Hi,

In the recent release of OpenSSL-3.0.0, users can configure and use various providers (https://github.com/openssl/openssl/blob/master/README-PROVIDERS.md). FIPS is one of them and by default it's not installed. (See documentation: https://github.com/openssl/openssl/blob/master/README-FIPS.md)

I'm wondering if we could introduce a `fips` internal use flag to conditionally build the FIPS module.
Because it's a module now I think we don't need to hide it behind a USE flag and can always build the module. However, OpenSSL 3.0 has no FIPS validation yet (review is pending and is estimated for Q3/2022). So it was intentional to not expose it yet like you are not "allowed" to make use of it, if you care about FIPS.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=895d71e3d1c76e283f09143480870a500a889233

commit 895d71e3d1c76e283f09143480870a500a889233
Author:     Mathieu Tortuyaux <mtortuyaux@microsoft.com>
AuthorDate: 2021-11-02 12:52:20 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-11-02 15:00:10 +0000

    dev-libs/openssl: add `fips` support

    `FIPS` provider is not enabled by default with OpenSSL version 3.
    Let's make it optional by adding conditional `fips` internal useflag.

    See also: https://github.com/openssl/openssl/blob/master/README-FIPS.md

    Bug: https://bugs.gentoo.org/820173
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
    Closes: https://github.com/gentoo/gentoo/pull/22796
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/openssl/metadata.xml         | 1 +
 dev-libs/openssl/openssl-3.0.0.ebuild | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
(In reply to Thomas Deutschmann from comment #1)
> Because it's a module now I think we don't need to hide it behind a USE flag
> and can always build the module.
>
> However, OpenSSL 3.0 has no FIPS validation yet (review is pending and is
> estimated for Q3/2022). So it was intentional to not expose it yet like you
> are not "allowed" to make use of it, if you care about FIPS.

Gentoo doesn't have a legal department and upstream OpenSSL shouldn't expose it if it _actually_ shouldn't be used. A downstream consumer has requested it and I don't see a reason not to expose it. We can make it unconditional once it's been fully approved if it's not already.
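As an added illustration (not part of this bug thread, the upstream README, or the Gentoo ebuild): building the FIPS provider with the new `fips` flag does not by itself make OpenSSL 3.0 use it; the provider is only activated through the configuration file. The openssl.cnf fragment below follows the layout documented in README-FIPS and fips_module(7), loading the `fips` provider alongside `base` and routing default algorithm fetches to it; the path of fipsmodule.cnf (produced by `openssl fipsinstall`) is an assumption, and, as comment #1 notes, activating the provider says nothing about whether the module is validated.

```ini
# Added example openssl.cnf: opt in to the FIPS provider.
# Assumes fipsmodule.cnf was generated by `openssl fipsinstall` and
# placed at the path below (assumed path; adjust to your install).
config_diagnostics = 1
openssl_conf = openssl_init

# fipsmodule.cnf carries [fips_sect] with the module checksum and
# "activate = 1"; a missing or corrupt file is a hard error thanks
# to config_diagnostics instead of a silent fallback to default.
.include /etc/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
# "base" supplies encoders/decoders and key/cert file loading,
# "fips" supplies the algorithm implementations inside the module
# boundary; neither is loaded unless activated here.
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

[algorithm_sect]
# Require the fips property on every default fetch so that a
# non-FIPS implementation cannot be selected by accident.
default_properties = fips=yes
```

With this file in place, `openssl list -providers` should show `base` and `fips` as active; if `fips` is missing, the `.include` path or the fipsinstall step is what to check first.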