make \ && sudo make install - - name: Download and Extract OpenSSL and FIPS Module + - name: Install NASM (Required for OpenSSL) if: runner.os == 'Windows' shell: powershell run: | - # Define URLs for OpenSSL and FIPS module - $OpenSSLUrl = "https://agent-ints-python-build-sandbox.s3.eu-north-1.amazonaws.com/openssl-windows-openssl-3.0.15-amd64-5BD585.zip" - $FIPSModuleUrl = "https://agent-ints-python-build-sandbox.s3.eu-north-1.amazonaws.com/fips-windows-openssl-3.0.9-amd64-118D97.zip" - - # Download OpenSSL - Invoke-WebRequest -Uri $OpenSSLUrl -OutFile openssl.zip - Expand-Archive -Path openssl.zip -DestinationPath "C:\Program Files\OpenSSL" -Force - Remove-Item -Path openssl.zip - - # Download FIPS Module - Invoke-WebRequest -Uri $FIPSModuleUrl -OutFile fipsmodule.zip - if (-Not (Test-Path "C:\Program Files\OpenSSL\lib\ossl-modules")) { - New-Item -ItemType Directory -Path "C:\Program Files\OpenSSL\lib\ossl-modules" + # Install NASM if not already available + if (-Not (Get-Command nasm -ErrorAction SilentlyContinue)) { + choco install nasm -y } - Expand-Archive -Path fipsmodule.zip -DestinationPath "C:\Program Files\OpenSSL\lib\ossl-modules" -Force - Remove-Item -Path fipsmodule.zip + $env:PATH += ";C:\Program Files\NASM" + Add-Content -Path $env:GITHUB_ENV -Value "PATH=$($env:PATH)" - if (-Not (Test-Path "C:\Program Files\OpenSSL\ssl")) { - New-Item -ItemType Directory -Path "C:\Program Files\OpenSSL\ssl" - } - Move-Item -Path "C:\Program Files\OpenSSL\lib\ossl-modules\fipsmodule.cnf" -Destination "C:\Program Files\OpenSSL\ssl\fipsmodule.cnf" -Force + - name: Download OpenSSL and FIPS Provider + if: runner.os == 'Windows' + shell: powershell + run: | + Invoke-WebRequest -Uri "https://github.com/openssl/openssl/releases/download/openssl-${{ env.OPENSSL_VERSION }}/openssl-${{ env.OPENSSL_VERSION }}.tar.gz" -OutFile openssl.tar.gz + Invoke-WebRequest -Uri "https://github.com/openssl/openssl/releases/download/openssl-${{ 
env.FIPS_MODULE_VERSION }}/openssl-${{ env.FIPS_MODULE_VERSION }}.tar.gz" -OutFile fipsmodule.tar.gz + tar -xzf openssl.tar.gz + tar -xzf fipsmodule.tar.gz + + - name: Cache FIPS Module Build + uses: actions/cache@v3 + with: + path: openssl-${{ env.FIPS_MODULE_VERSION }} + key: ${{ runner.os }}-openssl-${{ env.FIPS_MODULE_VERSION }}-${{ hashFiles('**/Configure') }} + restore-keys: | + ${{ runner.os }}-openssl-${{ env.FIPS_MODULE_VERSION }}- + + - name: Cache OpenSSL Build + uses: actions/cache@v3 + with: + path: openssl-${{ env.OPENSSL_VERSION }} + key: ${{ runner.os }}-openssl-${{ env.OPENSSL_VERSION }}-${{ hashFiles('**/Configure') }} + restore-keys: | + ${{ runner.os }}-openssl-${{ env.OPENSSL_VERSION }}- - - name: Configure OpenSSL FIPS + - name: Configure Environment and Build FIPS Module + shell: cmd + run: | + if not exist "openssl-${{ env.FIPS_MODULE_VERSION }}" ( + REM Locate Visual Studio installation path + FOR /F "tokens=*" %%I IN ('"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe" -latest -products * -requires Microsoft.Component.MSBuild -property installationPath') DO SET VSINSTALLPATH=%%I + + REM Run vcvarsall.bat for the amd64 architecture + CALL "%VSINSTALLPATH%\VC\Auxiliary\Build\vcvarsall.bat" amd64 + + REM Build OpenSSL + cd openssl-${{ env.FIPS_MODULE_VERSION }} + perl Configure VC-WIN64A enable-fips + nmake + nmake install + ) else ( + echo "Using cached FIPS module." 
+ ) + + - name: Configure Environment and Build OpenSSL + shell: cmd + run: | + if not exist "openssl-${{ env.OPENSSL_VERSION }}" ( + REM Locate Visual Studio installation path + FOR /F "tokens=*" %%I IN ('"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe" -latest -products * -requires Microsoft.Component.MSBuild -property installationPath') DO SET VSINSTALLPATH=%%I + + REM Run vcvarsall.bat for the amd64 architecture + CALL "%VSINSTALLPATH%\VC\Auxiliary\Build\vcvarsall.bat" amd64 + + REM Build OpenSSL + cd openssl-${{ env.OPENSSL_VERSION }} + perl Configure VC-WIN64A enable-fips + nmake + nmake install + ) else ( + echo "Using cached FIPS module." + ) + + - name: Configure OpenSSL for FIPS if: runner.os == 'Windows' shell: powershell run: | - # Create openssl.cnf file + # Create openssl.cnf to enable FIPS mode $OpenSSLConf = @" config_diagnostics = 1 openssl_conf = openssl_init @@ -114,14 +165,18 @@ jobs: "@ $OpenSSLConf | Set-Content -Path "C:\Program Files\OpenSSL\ssl\openssl.cnf" - - name: Verify OpenSSL and FIPS + - name: Verify OpenSSL with FIPS if: runner.os == 'Windows' shell: powershell run: | + # Set environment variables [Environment]::SetEnvironmentVariable("OPENSSL_CONF", "C:\Program Files\OpenSSL\ssl\openssl.cnf", "Process") - - & "C:\Program Files\OpenSSL\openssl.exe" version -a - & "C:\Program Files\OpenSSL\openssl.exe" list -providers + [Environment]::SetEnvironmentVariable("OPENSSL_FIPS", "1", "Process") + + # Verify OpenSSL installation and FIPS mode + & "C:\Program Files\OpenSSL\bin\openssl.exe" version -a + & "C:\Program Files\OpenSSL\bin\openssl.exe" list -providers + & "C:\Program Files\OpenSSL\bin\openssl.exe" list -properties - name: Install Cryptography run: pip install cryptography
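Review bot: The `if not exist "openssl-${{ env.FIPS_MODULE_VERSION }}"` guard in the FIPS build step, and the matching one in the OpenSSL build step, test the source directory that the preceding download step has just extracted, so on Windows the `else` branch runs every time and neither tree is configured, built or installed. Guard on a build product instead (for instance `if not exist "openssl-${{ env.FIPS_MODULE_VERSION }}\providers\fips.dll" (`, assuming the usual build-tree layout) and keep in mind that a cache hit would then also skip `nmake install`, leaving `C:\Program Files\OpenSSL` empty on cached runs. Both steps run `nmake install` from an `enable-fips` tree, which as far as I can tell also installs that tree's provider, so the 3.0.15 install overwrites the 3.0.9 `fips.dll` and `fipsmodule.cnf` installed just before it; if the 3.0.9 module is the one under test, install only its provider with `nmake install_fips` and run that after the 3.0.15 install. Neither `shell: cmd` step carries the `if: runner.os == 'Windows'` guard the surrounding steps have, so they will fail on the non-Windows runners this workflow also covers. The two tarballs are fetched without checking the checksum or signature files OpenSSL publishes alongside each release, so a hash comparison after each `Invoke-WebRequest` would close that integrity gap.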
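Review bot: The `Verify OpenSSL with FIPS` step only prints `version -a`, `list -providers` and `list -properties`, and with `shell: powershell` only the last native command's exit code fails the step, so a build whose FIPS provider did not load (or whose `fipsmodule.cnf` is missing) still passes; add an explicit check after the listing, e.g. `if (-not ((& "C:\Program Files\OpenSSL\bin\openssl.exe" list -providers) -match 'FIPS Provider')) { throw "FIPS provider not loaded" }`. The added `SetEnvironmentVariable("OPENSSL_FIPS", "1", "Process")` duplicates the job-level `OPENSSL_FIPS: 1` and, as far as I know, is a legacy 1.0.2 switch that OpenSSL 3 does not read; FIPS here is activated by the `openssl.cnf` written in the previous step, so a comment such as `# FIPS is activated via openssl.cnf; OPENSSL_FIPS is not consulted by OpenSSL 3` would keep readers from relying on the variable. The here-string that produces that config begins outside this hunk.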