feat(openssl): split FIPS provider into separate package #17698

Draft: tobiasb-ms wants to merge 1 commit into 4.0 from tobiasb-ms/openssl-fips-provider

tobiasb-ms (Contributor) commented Jun 11, 2026

Extract the FIPS provider module (fips.so) from the openssl package into a new openssl-fips-provider package, using the upstream fipsinstall approach for integrity verification instead of embedded HMAC.

AB#21687

New package: openssl-fips-provider

Built from the same openssl source with enable-fips. Ships:

  • /usr/lib64/ossl-modules/fips.so
  • /etc/pki/tls/fipsmodule.cnf (generated by fipsinstall post-strip)
  • /etc/pki/tls/openssl.d/openssl-fips-provider.cnf (drop-in config)

The drop-in registers the fips provider in [provider_sect] and includes fipsmodule.cnf, making the provider loadable via openssl ... -provider fips without requiring kernel FIPS mode.

Changes to openssl

  • Remove enable-fips from ./Configure (fips.so no longer built here)
  • Drop patch 0018 (re-enables fipsinstall subcommand)
  • Replace patch 0019 with simplified version: kernel FIPS mode just activates fips+base providers and sets FIPS properties, relying on the drop-in for config rather than loading fips_local.cnf directly
  • Replace patch 0037 with rebased version (context conflict with 0018 removal in doc/man5/fips_config.pod)
  • Remove fips_local.cnf (no longer needed; drop-in provides config)
  • Remove hmac-ify call in %check (no fips.so to process)
  • Keep Requires: openssl-fips-provider on openssl-libs

Config model

  • openssl.d drop-in: makes provider loadable (registers fips_sect, includes MAC data from fipsmodule.cnf)
  • Patch 0019: auto-activates fips+base in kernel FIPS mode
  • Crypto-policies: NOT included in drop-in (activation via update-crypto-policies is a separate concern)

Patch differences between openssl and openssl-fips-provider

Both packages share the same upstream source and nearly all patches.

Dropped from both:

  • 0018 (FIPS-disable-fipsinstall): fipsinstall must work in both

Dropped only from openssl-fips-provider:

  • 0020 (FIPS-INTEG-CHECK-Embed-hmac-in-fips.so): embedded HMAC integrity check, replaced by fipsinstall/fipsmodule.cnf approach
  • 0022 (FIPS-INTEG-CHECK-Execute-KATS-before-HMAC): KAT reordering for embedded HMAC verification, irrelevant without 0020
  • 0053 (Allow-hybrid-MLKEM-in-FIPS-mode): touches defltprov.c and libcrypto internals only — not compiled into fips.so

Patches 0020/0022 remain in openssl because the patched files (providers/fips/self_test.c) exist in the source tree but are not compiled without enable-fips — they are inert and removing them would add overlay complexity for no functional benefit. Patch 0053 is guarded by a %{defined azurelinux} conditional in openssl only.

Identical in both (same file content):

  • 0019 (FIPS-Force-fips-provider-on): simplified to just activate providers in kernel FIPS mode, drop fips_local.cnf loading
  • 0037 (FIPS-TLS-Enforce-EMS): rebased fips_config.pod hunk against full upstream file (old version depended on 0018's gutting)

These patches modify code in libcrypto/libssl (not fips.so), so their content is functionally irrelevant to the fips-provider build — they just need to apply cleanly. Unified to reduce maintenance surface.
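
Why the description above says fipsmodule.cnf is generated post-strip, shown as an added example (not code from this PR or from OpenSSL): the `module-mac` that fipsinstall records is a MAC over the bytes of the module file (HMAC-SHA256 here, the upstream default), so any change to fips.so after that point, including `strip`, makes verification fail. The key, the stand-in module bytes and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values (assumptions, not taken from the PR or the package).
SAMPLE_KEY_HEX = "000102030405060708090a0b0c0d0e0f"
UNSTRIPPED = b"\x7fELF" + b"code" * 64 + b".symtab.debug_info" * 8
STRIPPED = UNSTRIPPED[:260]  # simulates strip dropping the trailing sections


def module_mac(module_bytes: bytes, key_hex: str) -> str:
    """HMAC-SHA256 over the whole module file, in colon-separated hex."""
    digest = hmac.new(bytes.fromhex(key_hex), module_bytes, hashlib.sha256).digest()
    return ":".join(f"{b:02X}" for b in digest)


def render_fipsmodule_cnf(module_bytes: bytes, key_hex: str) -> str:
    """Minimal [fips_sect] with only the fields this example needs."""
    mac = module_mac(module_bytes, key_hex)
    return f"[fips_sect]\nactivate = 1\nmodule-mac = {mac}\n"


def read_module_mac(cnf_text: str) -> str:
    """Extract the recorded module-mac value from the config text."""
    for line in cnf_text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == "module-mac":
            return value.strip().upper()
    raise ValueError("module-mac not found in config")


def verify_module(cnf_text: str, installed_bytes: bytes, key_hex: str) -> bool:
    """Recompute the MAC of the installed file and compare in constant time."""
    recorded = read_module_mac(cnf_text)
    return hmac.compare_digest(recorded, module_mac(installed_bytes, key_hex))


def packaging_orders() -> dict:
    """Compare the two build orders against the file that actually ships."""
    mac_before_strip = render_fipsmodule_cnf(UNSTRIPPED, SAMPLE_KEY_HEX)
    mac_after_strip = render_fipsmodule_cnf(STRIPPED, SAMPLE_KEY_HEX)
    return {
        "fipsinstall_then_strip": verify_module(mac_before_strip, STRIPPED, SAMPLE_KEY_HEX),
        "strip_then_fipsinstall": verify_module(mac_after_strip, STRIPPED, SAMPLE_KEY_HEX),
    }


if __name__ == "__main__":
    print(packaging_orders())
```

The same comparison also fails for a single changed byte in the shipped file, which is the property the integrity check exists to provide.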

tobiasb-ms force-pushed the tobiasb-ms/openssl-fips-provider branch 2 times, most recently from 2262b0a to 59cc7f8, June 14, 2026 18:45

Extract the FIPS provider module (fips.so) from the openssl package into
a new openssl-fips-provider package, using the upstream fipsinstall
approach for integrity verification instead of embedded HMAC.

== New package: openssl-fips-provider ==

Built from the same openssl source with enable-fips. Ships:
- /usr/lib64/ossl-modules/fips.so
- /etc/pki/tls/fipsmodule.cnf (generated by fipsinstall post-strip)
- /etc/pki/tls/openssl.d/openssl-fips-provider.cnf (drop-in config)

The drop-in registers the fips provider in [provider_sect] and includes
fipsmodule.cnf, making the provider loadable via 'openssl ... -provider
fips' without requiring kernel FIPS mode.

== Changes to openssl ==

- Remove enable-fips from ./Configure (fips.so no longer built here)
- Drop patch 0018 (re-enables fipsinstall subcommand)
- Replace patch 0019 with simplified version: kernel FIPS mode just
  activates fips+base providers and sets FIPS properties, relying on
  the drop-in for config rather than loading fips_local.cnf directly
- Replace patch 0037 with rebased version (context conflict with 0018
  removal in doc/man5/fips_config.pod)
- Remove fips_local.cnf (no longer needed; drop-in provides config)
- Remove %{SOURCE1} hmac-ify call in %check (no fips.so to process)
- Keep Requires: openssl-fips-provider on openssl-libs

All other FIPS patches remain — they modify libcrypto/libssl runtime
behavior for loading and activating an external FIPS provider.

== Patch differences between openssl and openssl-fips-provider ==

Both packages share the same upstream source and nearly all patches.
Differences:

Dropped from both:
- 0018 (FIPS-disable-fipsinstall): re-enable fipsinstall subcommand

Dropped only from openssl-fips-provider:
- 0020 (FIPS-INTEG-CHECK-Embed-hmac-in-fips.so): embedded HMAC
  integrity check, replaced by fipsinstall/fipsmodule.cnf approach
- 0022 (FIPS-INTEG-CHECK-Execute-KATS-before-HMAC): KAT reordering
  for embedded HMAC verification, irrelevant without 0020
- 0053 (Allow-hybrid-MLKEM-in-FIPS-mode): touches defltprov.c and
  libcrypto internals only — not compiled into fips.so

Patches 0020/0022 remain in openssl because the patched files
(providers/fips/self_test.c) exist in the source tree but are not
compiled without enable-fips — they are inert and removing them would
add overlay complexity for no functional benefit. Patch 0053 is
guarded by a %{defined azurelinux} conditional in openssl only.

Identical in both (same file content):
- 0019 (FIPS-Force-fips-provider-on): simplified to just activate
  providers in kernel FIPS mode, drop fips_local.cnf loading
- 0037 (FIPS-TLS-Enforce-EMS): rebased fips_config.pod hunk against
  full upstream file (old version depended on 0018's gutting)

These patches modify code in libcrypto/libssl (not fips.so), so their
content is functionally irrelevant to the fips-provider build — they
just need to apply cleanly. Unified to reduce maintenance surface.

== Config model ==

- openssl.d drop-in: makes provider loadable (registers fips_sect,
  includes MAC data from fipsmodule.cnf)
- Patch 0019: auto-activates fips+base in kernel FIPS mode
- Crypto-policies: NOT included in drop-in (activation via
  update-crypto-policies is a separate concern)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

tobiasb-ms force-pushed the tobiasb-ms/openssl-fips-provider branch from 59cc7f8 to 3988b08, June 14, 2026 20:18