Package request: optional FIPS module support for openssl 3.x

Metadata

homepage URL: https://github.com/openssl/openssl/blob/16311dbf53c464726d73b76d77ecf6275c9f9d08/README-FIPS.md
source URL: https://github.com/openssl/openssl/
license: Apache License 2.0
platforms: unix, linux, darwin, ...

{openssl}:
openssl.overrideAttrs (orig: {
  # Compile the FIPS module:
  configureFlags =
    orig.configureFlags
    ++ [
      "enable-ec_nistp_64_gcc_128"
      "enable-fips"
    ];

  # Also install the FIPS module:
  installTargets = "install install_fips";

  # Enable FIPS in the configuration files:
  postInstall =
    (orig.postInstall or "")
    + ''
      # Modify the original OpenSSL configuration:
      sed -E \
        -e "s|^# \.include fipsmodule\.cnf|.include $etc/etc/ssl/fipsmodule.cnf|" \
        -e "s|^# fips =|fips =|" \
        -e "/^fips =/a base = base_sec\n[base_sec]\nactivate = 1\n" \
        < ${openssl.out}/etc/ssl/openssl.cnf > $etc/etc/ssl/openssl.cnf
    '';

  # Generate and patch the fipsmodule.cnf file.  It is done here
  # because the MAC need to be computed *after* stripping the .so
  # file.  Also need to use the original openssl binary because the
  # postInstall step above broke this one until postFixup runs.
  postFixup =
    (orig.postFixup or "")
    + ''
      # Replace FIPS configuration file with one specific to the module
      # we just built:
      ${openssl.bin}/bin/openssl fipsinstall \
        -out $etc/etc/ssl/fipsmodule.cnf \
        -module $out/lib/ossl-modules/fips.so

      # Then make it look more like Arch Linux:
      sed -i -E \
        -e '/^install-(mac|status)/d' \
        -e '/^security-checks/a tls1-prf-ems-check = 0\ndrbg-no-trunc-md = 0' \
        $etc/etc/ssl/fipsmodule.cnf
    '';
})

Add a :+1: reaction to issues you find important.

NixOS / nixpkgs

Package request: optional FIPS module support for openssl 3.x #324013