openssl: Build OpenSSL FIPS provider
Following the OpenSSL instructions[1]. Enable the FIPS provider with the enable-fips option. As suggested, we compile the latest OpenSSL version (as of today 3.2.0) and then we compile the latest OpenSSL FIPS validated version (as of today 3.0.8). Once everything is compiled we pick (via the make target install_fips) only the FIPS relevant files (namely the fips.dll and fipsmodule.cnf files) from the OpenSSL FIPS build and replace the ones from the plain OpenSSL build. By doing this we can have the latest OpenSSL release with all the security fixes but with the approved FIPS provider, whose codebase for legal reasons doesn't change unless strictly required.

This is what is also suggested in the Downloads page[2]:

"Please follow the Security Policy instructions to download, build and install a validated OpenSSL FIPS provider. Other OpenSSL Releases MAY use the validated FIPS provider, but MUST NOT build and use their own FIPS provider. For example you can build OpenSSL 3.2 and use the OpenSSL 3.0.8 FIPS provider with it."

Note: in order to be FIPS compliant, the fipsmodule.cnf file must be generated on the target machine and shall not be copied. From the NIST document[3]:

```
The Module shall have the self-tests run, and the Module config file output generated on each platform where it is intended to be used. The Module config file output data shall not be copied from one machine to another.
```

The fipsmodule.cnf configuration file can be generated with:

```
openssl fipsinstall -module /path/to/fips.dll -out /path/to/fipsmodule.cnf
```

[1] https://github.com/openssl/openssl/blob/0ddcb55b602800d4a1bcf1e76ca32939ed4fdaa4/README-FIPS.md#installing-the-fips-provider-and-using-
[2] https://www.openssl.org/source/
[3] https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4282.pdf
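The target-machine step the commit message describes, as an added example that is not part of the commit or of OpenSSL itself: it generates fipsmodule.cnf on the machine where fips.dll will be used and then checks that the generated file matches that exact fips.dll. The install prefix and the lib\ossl-modules and ssl subdirectories are assumptions; adjust them to the actual layout.

```powershell
# Added example, not code from the commit. Assumed layout under $OpenSslRoot:
#   bin\openssl.exe              the 3.2.0 build
#   lib\ossl-modules\fips.dll    taken from the 3.0.8 install_fips step
#   ssl\fipsmodule.cnf           generated here, never copied from elsewhere
param(
    [string]$OpenSslRoot = "C:\openssl"   # assumed install prefix
)
$ErrorActionPreference = "Stop"

$openssl = Join-Path $OpenSslRoot "bin\openssl.exe"
$fipsDll = Join-Path $OpenSslRoot "lib\ossl-modules\fips.dll"
$fipsCnf = Join-Path $OpenSslRoot "ssl\fipsmodule.cnf"

if (-not (Test-Path $fipsDll)) { throw "fips.dll not found at $fipsDll" }

# Step 1: run the self-tests and write the config on THIS machine.
# A fipsmodule.cnf copied from another host is exactly what the
# security policy forbids, so any pre-existing file is overwritten.
& $openssl fipsinstall -module $fipsDll -out $fipsCnf
if ($LASTEXITCODE -ne 0) { throw "fipsinstall failed; the self-tests did not pass on this host" }

# Step 2: re-check that the MAC recorded in fipsmodule.cnf matches the
# fips.dll on disk. This fails if the cnf was copied in from a different
# machine or if fips.dll was replaced after the cnf was generated.
& $openssl fipsinstall -module $fipsDll -in $fipsCnf -verify
if ($LASTEXITCODE -ne 0) { throw "fipsmodule.cnf does not match $fipsDll" }

Write-Host "FIPS provider installed and verified for $fipsDll"
```

Re-run the script whenever fips.dll is rebuilt or redeployed, since the MAC in fipsmodule.cnf is bound to the exact module binary.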