MINIFICPP-2524 Add FIPS compliancy support

CMakeLists.txt

@@ -431,6 +431,7 @@ if(WIN32)
     set(CPACK_WIX_UI_DIALOG "${CMAKE_CURRENT_SOURCE_DIR}/msi/bgr.png")
 
     file(COPY "${CMAKE_CURRENT_SOURCE_DIR}/conf/" DESTINATION "${CMAKE_CURRENT_BINARY_DIR}/conf/")
+    file(COPY "${CMAKE_CURRENT_SOURCE_DIR}/fips/" DESTINATION "${CMAKE_CURRENT_BINARY_DIR}/fips/")
     file(COPY "${CMAKE_CURRENT_SOURCE_DIR}/LICENSE" DESTINATION "${CMAKE_CURRENT_BINARY_DIR}")
     file(COPY "${CMAKE_CURRENT_SOURCE_DIR}/NOTICE" DESTINATION "${CMAKE_CURRENT_BINARY_DIR}")
     file(GLOB markdown_docs "${CMAKE_CURRENT_SOURCE_DIR}/*.md")
@@ -552,6 +553,10 @@ if (NOT WIN32)
         DESTINATION conf
         COMPONENT bin)
 
+    install(FILES fips/openssl.cnf
+        DESTINATION fips
+        COMPONENT bin)
+
     install(DIRECTORY extensions/python/pythonprocessors/
         DESTINATION minifi-python
         COMPONENT bin)

CONFIGURE.md

@@ -805,6 +805,23 @@ To notify the agent which extensions it should load see [Loading extensions](Ext
 ### Python processors
 Please see the [Python Processors Readme](extensions/python/PYTHON.md).
 
+### Enabling FIPS support
+
+To enable FIPS support, and use MiNiFi C++ in FIPS compliant mode, there are a few steps that need to be taken before the application startup. First the following property needs to be set in the minifi.properties file:
+
+    # in minifi.properties
+    nifi.openssl.fips.support.enable=true
+
+Before first starting the application, the fipsmodule.cnf needs to be generated. To do this run the following command with the openssl binary (openssl on Unix and openssl.exe on windows) with the following parameters provided in the $MINIFI_HOME/fips directory:
+
+    # on Unix platform
+    ./openssl fipsinstall -out fipsmodule.cnf -module $MINIFI_HOME/fips/fips.so
+
+    # on Windows platform
+    openssl.exe fipsinstall -out fipsmodule.cnf -module $MINIFI_HOME\fips\fips.dll
+
+If the command finishes successfully, the fipsmodule.cnf file will be generated in the $MINIFI_HOME/fips directory. After this the application can be started and it will configure OpenSSL to start in FIPS mode.
+
 ## Log configuration
 By default the application logs for Apache MiNiFi C++ can be found in the ${MINIFI_HOME}/logs/minifi-app.log file with default INFO level logging. The logger can be reconfigured in the ${MINIFI_HOME}/conf/minifi-log.properties file to use different output streams, log level, and output format.
 

cmake/BundledOpenSSL.cmake

@@ -38,6 +38,12 @@ function(use_openssl SOURCE_DIR BINARY_DIR)
         set(BYPRODUCT_SUFFIX ".a" CACHE STRING "" FORCE)
     endif()
 
+    if (WIN32)
+        set(EXECUTABLE_SUFFIX ".exe" CACHE STRING "" FORCE)
+    else()
+        set(EXECUTABLE_SUFFIX "" CACHE STRING "" FORCE)
+    endif()
+
     set(BYPRODUCTS
             "${LIBDIR}/${BYPRODUCT_PREFIX}ssl${BYPRODUCT_SUFFIX}"
             "${LIBDIR}/${BYPRODUCT_PREFIX}crypto${BYPRODUCT_SUFFIX}"
@@ -51,15 +57,12 @@ function(use_openssl SOURCE_DIR BINARY_DIR)
 
     set(OPENSSL_EXTRA_FLAGS
             no-tests            # Disable tests
-            no-apps             # disable executables
             no-capieng          # disable CAPI engine (legacy)
-            no-dso              # disable dynamic libraries
             no-docs             # disable docs and manpages
             no-legacy           # disable legacy modules
-            no-module           # disable dynamically loadable engines
-            no-pinshared        # don't pin shared libraries in the process memory
             enable-tfo          # Enable TCP Fast Open
-            no-ssl)             # disable SSLv3
+            no-ssl              # disable SSLv3
+            no-engine)          # disable Engine API as it is deprecated since OpenSSL 3.0 and not FIPS compatible
 
     set(OPENSSL_BIN_DIR "${BINARY_DIR}/thirdparty/openssl-install" CACHE STRING "" FORCE)
 
@@ -132,6 +135,7 @@ function(use_openssl SOURCE_DIR BINARY_DIR)
     set(OPENSSL_LIBRARIES "${OPENSSL_LIBRARIES_LIST};${CMAKE_DL_LIBS}"  CACHE STRING "" FORCE)
     set(OPENSSL_CRYPTO_LIBRARY "${OPENSSL_BIN_DIR}/${LIBDIR}/${BYPRODUCT_PREFIX}crypto${BYPRODUCT_SUFFIX}" CACHE STRING "" FORCE)
     set(OPENSSL_SSL_LIBRARY "${OPENSSL_BIN_DIR}/${LIBDIR}/${BYPRODUCT_PREFIX}ssl${BYPRODUCT_SUFFIX}" CACHE STRING "" FORCE)
+    set(OPENSSL_VERSION "3.3.2" CACHE STRING "" FORCE)
 
     # Set exported variables for FindPackage.cmake
     set(PASSTHROUGH_VARIABLES ${PASSTHROUGH_VARIABLES} "-DEXPORTED_OPENSSL_INCLUDE_DIR=${OPENSSL_INCLUDE_DIR}" CACHE STRING "" FORCE)
@@ -165,4 +169,77 @@ function(use_openssl SOURCE_DIR BINARY_DIR)
         set_property(TARGET OpenSSL::SSL APPEND PROPERTY INTERFACE_LINK_LIBRARIES crypt32.lib)
     endif()
 
+    if (WIN32)
+        set(BYPRODUCT_DYN_SUFFIX ".dll" CACHE STRING "" FORCE)
+    elseif(APPLE)
+        set(BYPRODUCT_DYN_SUFFIX ".dylib" CACHE STRING "" FORCE)
+    else()
+        set(BYPRODUCT_DYN_SUFFIX ".so" CACHE STRING "" FORCE)
+    endif()
+
+    set(FIPS_BYPRODUCTS
+            "${LIBDIR}/ossl-modules/fips${BYPRODUCT_DYN_SUFFIX}"
+            )
+
+    set(OPENSSL_FIPS_BIN_DIR "${BINARY_DIR}/thirdparty/openssl-fips-install" CACHE STRING "" FORCE)
+
+    FOREACH(BYPRODUCT ${FIPS_BYPRODUCTS})
+        LIST(APPEND OPENSSL_FIPS_FILE_LIST "${OPENSSL_FIPS_BIN_DIR}/${BYPRODUCT}")
+    ENDFOREACH(BYPRODUCT)
+
+    install(FILES ${OPENSSL_FIPS_FILE_LIST} DESTINATION fips COMPONENT bin)
+    install(FILES "${OPENSSL_BIN_DIR}/bin/openssl${EXECUTABLE_SUFFIX}" DESTINATION fips COMPONENT bin
+            PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ GROUP_EXECUTE GROUP_READ WORLD_READ WORLD_EXECUTE)
+
+    set(OPENSSL_FIPS_EXTRA_FLAGS
+            no-tests            # Disable tests
+            no-capieng          # disable CAPI engine (legacy)
+            no-legacy           # disable legacy modules
+            no-ssl              # disable SSLv3
+            no-engine           # disable Engine API as it is deprecated since OpenSSL 3.0 and not FIPS compatible
+            enable-fips)        # enable FIPS module
+
+    if (WIN32)
+        find_program(JOM_EXECUTABLE_PATH
+            NAMES jom.exe
+            PATHS ENV PATH
+            NO_DEFAULT_PATH)
+        if(JOM_EXECUTABLE_PATH)
+            include(ProcessorCount)
+            processorcount(jobs)
+            set(OPENSSL_BUILD_COMMAND ${JOM_EXECUTABLE_PATH} -j${jobs})
+            set(OPENSSL_WINDOWS_COMPILE_FLAGS /FS)
+        else()
+            message("Using nmake for OpenSSL build")
+            set(OPENSSL_BUILD_COMMAND nmake)
+            set(OPENSSL_WINDOWS_COMPILE_FLAGS "")
+        endif()
+        ExternalProject_Add(
+                openssl-fips-external
+                URL https://github.com/openssl/openssl/releases/download/openssl-3.0.9/openssl-3.0.9.tar.gz
+                URL_HASH "SHA256=eb1ab04781474360f77c318ab89d8c5a03abc38e63d65a603cabbf1b00a1dc90"
+                SOURCE_DIR "${BINARY_DIR}/thirdparty/openssl-fips-src"
+                BUILD_IN_SOURCE true
+                CONFIGURE_COMMAND perl Configure "CFLAGS=${PASSTHROUGH_CMAKE_C_FLAGS} ${OPENSSL_WINDOWS_COMPILE_FLAGS}" "CXXFLAGS=${PASSTHROUGH_CMAKE_CXX_FLAGS} ${OPENSSL_WINDOWS_COMPILE_FLAGS}" ${OPENSSL_SHARED_FLAG} ${OPENSSL_FIPS_EXTRA_FLAGS} enable-fips "--prefix=${OPENSSL_FIPS_BIN_DIR}" "--openssldir=${OPENSSL_FIPS_BIN_DIR}"
+                BUILD_BYPRODUCTS ${OPENSSL_FIPS_FILE_LIST}
+                EXCLUDE_FROM_ALL TRUE
+                BUILD_COMMAND ${OPENSSL_BUILD_COMMAND}
+                INSTALL_COMMAND nmake install_fips
+            )
+    else()
+        ExternalProject_Add(
+            openssl-fips-external
+                URL https://github.com/openssl/openssl/releases/download/openssl-3.0.9/openssl-3.0.9.tar.gz
+                URL_HASH "SHA256=eb1ab04781474360f77c318ab89d8c5a03abc38e63d65a603cabbf1b00a1dc90"
+                SOURCE_DIR "${BINARY_DIR}/thirdparty/openssl-fips-src"
+                BUILD_IN_SOURCE true
+                CONFIGURE_COMMAND ./Configure "CFLAGS=${PASSTHROUGH_CMAKE_C_FLAGS} -fPIC" "CXXFLAGS=${PASSTHROUGH_CMAKE_CXX_FLAGS} -fPIC" ${OPENSSL_SHARED_FLAG} ${OPENSSL_FIPS_EXTRA_FLAGS}  "--prefix=${OPENSSL_FIPS_BIN_DIR}" "--openssldir=${OPENSSL_FIPS_BIN_DIR}"
+                BUILD_BYPRODUCTS ${OPENSSL_FIPS_FILE_LIST}
+                EXCLUDE_FROM_ALL TRUE
+                INSTALL_COMMAND make install_fips
+        )
+    endif()
+
+    add_dependencies(OpenSSL::Crypto openssl-fips-external)
+
 endfunction(use_openssl)

cmake/Fetchlibrdkafka.cmake

@@ -34,8 +34,8 @@ set(PATCH_FILE "${CMAKE_SOURCE_DIR}/thirdparty/librdkafka/0001-remove-findLZ4-an
 set(PC "${Patch_EXECUTABLE}" -p1 -i "${PATCH_FILE}")
 
 FetchContent_Declare(libkafka
-        URL https://github.com/confluentinc/librdkafka/archive/refs/tags/v2.6.0.tar.gz
-        URL_HASH SHA256=abe0212ecd3e7ed3c4818a4f2baf7bf916e845e902bb15ae48834ca2d36ac745
+        URL https://github.com/confluentinc/librdkafka/archive/refs/tags/v2.8.0.tar.gz
+        URL_HASH SHA256=5bd1c46f63265f31c6bfcedcde78703f77d28238eadf23821c2b43fc30be3e25
         PATCH_COMMAND "${PC}"
 )
 

cmake/PahoMqttC.cmake

@@ -29,8 +29,8 @@ set(PC ${Bash_EXECUTABLE}  -c "set -x &&\
 
 FetchContent_Declare(
     paho.mqtt.c-external
-    URL "https://github.com/eclipse/paho.mqtt.c/archive/refs/tags/v1.3.9.tar.gz"
-    URL_HASH "SHA256=386c9b5fa1cf6d0d516db12d57fd8f6a410dd0fdc5e9a2da870aae437a2535ed"
+    URL "https://github.com/eclipse/paho.mqtt.c/archive/refs/tags/v1.3.14.tar.gz"
+    URL_HASH "SHA256=7af7d906e60a696a80f1b7c2bd7d6eb164aaad908ff4c40c3332ac2006d07346"
     PATCH_COMMAND "${PC}"
 )
 

cmake/ssl/FindOpenSSL.cmake

@@ -23,7 +23,7 @@ if(NOT OPENSSL_FOUND)
     set(OPENSSL_CRYPTO_LIBRARY "${EXPORTED_OPENSSL_CRYPTO_LIBRARY}" CACHE STRING "" FORCE)
     set(OPENSSL_SSL_LIBRARY "${EXPORTED_OPENSSL_SSL_LIBRARY}" CACHE STRING "" FORCE)
     set(OPENSSL_LIBRARIES "${EXPORTED_OPENSSL_LIBRARIES}" CACHE STRING "" FORCE)
-    set(OPENSSL_VERSION "3.1.0" CACHE STRING "" FORCE)
+    set(OPENSSL_VERSION "3.3.2" CACHE STRING "" FORCE)
 endif()
 
 if(NOT TARGET OpenSSL::Crypto)

conf/minifi.properties

@@ -142,3 +142,6 @@ nifi.python.processor.dir=${MINIFI_HOME}/minifi-python/
 nifi.python.virtualenv.directory=${MINIFI_HOME}/minifi-python-env
 nifi.python.install.packages.automatically=true
 # nifi.python.env.setup.binary=python3
+
+# FIPS
+# nifi.openssl.fips.support.enable=false

docker/test/integration/cluster/ContainerStore.py

@@ -397,6 +397,9 @@ def enable_log_metrics_publisher_in_minifi(self):
     def enable_example_minifi_python_processors(self):
         self.minifi_options.enable_example_minifi_python_processors = True
 
+    def enable_openssl_fips_mode_in_minifi(self):
+        self.minifi_options.enable_openssl_fips_mode = True
+
     def get_startup_finished_log_entry(self, container_name):
         container_name = self.get_container_name_with_postfix(container_name)
         return self.containers[container_name].get_startup_finished_log_entry()

docker/test/integration/cluster/DockerTestCluster.py

@@ -138,6 +138,9 @@ def enable_log_metrics_publisher_in_minifi(self):
     def enable_example_minifi_python_processors(self):
         self.container_store.enable_example_minifi_python_processors()
 
+    def enable_openssl_fips_mode_in_minifi(self):
+        self.container_store.enable_openssl_fips_mode_in_minifi()
+
     def get_app_log(self, container_name):
         container_name = self.container_store.get_container_name_with_postfix(container_name)
         log_source = self.container_store.log_source(container_name)

docker/test/integration/cluster/containers/MinifiContainer.py

@@ -43,6 +43,7 @@ def __init__(self):
         self.enable_controller_socket = False
         self.enable_log_metrics_publisher = False
         self.enable_example_minifi_python_processors = False
+        self.enable_openssl_fips_mode = False
 
 
 class MinifiContainer(FlowContainer):
@@ -52,6 +53,13 @@ class MinifiContainer(FlowContainer):
 
     def __init__(self, feature_context, config_dir, options, name, vols, network, image_store, command=None):
         self.options = options
+        if options.enable_openssl_fips_mode:
+            if command is not None:
+                command = ["/bin/sh", "-c", MinifiContainer.MINIFI_ROOT + "/fips/openssl fipsinstall -out " + MinifiContainer.MINIFI_ROOT + "/fips/fipsmodule.cnf -module "
+                           + MinifiContainer.MINIFI_ROOT + "/fips/fips.so && " + command]
+            else:
+                command = ["/bin/sh", "-c", MinifiContainer.MINIFI_ROOT + "/fips/openssl fipsinstall -out " + MinifiContainer.MINIFI_ROOT + "/fips/fipsmodule.cnf -module "
+                           + MinifiContainer.MINIFI_ROOT + "/fips/fips.so && " + MinifiContainer.MINIFI_ROOT + "/bin/minifi.sh run"]
 
         super().__init__(feature_context=feature_context,
                          config_dir=config_dir,
@@ -159,6 +167,9 @@ def _create_properties(self):
             if self.options.use_nifi_python_processors_with_virtualenv or self.options.remove_python_requirements_txt:
                 f.write("nifi.python.install.packages.automatically=true\n")
 
+            if self.options.enable_openssl_fips_mode:
+                f.write("nifi.openssl.fips.support.enable=true\n")
+
     def _setup_config(self):
         self._create_properties()
         if not self.options.use_flow_config_from_url:

docker/test/integration/features/MiNiFi_integration_test_driver.py

@@ -437,6 +437,9 @@ def enable_log_metrics_publisher_in_minifi(self):
     def enable_example_minifi_python_processors(self):
         self.cluster.enable_example_minifi_python_processors()
 
+    def enable_openssl_fips_mode_in_minifi(self):
+        self.cluster.enable_openssl_fips_mode_in_minifi()
+
     def debug_bundle_can_be_retrieved_through_minifi_controller(self, container_name: str):
         assert self.cluster.debug_bundle_can_be_retrieved_through_minifi_controller(container_name) or self.cluster.log_app_output()
 

docker/test/integration/features/https.feature

@@ -131,7 +131,8 @@ Feature: Transfer data from and to MiNiFi using HTTPS
 
 
   Scenario: InvokeHTTP to ListenHTTP with mutual TLS, using the system certificate store, requires a server cert signed by a CA
-    Given a GenerateFlowFile processor with the "Data Format" property set to "Text"
+    Given OpenSSL FIPS mode is enabled in MiNiFi
+    And a GenerateFlowFile processor with the "Data Format" property set to "Text"
     And the "Unique FlowFiles" property of the GenerateFlowFile processor is set to "false"
     And the "Custom Text" property of the GenerateFlowFile processor is set to "Duis aute irure dolor in reprehenderit in voluptate"
     And a InvokeHTTP processor with the "Remote URL" property set to "https://server-${feature_id}:4430/contentListener"

docker/test/integration/features/kafka.feature

@@ -83,7 +83,8 @@ Feature: Sending data to using Kafka streaming platform using PublishKafka
     Then a flowfile with the content "no broker" is placed in the monitored directory in less than 60 seconds
 
   Scenario: PublishKafka sends can use SSL connect with security properties
-    Given a GetFile processor with the "Input Directory" property set to "/tmp/input"
+    Given OpenSSL FIPS mode is enabled in MiNiFi
+    And a GetFile processor with the "Input Directory" property set to "/tmp/input"
     And a file with the content "test" is present in "/tmp/input"
     And a PublishKafka processor set up to communicate with a kafka broker instance
     And these processor properties are set:
@@ -139,7 +140,8 @@ Feature: Sending data to using Kafka streaming platform using PublishKafka
     Then a flowfile with the content "test" is placed in the monitored directory in less than 60 seconds
 
   Scenario: PublishKafka sends can use SASL SSL connect with security properties
-    Given a GetFile processor with the "Input Directory" property set to "/tmp/input"
+    Given OpenSSL FIPS mode is enabled in MiNiFi
+    And a GetFile processor with the "Input Directory" property set to "/tmp/input"
     And a file with the content "test" is present in "/tmp/input"
     And a PublishKafka processor set up to communicate with a kafka broker instance
     And these processor properties are set:
@@ -170,7 +172,8 @@ Feature: Sending data to using Kafka streaming platform using PublishKafka
     Then a flowfile with the content "test" is placed in the monitored directory in less than 60 seconds
 
   Scenario: PublishKafka sends can use SASL SSL connect with SSL Context
-    Given a GetFile processor with the "Input Directory" property set to "/tmp/input"
+    Given OpenSSL FIPS mode is enabled in MiNiFi
+    And a GetFile processor with the "Input Directory" property set to "/tmp/input"
     And a file with the content "test" is present in "/tmp/input"
     And a PublishKafka processor set up to communicate with a kafka broker instance
     And these processor properties are set:
@@ -199,7 +202,8 @@ Feature: Sending data to using Kafka streaming platform using PublishKafka
     Then a flowfile with the content "test" is placed in the monitored directory in less than 60 seconds
 
   Scenario: PublishKafka sends can use SSL connect with SSL Context Service
-    Given a GetFile processor with the "Input Directory" property set to "/tmp/input"
+    Given OpenSSL FIPS mode is enabled in MiNiFi
+    And a GetFile processor with the "Input Directory" property set to "/tmp/input"
     And a file with the content "test" is present in "/tmp/input"
     And a PublishKafka processor set up to communicate with a kafka broker instance
     And these processor properties are set:
@@ -423,7 +427,8 @@ Feature: Sending data to using Kafka streaming platform using PublishKafka
       | Shogun           | James Clavell  | Message Header Encoding | UTF-32         |
 
   Scenario: ConsumeKafka receives data via SSL
-    Given a ConsumeKafka processor set up in a "kafka-consumer-flow" flow
+    Given OpenSSL FIPS mode is enabled in MiNiFi
+    And a ConsumeKafka processor set up in a "kafka-consumer-flow" flow
     And these processor properties are set:
       | processor name | property name     | property value                  |
       | ConsumeKafka   | Kafka Brokers     | kafka-broker-${feature_id}:9093 |
@@ -441,7 +446,8 @@ Feature: Sending data to using Kafka streaming platform using PublishKafka
     Then two flowfiles with the contents "Alice's Adventures in Wonderland" and "Lewis Carroll" are placed in the monitored directory in less than 60 seconds
 
   Scenario: ConsumeKafka receives data via SASL SSL
-    Given a ConsumeKafka processor set up in a "kafka-consumer-flow" flow
+    Given OpenSSL FIPS mode is enabled in MiNiFi
+    And a ConsumeKafka processor set up in a "kafka-consumer-flow" flow
     And these processor properties are set:
       | processor name | property name     | property value                  |
       | ConsumeKafka   | Kafka Brokers     | kafka-broker-${feature_id}:9095 |

docker/test/integration/features/minifi_c2_server.feature

@@ -30,7 +30,8 @@ Feature: MiNiFi can communicate with Apache NiFi MiNiFi C2 server
     And the Minifi logs do not contain the following message: "Failed to parse json response: The document is empty. at 0" after 0 seconds
 
   Scenario: MiNiFi flow config is updated from MiNiFi C2 server through SSL with SSL controller service
-    Given a file with the content "test" is present in "/tmp/input"
+    Given OpenSSL FIPS mode is enabled in MiNiFi
+    And a file with the content "test" is present in "/tmp/input"
     And a ssl context service is set up for MiNiFi C2 server
     And a MiNiFi C2 server is set up with SSL
     When all instances start up
@@ -47,7 +48,8 @@ Feature: MiNiFi can communicate with Apache NiFi MiNiFi C2 server
     And a flowfile with the content "test" is placed in the monitored directory in less than 10 seconds
 
   Scenario: MiNiFi flow config is updated from MiNiFi C2 server through SSL with SSL properties
-    Given a file with the content "test" is present in "/tmp/input"
+    Given OpenSSL FIPS mode is enabled in MiNiFi
+    And a file with the content "test" is present in "/tmp/input"
     And a GenerateFlowFile processor
     And ssl properties are set up for MiNiFi C2 server
     And a MiNiFi C2 server is set up with SSL