[openssl] support fips build feature

[lbermes]

I only implemented and tested it for windows as I have no option to do this under linux.
I'm new with changes here but I like to learn and to support this project

• Changes comply with the maintainer guide
• SHA512s are updated for each updated download
  (no checksum changes)
• The "supports" clause reflects platforms that may be fixed by this new version
  (I would like to mark the feature as only available for Windows but did not found or understood the syntax how todo this)
• Any fixed CI baseline entries are removed from that file.
  (nothing changed)
• Any patches that are no longer applied are deleted from the port's directory.
  (nothing changed)
• The version database is fixed by rerunning ./vcpkg x-add-version --all and committing the result.
• Only one version is added to each modified port's versions file.

[lbermes]

Added "supports" to the feature as I only tested it for windows

[lbermes]

@lbermes please read the following Contributor License Agreement(CLA). If you agree with the CLA, please reply with the following information.

@microsoft-github-policy-service agree [company="{your company}"]

Options:

• (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.

@microsoft-github-policy-service agree

• (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.

@microsoft-github-policy-service agree company="Microsoft"

Contributor License Agreement

@microsoft-github-policy-service agree

[dg0yt]

This PR shouldn't be merged with a windows-only change, now that windows and !windows finally share most of the openssl setup. But I will need a few more days to look into a general solution.

[dg0yt]

supports is to match upstream's position. We should help you to have all platforms supported.

[lbermes]

I think this can also work under linux so removing "supports" would already fit but I had no option to test this

[Adela0814]

You can remove supports field, I have tested fips on linux and osx.

[Adela0814]

You can remove supports field, I have tested fips on linux and osx.

[dg0yt]

I tested the PR.
AFAIU fips support is only available with dynamic linkage. (There is no build error, but the feature will simply not be installed.) The feature should be declared with:

"supports": "!static"

[BillyONeal]

Thanks!

[lbermes]

Thank you for your support

[lbermes]

I had the time to rebuild all based on the merge and see now an issue under windows
warning: The following files are placed in C:\GitHub\vcpkg\packages\openssl_x64-windows:

C:\GitHub\vcpkg\packages\openssl_x64-windows\fipsmodule.cnf

warning: Files cannot be present in those directories.
error: Found 1 post-build check problem(s). To submit these ports to curated catalogs, please first correct the portfile: C:\GitHub\vcpkg\ports\openssl\portfile.cmake

What would be the right/best way to merge a fix.
Should I simply create a new pull request with the fix?

[BillyONeal]

Should I simply create a new pull request with the fix?

Yes please

[dg0yt]

While we are at fips: Should it become a default feature? (Is it a default feature upstream?)

[BillyONeal]

While we are at fips: Should it become a default feature? (Is it a default feature upstream?)

I don't think so; normally FIPS only certifies distribution in binary forms, not in source forms. Moreover, I don't know about OpenSSL specifically, but elsewhere I've seen a FIPS mode that usually implies turning things off (that have not been certified) rather than on.

[guenterbe]

After getting the latest updates from github and rebuilding openssl, I can't find any fips.dll on Windows or fips.so on Linux.
Isn't a "vcpkg install openssl" sufficient? Are there some undocumented (or not found by me) command line switches?

[lbermes]

Hi, please use the feature fips.
I added this first only for windows but the see the comment of [Adela0814]
It was requested that I remove this and so it now is a feature for all platforms.

[lbermes]

"vcpkg install openssl[fips]" or with the tools "vcpkg install openssl[tools,fips]"

[lbermes]

But I wonder how this influenced the linux build. I did not adjusted the linux port file.

[guenterbe]

@lbermes I have never needed the [features] in the past and was therefore not aware of them (must have missed them in the docs). Thanks very much!