Add OpenSSL-FIPS CMake flag

Usage of the deprecated 'SHA256_*' OpenSSL API in a FIPS compliant environment results in OpenSSL's assertion failure with the following description: "OpenSSL internal error, assertion failed: Low level API call to digest SHA256 forbidden in FIPS mode!" This commit adds a possibility to use the OpenSSL's 'EVP_MD*' API instead of the deprecated 'SHA256_*' API, by extending the optional CMake flag 'USE_SHA256' with the new option called 'OpenSSL-FIPS'. The new option is used to choose a hashing backend used by libgit2 to calculate SHA256 hashes, in a similar way that currently existing options like 'OpenSSL', 'OpenSSL-Dynamic', 'mbedTLS' etc do. 'OpenSSL-FIPS' is a fully opt-in option which is purposely not interfering with the existing options, because, after running some benchmarks, it's been discovered that using the 'EVP_MD*' API causes hashing to be a bit slower in comparison to using the deprecated 'SHA256_*' API. Another change introduced in this commit is the enhancement of the Nightly workflow (nightly.yml) which will cause libgit2 to be automatically built with '-DUSE_SHA256="OpenSSL-FIPS"' CMake flag, on Linux, macOS and Windows.
2026-01-25 02:56:17 +00:00 · 2024-10-09 14:51:42 +02:00
parent 0da8e725f1
commit 7f7dfe71cc
7 changed files with 116 additions and 3 deletions
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -373,6 +373,34 @@ jobs:
            CMAKE_OPTIONS: -A x64 -DWIN32_LEAKCHECK=ON -DDEPRECATE_HARD=ON -DEXPERIMENTAL_SHA256=ON
            SKIP_SSH_TESTS: true
            SKIP_NEGOTIATE_TESTS: true
+        - name: "Linux (SHA256-FIPS, Xenial, Clang, OpenSSL)"
+          id: linux-sha256-fips
+          container:
+            name: xenial
+          env:
+            CC: clang
+            CMAKE_GENERATOR: Ninja
+            CMAKE_OPTIONS: -DUSE_HTTPS=OpenSSL -DDEPRECATE_HARD=ON -DUSE_LEAK_CHECKER=valgrind -DUSE_GSSAPI=ON -DUSE_SSH=ON -DUSE_SHA256="OpenSSL-FIPS"
+          os: ubuntu-latest
+        - name: "macOS (SHA256-FIPS)"
+          id: macos-sha256-fips
+          os: macos-13
+          setup-script: osx
+          env:
+            CC: clang
+            CMAKE_OPTIONS: -DREGEX_BACKEND=regcomp_l -DDEPRECATE_HARD=ON -DUSE_LEAK_CHECKER=leaks -DUSE_GSSAPI=ON -DEXPERIMENTAL_SHA256=ON -DUSE_SHA256="OpenSSL-FIPS"
+            PKG_CONFIG_PATH: /usr/local/opt/openssl/lib/pkgconfig
+            SKIP_SSH_TESTS: true
+            SKIP_NEGOTIATE_TESTS: true
+        - name: "Windows (SHA256-FIPS, amd64, Visual Studio)"
+          id: windows-sha256-fips
+          os: windows-2022
+          env:
+            ARCH: amd64
+            CMAKE_GENERATOR: Visual Studio 17 2022
+            CMAKE_OPTIONS: -A x64 -DWIN32_LEAKCHECK=ON -DDEPRECATE_HARD=ON -DEXPERIMENTAL_SHA256=ON -DUSE_SHA256="OpenSSL-FIPS"
+            SKIP_SSH_TESTS: true
+            SKIP_NEGOTIATE_TESTS: true
      fail-fast: false
    env: ${{ matrix.platform.env }}
    runs-on: ${{ matrix.platform.os }}