T8529: Add configuration CLI to enable OpenSSL FIPS

[sever-sever]

Change summary

Add the new configuration CLI to enable OpenSSL FIPS-140 (Federal Information Processing Standard) cryptographic modules
https://docs.openssl.org/master/man7/fips_module/#making-all-applications-use-the-fips-module-by-default

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Code style update (formatting, renaming)
• Refactoring (no functional changes)
• Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
• Other (please describe):

Related Task(s)

• https://vyos.dev/T8529

Related PR(s)

This PR relies on a specific OpenSSL version (with built FIPS) vyos/vyos-build#1161

How to test / Smoketest result

set system option fips
commit

Check (expected OpenSSL FIPS):

vyos@r14# sudo openssl fipsinstall \
>    -module /usr/lib/x86_64-linux-gnu/ossl-modules/fips.so \
>    -out /usr/lib/ssl/fipsmodule.cnf
	name:     	OpenSSL FIPS Provider
	version:  	3.1.2
	build:    	3.1.2
INSTALL PASSED
[edit]
vyos@r14# 
[edit]
vyos@r14# sudo openssl list -providers
Providers:
  fips
    name: OpenSSL FIPS Provider
    version: 3.1.2
    status: active
[edit]
vyos@r14# 

Remove FIPS

delete system option fips 
commit

Expected the Default provider

vyos@r14# openssl list -providers
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.1.2
    status: active
[edit]
vyos@r14# 

Smoketest will pass after the required OpenSSL version:

vyos@r14:~$ show version all | match openssl
ii  openssl                          3.1.2-1                                  amd64        Secure Sockets Layer toolkit - cryptographic utility
ii  openssl-dbgsym                   3.1.2-1                                  amd64        debug symbols for openssl
...

vyos@r14:~$ /usr/libexec/vyos/tests/smoke/cli/test_system_option.py -k test_fips
test_fips (__main__.TestSystemOption.test_fips) ... ok

----------------------------------------------------------------------
Ran 1 test in 2.810s

OK
vyos@r14:~$ 

Checklist:

• I have read the CONTRIBUTING document
• I have linked this PR to one or more Phabricator Task(s)
• I have run the components SMOKETESTS if applicable
• My commit headlines contain a valid Task id
• My change requires a change to the documentation
• I have updated the documentation accordingly

[github-actions]

👍
No issues in PR Title / Commit Title

[github-actions]

❌ Typos detected in PR (1 found)

File	Typo	Suggestion
data/templates/openssl/openssl.cnf.j2:193	Widgits	Widgets

[Copilot]

Pull request overview

Adds a new system option fips configuration knob intended to enable OpenSSL FIPS provider usage on VyOS systems, and validates it via a new smoketest.

Changes:

• Add system option fips CLI node to the interface definition.
• Generate /etc/ssl/openssl.cnf from a new Jinja template and run openssl fipsinstall when FIPS is enabled.
• Add a smoketest that enables/disables FIPS and checks provider activation.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 6 comments.

File	Description
src/conf_mode/system_option.py	Adds OpenSSL config rendering + runs openssl fipsinstall when fips is configured, plus a runtime warning.
data/templates/openssl/openssl.cnf.j2	New OpenSSL configuration template with conditional FIPS provider include/activation.
interface-definitions/system_option.xml.in	Adds the fips leaf under system option.
smoketest/scripts/cli/test_system_option.py	Adds a smoketest validating config changes and provider activation/deactivation.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[sever-sever]

Converted to the draft state until the companion PR (vyos/vyos-build#1161) is merged
But OK for review.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The openssl fipsinstall ... invocation uses cmd(...) without raising=ConfigError / a helpful message=.... If fipsinstall fails (e.g., provider integrity check fails, permissions, unsupported OpenSSL build), this will raise an OSError and may surface as an unhandled exception during commit instead of a clean config error. Use cmd(..., raising=ConfigError, message='...') so the user gets an actionable CLI error and the commit fails gracefully.

Suggested change

	f'openssl fipsinstall -module /usr/lib/{arch}/ossl-modules/fips.so -out {openssl_fipsmodule_config}'
	f'openssl fipsinstall -module /usr/lib/{arch}/ossl-modules/fips.so -out {openssl_fipsmodule_config}',
	raising=ConfigError,
	message='Failed to generate OpenSSL FIPS module configuration'

[github-actions]

CI integration ❌ failed!

Details

CI logs

• CLI Smoketests ❌ failed
• CLI Smoketests (interfaces only) 👍 passed
• Config tests 👍 passed
• RAID1 tests 👍 passed
• CLI Smoketests VPP 👍 passed
• Config tests VPP 👍 passed
• TPM tests ❌ failed

[alexandr-san4ez]

Basic functionality test looks good. I don't see any problems with this new feature.

vyos@vyos1:~$ conf
vyos@vyos1# set system option fips
vyos@vyos1# commit
[ system option ]

WARNING: FIPS 140-3 support is incomplete and may behave unexpectedly!

vyos@vyos1:~$ openssl list -providers
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.1.2
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.1.2
    status: active
vyos@vyos1:~$ python3
>>> import ssl
>>> import hashlib
>>> print(ssl.OPENSSL_VERSION)
OpenSSL 3.1.2 1 Aug 2023
>>> h = hashlib.sha256(b"test")
>>> print("SHA-256 OK:", h.hexdigest())
SHA-256 OK: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
>>> hashlib.algorithms_available
{'blake2s', 'shake_256', 'blake2b', 'sha224', 'sha3_384', 'sha512_256', 'sha256', 'sha512', 'md5', 'sha3_224', 'sha512_224', 'shake_128', 'sha3_256', 'sha1', 'sha3_512', 'sha384'}
>>> hashlib.algorithms_guaranteed
{'blake2s', 'sha3_224', 'shake_256', 'blake2b', 'sha224', 'sha3_384', 'shake_128', 'sha3_256', 'sha256', 'sha512', 'md5', 'sha1', 'sha3_512', 'sha384'}
>>> exit()
[edit]
vyos@vyos1# del system option fips
[edit]
vyos@vyos1# commit
[edit]
vyos@vyos1# python3
>>> import hashlib
>>> hashlib.algorithms_available
{'blake2b', 'sha1', 'sha224', 'sha256', 'sha3_224', 'sha512', 'md5', 'sha3_384', 'shake_256', 'sha3_512', 'md5-sha1', 'sha512_224', 'shake_128', 'ripemd160', 'sha3_256', 'sha512_256', 'sm3', 'sha384', 'blake2s'}
>>> hashlib.algorithms_guaranteed
{'blake2b', 'shake_128', 'sha1', 'sha3_224', 'sha3_256', 'sha224', 'sha512', 'sha3_384', 'sha384', 'sha3_512', 'shake_256', 'blake2s', 'sha256', 'md5'}