Enable ML-DSA support via hermetic OpenSSL 3.5.5 build

Integrates OpenSSL 3.5.5 to provide FIPS 204 (ML-DSA) support.

Signed-off-by: Willy Zhang <[email protected]>

Author: Willy Zhang

MODULE.bazel

@@ -324,6 +324,15 @@ http_archive(
     urls = ["https://github.com/inazarenko/protobuf-matchers/archive/7c8e15741bcea83db7819cc472c3e96301a95158.zip"],
 )
 
+# OpenSSL 3.5.5
+http_archive(
+    name = "openssl",
+    build_file = "//third_party/openssl:BUILD.openssl.bazel",
+    sha256 = "4ca7d770686ae621c88c78ee20a49c11aaa984c354ed038137ba87850e5386b8",
+    strip_prefix = "openssl-openssl-3.5.5",
+    urls = ["https://github.com/openssl/openssl/archive/refs/tags/openssl-3.5.5.tar.gz"],
+)
+
 # SoftHSM2
 http_archive(
     name = "softhsm2",

third_party/openssl/BUILD.bazel

@@ -0,0 +1,49 @@
+# Copyright lowRISC contributors (OpenTitan project).
+# Licensed under the Apache License, Version 2.0, see LICENSE for details.
+# SPDX-License-Identifier: Apache-2.0
+
+load("@rules_foreign_cc//foreign_cc:configure.bzl", "configure_make")
+
+package(default_visibility = ["//visibility:public"])
+
+filegroup(
+    name = "all_srcs",
+    srcs = glob(["**"]),
+)
+
+configure_make(
+    name = "openssl",
+    args = ["DESTDIR=$INSTALLDIR"],
+    configure_command = "Configure",
+    configure_options = [
+        "no-shared",
+        "no-tests",
+        "no-engine",
+        "no-dso",
+        "no-comp",
+        "no-idea",
+        "no-mdc2",
+        "no-rc5",
+        "no-ssl3",
+        "no-weak-ssl-ciphers",
+        "no-apps",
+        "-fPIC",
+        "--prefix=/",
+        "--openssldir=/ssl",
+        "--libdir=lib",
+    ],
+    env = select({
+        "@platforms//os:linux": {
+            "AR": "ar",
+        },
+        "//conditions:default": {},
+    }),
+    lib_source = ":all_srcs",
+    out_static_libs = [
+        "libssl.a",
+        "libcrypto.a",
+    ],
+    # OpenSSL's Configure script doesn't like some of the default flags
+    # passed by rules_foreign_cc, so we keep it simple.
+    targets = ["install_sw"],
+)

third_party/openssl/BUILD.openssl.bazel

@@ -20,33 +20,28 @@ cmake(
         "ENABLE_ECC": "ON",
         "ENABLE_MLDSA": "ON",
         "WITH_CRYPTO_BACKEND": "openssl",
-
-        # This build is for tests only.
-        # "CMAKE_BUILD_TYPE": "Debug",
+        "OPENSSL_USE_STATIC_LIBS": "ON",
 
         # SoftHSM wants to dump a bunch of nonsense into /etc, which is
         # not relevant to our use-case. To discard it, we set all of these
         # variables, which determine where all those files *would* land,
         # to the CMake build directory.
         "CMAKE_INSTALL_LOCALSTATEDIR": ".",
         "CMAKE_INSTALL_SYSCONFDIR": ".",
-        "PROJECT_BINARY_DIR": ".",
-        "CMAKE_CXX_FLAGS": "-DWITH_ML_DSA",
+        "CMAKE_CXX_FLAGS": "-DWITH_ML_DSA -DWITHOUT_OPENSSL_ENGINES",
     },
     # Set up SoftHSM to provide useful debug messages during testing.
     copts = [
         # Uncomment this for verbose logging from SoftHSM.
         # "-DDEBUG_LOG_STDERR",
         # "-DSOFTHSM_LOG_FUNCTION_NAME",
     ],
+    env = {
+        "OPENSSL_ROOT_DIR": "$$EXT_BUILD_DEPS/openssl",
+    },
     generate_args = ["-GNinja"],
     lib_source = ":all_srcs",
     out_binaries = ["softhsm2-util"],
     out_shared_libs = ["softhsm/libsofthsm2.so"],
-    # `install` is not smart enough to figure out that it needs to build
-    # everything, so we specify "" here explicitly.
-    targets = [
-        "",
-        "libsofthsm2.so",
-    ],
+    deps = ["@openssl"],
 )