Public bug reported:

Release: Noble
OpenSSL version: 3.0.13-0ubuntu3.1

The Noble FIPS release only produces the FIPS provider library. In previous versions, like Jammy, the FIPS release also produced a libssl-dev that contained the FIPS changes to the header files needed for compiling against the FIPS library. For Noble, it was planned to rely on the standard libssl-dev release and to have all of the needed defines already present in that standard release.

In the Atsec review of the Noble FIPS release, it was discovered that the FIPS patches make changes to three header files which did not get included in the standard Noble libssl-dev release. The request is to add these changes into the Noble OpenSSL release:

From 0010-providers-Add-a-FIPS-status-indicator.patch:

include/openssl/fips_names.h

    /*
     * The module status indicator for the FIPS provider. This is queried from
     * the provider.
     * Type: OSSL_PARAM_INTEGER
     */
    # define UBUNTU_OSSL_PROV_FIPS_PARAM_UNAPPROVED_USAGE "ubuntu.fips-unapproved-usage"

From 0046-signature-Clamp-PSS-salt-len-to-MD-len.patch

include/openssl/core_names.h:

    #define OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX "auto-digestmax"

include/openssl/rsa.h

    /* Auto-detect on verify, set salt length to min(maximum possible, digest
     * length) on sign */
    # define RSA_PSS_SALTLEN_AUTO_DIGEST_MAX -4

From 0049-crypto-dh-perform-a-PCT-during-key-generation.patch

include/openssl/self_test.h

    # define UBUNTU_OSSL_SELF_TEST_DESC_PCT_DH "DH"

Atsec is asking for the "UBUNTU_OSSL_PROV_FIPS_PARAM_UNAPPROVED_USAGE" define so that is the priority. The other defines were found by searching the FIPS openssl patches for changes to files in the include/openssl directory.

** Affects: openssl (Ubuntu)
     Importance: Undecided
         Status: New
https://bugs.launchpad.net/bugs/2073991

Title:
  Add FIPS defines to Noble OpenSSL header files
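
The following is an added example, not part of the bug report or of the Ubuntu packaging: a shell function that checks whether an installed set of OpenSSL headers carries the four defines listed in the report. The function name and the default include directory (/usr/include) are assumptions; the header and macro names are taken from the report.

```shell
#!/bin/sh
# Added example: report which FIPS defines named in the bug report are
# missing from an OpenSSL include directory.

# header:macro pairs, taken from the bug report text.
FIPS_DEFINES='fips_names.h:UBUNTU_OSSL_PROV_FIPS_PARAM_UNAPPROVED_USAGE
core_names.h:OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX
rsa.h:RSA_PSS_SALTLEN_AUTO_DIGEST_MAX
self_test.h:UBUNTU_OSSL_SELF_TEST_DESC_PCT_DH'

# missing_fips_defines [DIR]
# Prints one "header:macro" line for every define that is absent and
# returns 0 only when all four are present. DIR is the directory that
# contains the openssl/ header directory (assumed default: /usr/include).
missing_fips_defines() {
    incdir=${1:-/usr/include}
    missing=0
    for pair in $FIPS_DEFINES; do
        header=${pair%%:*}
        macro=${pair#*:}
        file="$incdir/openssl/$header"
        # Accept both "#define NAME" and "# define NAME". The name must be
        # followed by whitespace or end of line, so a longer macro that
        # merely shares the prefix is not counted as a match.
        if [ ! -f "$file" ] ||
           ! grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+${macro}([[:space:]]|\$)" "$file"
        then
            echo "$pair"
            missing=1
        fi
    done
    return $missing
}

# Typical use in a build or CI step:
#   missing_fips_defines /usr/include || echo "libssl-dev lacks FIPS defines" >&2
```

A non-zero return from this check on a build host means code that references any of these names will fail to compile against that libssl-dev.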