-
Notifications
You must be signed in to change notification settings - Fork 287
/
Copy pathopenssl.yaml
322 lines (304 loc) · 10.5 KB
/
openssl.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
#nolint:forbidden-repository-used,forbidden-keyring-used
package:
name: openssl
version: 3.4.0
epoch: 6
description: "the OpenSSL cryptography suite"
copyright:
- license: Apache-2.0
dependencies:
# For apk upgrades
replaces:
- openssl-config<3.4.0
replaces-priority: 5
resources:
cpu: 16
memory: 16Gi
environment:
contents:
# NB! accessing historic, but certified build of
# jitterentropy-library-dev=3.5.0-r0. In a fresh bootstrap build
# any version of jitternetropy-library and get an ESV certificate
# for it.
build_repositories:
- https://packages.wolfi.dev/os
packages:
- build-base
- busybox
- ca-certificates-bundle
# NB! pinned to version https://csrc.nist.gov/projects/cryptographic-module-validation-program/entropy-validations/certificate/191
- jitterentropy-library-dev=3.5.0-r0
- jitterentropy-library=3.5.0-r0
- perl
environment:
# To support automatic discovery of source code in debug symbols
# packaged in openssl-dbg, build with debug symbols &
# file-prefix-map. Also see "Create dbg sourcecode" and
# split/debug.
CFLAGS: "-g -ffile-prefix-map=/home/build=/usr/src/${{package.name}}"
pipeline:
- uses: git-checkout
with:
repository: https://github.com/openssl/openssl
tag: openssl-${{package.version}}
expected-commit: 98acb6b02839c609ef5b837794e08d906d965335
cherry-picks: |
openssl-3.4/77c608f4c8857e63e98e66444e2e761c9627916f: Fix timing side-channel in ECDSA signature computation (fix for CVE-2024-13176)
- uses: patch
with:
patches: fix-jitter-old-providers.patch
- name: Create dbg sourcecode
runs: |
SRCDIR=$(mktemp -d)
cp -r . $SRCDIR/
mkdir -p ${{targets.destdir}}-dbg/usr/src/
mv $SRCDIR ${{targets.destdir}}-dbg/usr/src/${{package.name}}
# Note that mktemp -d created it as 700, whilst the contents
# inside is 644 for files and 755 for dirs, without this gdb
# doesn't work for non-root user, fix this up.
chmod 755 ${{targets.destdir}}-dbg/usr/src/${{package.name}}
- name: Configure and build
runs: |
perl ./Configure \
linux-${{build.arch}} \
--prefix=/usr \
--libdir=lib \
--openssldir=/etc/ssl \
enable-ktls \
enable-jitter \
shared \
enable-pie \
no-zlib \
no-async \
no-comp \
no-idea \
no-mdc2 \
no-rc5 \
no-ec2m \
no-sm2 \
no-sm4 \
no-ssl3 \
no-seed \
no-weak-ssl-ciphers \
-Wa,--noexecstack
perl configdata.pm --dump
make -j$(nproc)
make tests HARNESS_JOBS=10
- uses: autoconf/make-install
- runs: |
rm ${{targets.destdir}}/usr/bin/c_rehash
# Effectively no-op config file, which matches fallback behaviour
# The CA cert generation options are not fit for any certs
rm ${{targets.destdir}}/etc/ssl/openssl.cnf
# Second identical copy of the above
rm ${{targets.destdir}}/etc/ssl/openssl.cnf.dist
# Provide our hardened configuration for ca & req apps, note
# ca.cnf is shipped with libraries to be reusable without
# openssl tool
cp openssl.cnf ${{targets.destdir}}/etc/ssl/
# Empty CT log
rm ${{targets.destdir}}/etc/ssl/ct_log_list.cnf
# Second copy of CT log
rm ${{targets.destdir}}/etc/ssl/ct_log_list.cnf.dist
# Keeping etc/ssl/misc CA.pl & tsget perl scripts
# without depending on perl, here in openssl package
# This now makes openssl-config empty package, remove it
# This also removes the need to have things coupled with
# openssl-config-fipshardened going forward.
data:
- name: engines
items:
afalg: Linux AF_ALG engine
capi: CAPI engine
padlock: VIA Padlock engine
subpackages:
- name: "openssl-dbg"
description: "OpenSSL debug symbols"
pipeline:
- uses: split/debug
- name: "openssl-doc"
description: "OpenSSL documentation"
pipeline:
- uses: split/manpages
- runs: |
mv "${{targets.destdir}}"/usr/share/doc "${{targets.subpkgdir}}"/usr/share
- name: "libcrypto3"
description: "OpenSSL libcrypto library"
pipeline:
- runs: |
mkdir -p "${{targets.subpkgdir}}"/usr/lib
mv "${{targets.destdir}}"/usr/lib/libcrypto.so.3 "${{targets.subpkgdir}}"/usr/lib
# Provide our hardened configuration for ca & req apps, note
# ca.cnf is shipped here to be reusable without the openssl tool
mkdir -p "${{targets.subpkgdir}}"/etc/ssl
cp ca.cnf ${{targets.subpkgdir}}/etc/ssl/
- name: "libssl3"
description: "OpenSSL libssl library"
pipeline:
- runs: |
mkdir -p "${{targets.subpkgdir}}"/usr/lib
mv "${{targets.destdir}}"/usr/lib/libssl.so.3 "${{targets.subpkgdir}}"/usr/lib
- name: "openssl-dev"
description: "OpenSSL headers"
dependencies:
runtime:
# TODO: for static linking only, split into openssl-static, or
# fix upstream (note .so actually links 3.5.0-r0 but melange
# hates that here)
- jitterentropy-library-dev
- jitterentropy-library
pipeline:
- uses: split/dev
test:
pipeline:
- uses: test/pkgconf
- range: engines
name: "openssl-engine-${{range.key}}"
description: "OpenSSL ${{range.value}}"
pipeline:
- runs: |
mkdir -p "${{targets.subpkgdir}}"/usr/lib/engines-3
mv "${{targets.destdir}}"/usr/lib/engines-3/${{range.key}}.so "${{targets.subpkgdir}}"/usr/lib/engines-3/
- name: "openssl-engine-loader-attic"
description: "OpenSSL Loader Attic internal test engine"
pipeline:
- runs: |
mkdir -p "${{targets.subpkgdir}}"/usr/lib/engines-3
mv "${{targets.destdir}}"/usr/lib/engines-3/loader_attic.so "${{targets.subpkgdir}}"/usr/lib/engines-3/
- name: "openssl-provider-legacy"
description: "OpenSSL legacy provider"
pipeline:
- runs: |
mkdir -p "${{targets.subpkgdir}}"/usr/lib/ossl-modules
mv "${{targets.destdir}}"/usr/lib/ossl-modules/legacy.so "${{targets.subpkgdir}}"/usr/lib/ossl-modules/
test:
environment:
contents:
packages:
- curl
- gdb
- git
- openssl-dbg
- wget
pipeline:
- uses: test/hardening-check
with:
package-match: "^openssl$\\|libssl3"
- uses: test/hardening-check
with:
# jitterentropy is without CF protection so far
args: "--nocfprotection"
package-match: "^libcrypto3$"
- runs: |
openssl --version
openssl --help
- name: Verify curl still works
runs: |
curl -I https://github.com/openssl/openssl
! curl https://expired.badssl.com/
- name: Verify git still works
runs: |
git ls-remote --exit-code https://github.com/openssl/openssl refs/tags/openssl-${{package.version}}
- name: Verify wget still works
runs: |
wget -O /dev/null https://github.com/openssl/openssl
! wget https://expired.badssl.com/
- name: Verify jitter cherry-pick has no effect by default
runs: |
# Possibly python gdb would be easier to read
cat <<EOF >openssl.gdb
set pagination off
set logging file gdb.log
set logging on
set width 0
set height 0
set verbose off
set breakpoint pending on
break get_jitter_random_value
commands 1
continue
end
break syscall_random
commands 2
continue
end
run genrsa -out /dev/null
EOF
gdb --batch --command ./openssl.gdb openssl
# Assert that jitter entropy was not used
grep -q 'Breakpoint 1,' gdb.log && exit 1
# Assert that getrandom syscall wrapper was used
grep -q 'Breakpoint 2,' gdb.log || exit 1
- name: Verify jitter entropy source opt-in works
runs: |
cat <<EOF >openssl.cnf
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
random = random
[random]
seed = JITTER
[provider_sect]
default = default_sect
[default_sect]
activate = 1
EOF
export OPENSSL_CONF=openssl.cnf
# Possibly python gdb would be easier to read
cat <<EOF >openssl.gdb
set pagination off
set logging file jitter.log
set logging on
set width 0
set height 0
set verbose off
set breakpoint pending on
break get_jitter_random_value
commands 1
continue
end
break syscall_random
commands 2
continue
end
run genrsa -out /dev/null
EOF
gdb --batch --command ./openssl.gdb openssl
# Assert that jitter entropy was not used
grep -q 'Breakpoint 1,' jitter.log || exit 1
# Assert that getrandom syscall wrapper was used
grep -q 'Breakpoint 2,' jitter.log && exit 1
- name: docker-dind certificate generation
runs: |
# Distilled from dockerd-entrypoint.sh
set -x
tmpdir="$(mktemp -d)"
trap "rm -rf "$tmpdir"" EXIT
rm -rf "$tmpdir/certs/"
mkdir -p "$tmpdir/certs/ca"
openssl genrsa -out "$tmpdir/certs/ca/key.pem" 4096
openssl req -new -key "$tmpdir/certs/ca/key.pem" \
-out "$tmpdir/certs/ca/cert.pem" -subj '/CN=docker:dind CA' \
-x509 -days 825
mkdir -p "$tmpdir/certs/server"
openssl genrsa -out "$tmpdir/certs/server/key.pem" 4096
openssl req -new -key "$tmpdir/certs/server/key.pem" \
-out "$tmpdir/certs/server/csr.pem" -subj '/CN=docker:dind server'
cat << EOF >"$tmpdir/certs/server/openssl.cnf"
[ x509_exts ]
subjectAltName = DNS:b51ddd7b8dcd,DNS:docker,DNS:localhost,IP:127.0.0.1,IP:172.17.0.4,IP:::1
EOF
openssl x509 -req -in "$tmpdir/certs/server/csr.pem"\
-CA "$tmpdir/certs/ca/cert.pem" -CAkey "$tmpdir/certs/ca/key.pem" \
-CAcreateserial -out "$tmpdir/certs/server/cert.pem" \
-days 825 -extfile "$tmpdir/certs/server/openssl.cnf" \
-extensions x509_exts
cp "$tmpdir/certs/ca/cert.pem" "$tmpdir/certs/server/ca.pem"
openssl verify -CAfile "$tmpdir/certs/server/ca.pem" \
"$tmpdir/certs/server/cert.pem"
update:
enabled: true
github:
identifier: openssl/openssl
strip-prefix: openssl-
tag-filter-prefix: openssl-