modified steps to install the FIPS provider for OpenSSL

Signed-off-by: poorndm <poorndm@progress.com>
chef · Apr 22, 2024 · 660e354 · 660e354
1 parent 240d7f6
commit 660e354
Showing 1 changed file with 18 additions and 1 deletion.
diff --git a/config/software/openssl.rb b/config/software/openssl.rb
@@ -110,7 +110,7 @@
   if version.satisfies?("< 3.0.0")
     configure_args += ["--with-fipsdir=#{install_dir}/embedded", "fips"] if fips_mode?
   else
-    configure_args += ["-enable-fips"] if fips_mode?
+    configure_args += ["enable-fips"] if fips_mode?
   end
 
   configure_cmd =
@@ -205,4 +205,21 @@
     command "sudo /usr/sbin/slibclean", env: env
   end
   make "install", env: env
+
+  if fips_mode?
+    # running the make install_fips step to install the FIPS provider
+    # make "install_fips", env: env
+
+    fips_cnf_file = "#{install_dir}/embedded/ssl/fipsmodule.cnf"
+    fips_module_file = "#{install_dir}/embedded/lib/ossl-modules/fips.#{windows? ? "dll" : "so"}"
+
+    # Running the `openssl fipsinstall -out fipsmodule.cnf -module fips.so` command
+    command "#{install_dir}/embedded/bin/openssl fipsinstall -out #{fips_cnf_file} -module #{fips_module_file}"
+
+    # Updating the openssl.cnf file to enable the fips provider
+    command "sed -i -e 's|# .include fipsmodule.cnf|.include #{fips_cnf_file}|g' #{install_dir}/embedded/ssl/openssl.cnf"
+    command "sed -i -e 's|# fips = fips_sect|fips = fips_sect|g' #{install_dir}/embedded/ssl/openssl.cnf"
+  end
+
+  command "#{install_dir}/embedded/bin/openssl list -providers"
 end