I have subscribed to openssl bug reports.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1553309
Title:
[FFe]: Include FIPS 140-2 into openssl package
To manage notifications about this bug go to:
Hey Joy,
Joy Latten [2016-04-19 23:18 -]:
> I have a newbie question, what else should I do for this feature freeze?
Formally, nothing. The latest package is in xenial, so now it's "lean
back and enjoy", err, I mean "continue testing it" :-)
It would really be good and adequate if you subscr
Hi Martin,
I have a newbie question, what else should I do for this feature freeze?
Thanks! :-)
regards,
Joy
On Fri, Apr 15, 2016 at 12:14 AM, Martin Pitt
wrote:
> Thanks! There's still an awful amount of patch noise, but indeed some of
> it is unavoidable as you say. But this is incrementally
Thanks! There's still an awful amount of patch noise, but indeed some of
it is unavoidable as you say. But this is incrementally better than
before, thanks for the cleanup!
I uploaded this now: https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu4
Also, ran same testing on latest ppa version (ppa7) and they all passed.
Hi Martin,
I also ran an interdiff when I re-factored to ensure alignment with original
fedora patches. 2 or 3 of them did not apply cleanly, for various reasons, so
I had to make very small changes. I also named each patch in debian/patches to
be same as in fedora.
For interdiff of
openss
Hi Martin, my ppa has a debdiff that is against my prior version. You
may find this more useful than the ppa I just attached above. Here is a
pointer: https://launchpadlibrarian.net/253756858/openssl_1.0.2g-1ubuntu3~ppa6_1.0.2g-1ubuntu3~ppa7.diff.gz
New debdiff with fixed Origin and cleaner fedora patches.
** Attachment added: "New debdiff against openssl-1.0.2g-1ubuntu2"
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309/+attachment/4636880/+files/debdiff-openssl_1.0.2g-1ubuntu3~ppa7
Ok, I will get to work on these changes now.
I will keep the first 5 patches original to fedora. And then in my cleanup
patch do the stuff to get rid of undefined symbols, etc...
And that way I can point my Origin to the git.fedora.
Thanks!!
regards,
Joy
On Wed, Apr 13, 2016 at 3:32 PM, Martin
This bug was fixed in the package openssl - 1.0.2g-1ubuntu3
---
openssl (1.0.2g-1ubuntu3) xenial; urgency=medium
* Add fips support to openssl, LP: #1553309
- debian/patches/openssl-1.0.2g-fips.patch: [PATCH 1/6] Add selftest, fips
support, crypto compliance and define OPE
** Tags removed: block-proposed
Joy Latten [2016-04-13 18:08 -]:
> Started looking into those patch diffs...
> for the openssl-1.0.2a-fips-ec.patch one, I had a bunch of undefined
> symbols and so cleaned these up, causing my diff to be slightly off... my
> bad.
Ah, that makes sense.
> Oh, and also, that patch installed "fi
Hi Martin,
Cool!
Started looking into those patch diffs...
for the openssl-1.0.2a-fips-ec.patch one, I had a bunch of undefined
symbols and so cleaned these up, causing my diff to be slightly off... my
bad.
Should have saved that for the last patch that was for my cleanup... sorry,
I hated not bei
For the record: http://people.canonical.com/~ubuntu-archive/proposed-migration/update_excuses.html#openssl
looks good (linux/armhf still
running, but that should not be relevant), but I blocked this to
-proposed for now. I'll let this into xenial later tonight for testing,
but we still need a foll
> I was not sure of the naming convention for the patches, so I kept the
> same name as in fedora but used the version of openssl that we were
> patching.
The patch name is not that important. But it's very important to give
the precise URL where you took it from, and that the patch actually
matches t
Hi Martin,
I will fix the Origin today. I was not sure of the naming convention for
the patches, so I kept the same name as in fedora but used the version of
openssl that we were patching. If you prefer, I can instead use exact same
name as fedora. I actually pulled my patches from Fedora Rawhide'
** Tags added: block-proposed
> Dividing up the patch proved to be a challenge but was the right thing
> to do.
Many thanks for doing this!
Can you please fix the "Origin:
http://dl.fedoraproject.org/pub/fedora/linux/development" fields still?
They should point to a particular patch in a place like
http://pkgs.fedoraproject.or
New test package and debdiff. All the same testing completed successfully.
New test package, https://launchpad.net/~j-latten/+archive/ubuntu/myppa
** Attachment added: "debdiff: latest patch series (6 patches) to add fips
support to openssl"
https://bugs.launchpad.net/ubuntu/+source/openssl/+
Hi Martin,
Dividing up the patch proved to be a challenge but was the right thing to
do.
I divided it up into a patch series of 6, with the first 5 patches being
those from fedora. The 6th patch was all my corrections and updates.
I ran all the prior testcases successfully.
Weird, but the fedora
Code Review Resolutions:
1. Original one patch divided up into a patch-series of 6 patches. The first 5
patches are the original patches from fedora. The 6th patch authored by me to
fix compiler warnings and use updated fips compliant algorithms and tests from
upstream openssl and openssl fips m
** Attachment added: "debdiff: latest patch series (6 patches) to add fips
support to openssl"
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309/+attachment/4634739/+files/debdiff.openssl_1.0.2g-1ubuntu3~ppa5
Hi Martin,
I will get to work on all the resolutions we mentioned. Thanks!
I will send you email when completed and list them.
regards,
Joy
On Fri, Apr 8, 2016 at 2:07 AM, Martin Pitt
wrote:
> Joy Latten [2016-04-08 5:07 -]:
> > > -# define SHA1_Init private_SHA1_Init
> > Those defi
Joy Latten [2016-04-08 5:07 -]:
> > -# define SHA1_Init private_SHA1_Init
> Those defines are within an OPENSSL_FIPS so were never used in regular
> openssl.
Ah, I see that this doesn't actually get shipped in libssl-dev, so
sorry for the noise.
> > The changes in crypto/evp/p_sign.c a
Joy Latten [2016-04-08 5:17 -]:
> Ok, I agree. But I am afraid will still be big. The fedora patch had
> already incorporated almost all the stuff needed from the openssl-fips
> module.
Right, the split patches will of course not be any smaller, but it'll
be a magnitude easier (or even make i
Hi Martin,
Responses below. Thanks!
regards,
Joy
On Thu, Apr 7, 2016 at 5:27 AM, Martin Pitt
wrote:
> Hello Joy,
>
> thanks for your answers. I'll cut out the ones that are resolved now
> from my POV.
>
> Joy Latten [2016-04-06 19:48 -]:
> > crypto in regular openssl when in fips mode. The
Hi Martin,
My responses below. Thanks!
regards,
Joy
On Thu, Apr 7, 2016 at 6:29 AM, Martin Pitt
wrote:
> I reviewed the remainder of the patch:
>
> crypto/evp/evp_locl.h
> -# define SHA1_Init private_SHA1_Init
> -# define SHA224_Init private_SHA224_Init
> -# define SHA256_Init pr
I reviewed the remainder of the patch:
crypto/evp/evp_locl.h
-# define SHA1_Init private_SHA1_Init
-# define SHA224_Init private_SHA224_Init
-# define SHA256_Init private_SHA256_Init
-# define SHA384_Init private_SHA384_Init
-# define SHA512_Init private_SHA512_Init
-# define
Hello Joy,
thanks for your answers. I'll cut out the ones that are resolved now
from my POV.
Joy Latten [2016-04-06 19:48 -]:
> crypto in regular openssl when in fips mode. The openssl-fips module is not
> only bigger than this patch, but is separate and a bit more complex.
> Since it is sepa
Hi Martin,
This email addresses the second half, below.
regards,
Joy
On Wed, Apr 6, 2016 at 4:33 AM, Martin Pitt wrote:
> The patch changes behaviour even in !fips mode, e. g. in apps/speed.c:
>
> for (i = 0; i < DSA_NUM; i++)
> -dsa_doit[i] = 1;
> +if (!FIPS_
Hi Martin,
My apology for the delay. I had a morning full of meetings and I needed to
look at the code to answer.
I have addressed the first half of your email and will continue with the
second half next. Will send another email
regards,
Joy
On Wed, Apr 6, 2016 at 4:33 AM, Martin Pitt
wrote:
>
The patch changes behaviour even in !fips mode, e. g. in apps/speed.c:
for (i = 0; i < DSA_NUM; i++)
-dsa_doit[i] = 1;
+if (!FIPS_mode() || i != R_DSA_512)
+dsa_doit[i] = 1;
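Review bot: the new `if (!FIPS_mode() || i != R_DSA_512)` guard inside the `for` loop carries no comment saying why the R_DSA_512 entry is left unset when FIPS mode is on; a one-line comment above the condition would make the intent reviewable. As written, the condition is true for every `i` whenever `FIPS_mode()` returns 0, so `dsa_doit[i] = 1` still runs for all entries in that case. Bracing the loop body would also keep the nested `if` unambiguous if further statements are added to the loop.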
(additional check for R_DSA_512), and it even modifies code that doesn't
t
New debdiff.
Added a few more sentences to describe the patch to the patch header.
Also corrected a compiler warning.
** Attachment added: "Patch to include fips selftest and fips support to
openssl"
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309/+attachment/4625642/+files/de
Short summary of above comments:
- FIPS 140-2 is a U.S. government security standard for crypto. It
involves receiving accreditation for the crypto.
- This patch contains,
- selftest required by FIPS
- defines OPENSSL_FIPS
- a few crypto additions/changes that are constrained by OPENS
** Changed in: openssl (Ubuntu)
Status: Incomplete => Confirmed
Overview
-
FIPS 140-2 is a U.S. Government computer security standard to accredit
cryptographic modules. The certification process validates and certifies the
crypto within the module or used by the module.
Canonical is pursuing FIPS 140-2 certification for several modules in
1
The bug title is misleading -- judging by the patch this is by far more
than just adding a new selftest. This patch changes the runtime
behaviour in multiple places too.
Can you please describe what FIPS is, where the patch comes from, how
this got tested, how can we be sure that this does not bre