Bug 820173 - dev-libs/openssl-3.0.0: missing `enable-fips` configuration flag
Summary: dev-libs/openssl-3.0.0: missing `enable-fips` configuration flag
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2021-10-25 10:00 UTC by Mathieu Tortuyaux
Modified: 2023-03-11 22:03 UTC
CC: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Mathieu Tortuyaux 2021-10-25 10:00:48 UTC
Hi,

In the recent release of OpenSSL-3.0.0, users can configure and use various providers (https://github.com/openssl/openssl/blob/master/README-PROVIDERS.md).

FIPS is one of them and by default it's not installed. (See documentation: https://github.com/openssl/openssl/blob/master/README-FIPS.md)

I'm wondering if we could introduce a `fips` internal USE flag to conditionally build the FIPS module.
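Because the FIPS provider is a separately built and installed module in OpenSSL 3, a system can easily end up with the main library present but no usable FIPS provider. The following script is an added example (not part of this bug report, the Gentoo ebuild, or upstream OpenSSL) that checks an installation from the defender's side: it looks for the `fips.so` module under the directory reported by `openssl version -m`, and it parses the text output of `openssl list -providers` to see whether the `fips` provider is actually listed as active. The two sample listings embedded in the script are constructed to mirror that output format so the parser can be exercised offline; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: verify that an OpenSSL 3 install really has the FIPS
# provider built, installed and loaded. Not code from the bug or the ebuild.

# Parse `openssl list -providers` text (read from stdin) and print the
# status of the named provider, or "missing" if it is not listed at all.
provider_status() {
    want="$1"
    awk -v want="$want" '
        # a line indented by exactly two spaces names a provider
        /^  [^ ]/ { cur = $1; next }
        # detail lines are indented further; pick the status of the wanted one
        cur == want && /status:/ { print $2; found = 1; exit }
        END { if (!found) print "missing" }
    '
}

# Constructed sample in the format of `openssl list -providers` when only
# the default provider is loaded (what you get if fips was never built).
SAMPLE_NO_FIPS='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.0
    status: active'

# Constructed sample with the fips provider built, installed and activated.
SAMPLE_WITH_FIPS='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.0
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.0
    status: active'

# Check the live system: module file present AND provider reported active.
# Returns 0 only when both hold, 1 when FIPS is absent, 2 if openssl is missing.
check_live_fips() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 2; }
    # `openssl version -m` prints: MODULESDIR: "/path/to/ossl-modules"
    moddir=$(openssl version -m | sed -n 's/^MODULESDIR: "\(.*\)"$/\1/p')
    if [ ! -f "$moddir/fips.so" ]; then
        echo "fips.so not present in $moddir (FIPS provider not built/installed)"
        return 1
    fi
    st=$(openssl list -providers | provider_status fips)
    echo "fips provider status: $st"
    [ "$st" = "active" ]
}

# Usage: run with --live to inspect the local installation; without
# arguments the functions are only defined (and can be exercised on the samples).
if [ "${1:-}" = "--live" ]; then
    check_live_fips
fi
```

Note that "active" in the provider list only means the module loaded; whether a given OpenSSL 3 build is FIPS-validated is a separate question that the listing cannot answer, which is the point Comment 1 below raises.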
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2021-11-02 14:57:05 UTC
Because it's a module now I think we don't need to hide it behind a USE flag and can always build the module.

However, OpenSSL 3.0 has no FIPS validation yet (review is pending and is estimated for Q3/2022). So it was intentional to not expose it yet, like you are not "allowed" to make use of it if you care about FIPS.
Comment 2 Larry the Git Cow gentoo-dev 2021-11-02 15:01:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=895d71e3d1c76e283f09143480870a500a889233

commit 895d71e3d1c76e283f09143480870a500a889233
Author:     Mathieu Tortuyaux <mtortuyaux@microsoft.com>
AuthorDate: 2021-11-02 12:52:20 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-11-02 15:00:10 +0000

    dev-libs/openssl: add `fips` support
    
    `FIPS` provider is not enabled by default with OpenSSL version 3. Let's
    make it optional by adding conditional `fips` internal useflag.
    
    See also: https://github.com/openssl/openssl/blob/master/README-FIPS.md
    
    Bug: https://bugs.gentoo.org/820173
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
    Closes: https://github.com/gentoo/gentoo/pull/22796
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/openssl/metadata.xml         | 1 +
 dev-libs/openssl/openssl-3.0.0.ebuild | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-11-02 15:16:06 UTC
(In reply to Thomas Deutschmann from comment #1)
> Because it's a module now I think we don't need to hide it behind a USE flag
> and can always build the module.
> 
> However, OpenSSL 3.0 has no FIPS validation yet (review is pending and is
> estimated for Q3/2022). So it was intentional to not expose it yet like you
> are not "allowed" to make use of it, if you care about FIPS.

Gentoo doesn't have a legal department and upstream OpenSSL shouldn't expose it if it _actually_ shouldn't be used.

A downstream consumer has requested it and I don't see a reason not to expose it. We can make it unconditional once it's been fully approved if it's not already.