Skip to content

Upgrade to OpenSSL 3.0.17 #265

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jbdelcuv merged 17 commits into from
Oct 9, 2025
Merged

Upgrade to OpenSSL 3.0.17 #265

jbdelcuv merged 17 commits into from
Oct 9, 2025

Conversation

@jbdelcuv
Copy link
Contributor

@jbdelcuv jbdelcuv commented Oct 7, 2025

Upgrade the SGX-SSL library to utilize OpenSSL 3.0.17 while leaving OpenSSL 3.1.6 to provide FIPS provider support.

jbdelcuv added 14 commits October 1, 2025 10:46
@jbdelcuv
Revert back to commit f9e87b9 to support OpenSSL 3.0.17.
172e6bf 
There aren't any differences between OpenSSL 3.0.12 and 3.0.17.

Signed-off-by: Juan del Cuvillo <[email protected]>
@jbdelcuv
Support for the FIPS provider was added as an experimental feature.
7286b37 
It is explicitly disabled by default.

Signed-off-by: Juan del Cuvillo <[email protected]>
@jbdelcuv
Temporarily disable the build of the FIPS provider.
60b9bff 
Signed-off-by: Juan del Cuvillo <[email protected]>
@jbdelcuv
By default, the SGX-SSL library depends on the OpenSSL 3.0 series, while
07a896f 
the FIPS provider requires OpenSSL 3.1.

Signed-off-by: Juan del Cuvillo <[email protected]>
@jbdelcuv
Fix issue #264: Forcing installing the FIPS library while not building
2650e69 
FIPS causes the Makefile to prematurely show error.

Signed-off-by: Juan del Cuvillo <[email protected]>
@jbdelcuv
The FIPS provider inside an SGX enclave should seed the DRBG with the…
2caa7b7 
… RDSEED

or RDRAND instruction rather than an OS-specific source of entropy.

Signed-off-by: Juan del Cuvillo <[email protected]>
@jbdelcuv
Re-enable the FIPS provider build.
f080511 
Confirm that issue #264 has been resolved.

Signed-off-by: Juan del Cuvillo <[email protected]>
@jbdelcuv
Revert back commit 07a896f.
cd3b042 
We only this script to build the SGX-SSL library, which depends on
OpenSSL 3.0 series, not the OpenSSL FIPS provider.

Signed-off-by: Juan del Cuvillo <[email protected]>
@jbdelcuv
Update to support building with OpenSSL 3.0.17.
4055f76 
Signed-off-by: Juan del Cuvillo <[email protected]>
@jbdelcuv
Clarify that we don't build the test app in FIPS mode by default because
37460fc 
the FIPS provider has not yet been built.

Signed-off-by: Juan del Cuvillo <[email protected]>
@jbdelcuv
Add a section about the FIPS provider and revise the structure.
9f277ac 
Signed-off-by: Juan del Cuvillo <[email protected]>
@jbdelcuv
Minor formatting fix.
d5f8d08 
Signed-off-by: Juan del Cuvillo <[email protected]>
@jbdelcuv
Suppress compiler warning.
86a5a1d 
Signed-off-by: Juan del Cuvillo <[email protected]>
@jbdelcuv
Fix Makefile rule target. The Edger8r with --header-only produces only a
df0956c 
header file.
Fix typo.

Signed-off-by: Juan del Cuvillo <[email protected]>
@jbdelcuv jbdelcuv self-assigned this Oct 7, 2025
@jbdelcuv jbdelcuv linked an issue Oct 7, 2025 that may be closed by this pull request
Forcing installing the FIPS library while not building FIPS causes the Makefile to prematurely show error #264
Closed
@jbdelcuv
Download the SGX SDK 2.26 and OpenSSL 3.0.17 for testing.
67bce2b 
Signed-off-by: Juan del Cuvillo <[email protected]>
@jbdelcuv
Fix SGX SDK release number.
8093ce1 
Signed-off-by: Juan del Cuvillo <[email protected]>
@jbdelcuv
Download OpenSSL 3.1.6 to avoid error building sgxssl_no_mitigation.
4891a8f 
Proper fix to the Makefile needed.

Signed-off-by: Juan del Cuvillo <[email protected]>
@jbdelcuv jbdelcuv requested review from andyzyb and binxing October 8, 2025 17:30
@jbdelcuv jbdelcuv merged commit 070657f into main Oct 9, 2025
3 checks passed
@jbdelcuv jbdelcuv requested a review from bgotowal October 15, 2025 19:42
@jbdelcuv jbdelcuv deleted the dev/jbdelcuv/support_openssl_3.0.17 branch October 23, 2025 14:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fchinchilla fchinchilla fchinchilla approved these changes

@lzha101 lzha101 Awaiting requested review from lzha101

@binxing binxing Awaiting requested review from binxing

@andyzyb andyzyb Awaiting requested review from andyzyb

@bgotowal bgotowal Awaiting requested review from bgotowal

Assignees

@jbdelcuv jbdelcuv

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Forcing installing the FIPS library while not building FIPS causes the Makefile to prematurely show error

3 participants

@jbdelcuv @fchinchilla