Unable to compile OpenVPN with OpenSSL-FIPS #1009

Open
iamjohnnym opened this issue Jan 14, 2019 · 0 comments

@iamjohnnym

Description

When trying to compile OpenVPN-FIPS with OpenSSL-FIPS verification, it fails due to a missing flag that is required for OpenSSL <= 1.0.2. The current openssl is missing a single arg in the configure_args when fips_mode=true, which is a required flag for OpenVPN and other potential packages that need OpenSSL-FIPS.

Current:

https://github.com/chef/omnibus-software/blob/master/config/software/openssl.rb#L88

  configure_args += ["--with-fipsdir=#{install_dir}/embedded", "fips"] if fips_mode?

Recommended per the OpenSSL docs:

  # For OpenSSL <= 1.0.2, `--prefix` and `--openssldir` should be specified.
  # See https://wiki.openssl.org/index.php/Compilation_and_Installation#PREFIX_and_OPENSSLDIR
  configure_args += ["--with-fipsdir=#{install_dir}/embedded", "fips", "--openssldir=#{install_dir}/embedded"] if fips_mode?

Per the OpenSSL docs:

OpenSSL 1.0.2 and below

It is usually not necessary to specify --prefix. If --prefix is not specified, then --openssldir is used. However, specifying only --prefix may result in broken builds because the 1.0.2 build system attempts to build in a FIPS configuration.

You can omit --prefix and use --openssldir. In this case, the paths for --openssldir will be used during configuration. If --openssldir is not specified, the default /usr/local/ssl is used.

The takeaway is /usr/local/ssl is used by default, and it can be overridden with --openssldir. The rule of thumb applies for path overrides: specify both --prefix and --openssldir.

https://wiki.openssl.org/index.php/Compilation_and_Installation#PREFIX_and_OPENSSLDIR

Omnibus Version

$ omnibus --version
Omnibus v6.0.11

Platform Version

Ubuntu {14,16,18}.04

Replication Case

I haven't pushed the repo out yet as it's a WIP:

#
# Copyright 2019 iamjohnnym
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# These options are required for all software definitions
name "openvpn"
default_version "2.4.6"

dependency 'openssl'

# Sources may be URLs, git locations, or path locations
source url: "https://swupdate.openvpn.org/community/releases/openvpn-#{version}.tar.xz"

# A software can specify more than one version that is available for install
version("2.4.6") { source sha256: ENV['OPENVPN_SHA'] }

# This is the path, inside the tarball, where the source resides
relative_path "openvpn-#{version}"

# Whitelist files that are dependent on system libs
whitelist_file "#{install_dir}/embedded/lib/openvpn/plugins/openvpn-plugin-auth-pam.so"
whitelist_file "#{install_dir}/embedded/sbin/openvpn"

build do
  env = with_standard_compiler_flags(with_embedded_path)

  # Make the embedded OpenSSL-FIPS shared libraries visible to the dynamic loader
  # (single quotes keep the redirection inside the sh -c command string)
  command "sudo sh -c 'echo #{install_dir}/embedded/lib > /etc/ld.so.conf.d/openssl-1.0.2p.conf'"
  command "sudo ldconfig -v"

  # Symlink the embedded openssl binaries into /usr/local/bin
  # (-f so a rebuild does not fail when the link already exists)
  command "sudo ln -sf #{install_dir}/embedded/bin/openssl /usr/local/bin/openssl"
  command "sudo ln -sf #{install_dir}/embedded/bin/c_rehash /usr/local/bin/c_rehash"

  # Patch openvpn to allow building against openssl-fips
  patch source: 'openvpn-fips.patch',
        plevel: 1,
        env: env

  # since the files have changed, we need to reconfigure our build files
  command "autoreconf -f -i"

  # "command" is part of the build DSL. There are a number of handy options
  # available, such as "copy", "sync", "ruby", etc. For a complete list, please
  # consult the Omnibus gem documentation.
  #
  # "install_dir" is exposed and refers to the top-level projects +install_dir+
  command [
    "./configure",
    "--enable-fips-mode",
    "--prefix=\"#{install_dir}/embedded\"",
    "OPENSSL_CFLAGS=\"-I#{install_dir}/embedded/include\"",
    "OPENSSL_LIBS=\"-ldl -L#{install_dir}/embedded/lib -lssl -lcrypto\""
  ].join(' '), env: env

  # Make all of the things
  make "-j #{workers}", env: env
  make "-j #{workers} install", env: env

  mkdir "#{install_dir}/sbin"
  link "#{install_dir}/embedded/sbin/openvpn", "#{install_dir}/sbin/openvpn"
  command "sudo ln -sf #{install_dir}/sbin/openvpn /usr/sbin/openvpn"
  project.extra_package_file '/usr/sbin/openvpn'

end
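As an added example (not code from the issue or from omnibus-software), a small post-build check in Ruby: it parses the text printed by `openssl version -a` and flags the two failure modes the issue describes, an OPENSSLDIR left at the /usr/local/ssl default and a build that did not carry the fips configure target. The install_dir value and the sample outputs below are constructed.

```ruby
# Added example: verify an embedded OpenSSL <= 1.0.2 FIPS build from the
# output of `openssl version -a`. INSTALL_DIR is a hypothetical omnibus
# install_dir; the sample outputs are constructed to match that format.
INSTALL_DIR = "/opt/openvpn"

def parse_openssl_version(text)
  info = {}
  text.each_line do |line|
    case line
    when /\AOpenSSL\s+(\S+)/          then info[:version]    = $1
    when /\AOPENSSLDIR:\s*"([^"]*)"/  then info[:openssldir] = $1
    when /\Acompiler:\s*(.*)/         then info[:cflags]     = $1.strip
    end
  end
  info
end

# Returns a list of human-readable problems; an empty list means the build
# reports the expected OPENSSLDIR and was compiled with the FIPS define.
def check_fips_build(text, install_dir)
  info = parse_openssl_version(text)
  expected_dir = "#{install_dir}/embedded"
  problems = []
  problems << "no OpenSSL version line found" unless info[:version]
  if info[:openssldir].nil?
    problems << "OPENSSLDIR not reported"
  elsif info[:openssldir] != expected_dir
    problems << "OPENSSLDIR is #{info[:openssldir]}, expected #{expected_dir} " \
                "(pass --openssldir when configuring OpenSSL <= 1.0.2)"
  end
  unless info[:cflags].to_s.include?("-DOPENSSL_FIPS")
    problems << "build flags lack -DOPENSSL_FIPS; the 'fips' configure target was not applied"
  end
  problems
end

# Constructed sample output for a correctly built embedded OpenSSL.
GOOD_OUTPUT = <<~OUT
  OpenSSL 1.0.2p-fips  14 Aug 2018
  platform: linux-x86_64
  compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_FIPS -O3 -Wall
  OPENSSLDIR: "#{INSTALL_DIR}/embedded"
OUT

# Constructed sample of the broken case: default OPENSSLDIR and no FIPS define.
BAD_OUTPUT = GOOD_OUTPUT.sub(%("#{INSTALL_DIR}/embedded"), '"/usr/local/ssl"')
                        .sub(' -DOPENSSL_FIPS', '')
```

Run it against the real `openssl version -a` output of the embedded binary after `make install` to catch a silent fallback to /usr/local/ssl before packaging.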
