Hi Jorge,

While doing some research on OpenSSL and FIPS for this SRU, apparently it is not a good idea to have the FIPS provider loaded with providers other than 'base' (which provides only non-crypto functions that can be used in FIPS mode).

For example, the 'default' and 'legacy' providers do provide algorithms that are *not* FIPS certified -- therefore if the application uses any algorithm from these providers, it is no longer FIPS compliant.

"... you will have both the FIPS and the default provider loaded at the same time. It is unspecified which implementation of an algorithm will be used if multiple implementations are available and you have not explicitly specified via a property query ..." [0]

Now, the proposed patch seems to (IIUIC) allow the algorithms in the FIPS provider to continue to be available _after_ the 'default' and 'legacy' providers are loaded. *This* seems to be a problem, if my understanding above is correct.

"OSSL_PROVIDER_try_load() functions like OSSL_PROVIDER_load(), except that it does not disable the fallback providers if ... or if retain_fallbacks is nonzero." [2]

So, if that is correct _and_ the FIPS provider is automatically loaded in FIPS mode, perhaps the fix for FIPS mode instead may be _not_ loading the 'default' and 'legacy' providers at all? (since this would not disable the fallback provider, and it seems the FIPS provider [3] is used as a fallback provider?) That is, to make such loads conditional on `fips_enabled` as several packages have done? Some examples in [4].

I'd recommend you check this with Tobias Heider and/or Henry Coggill, who have provided help with FIPS & Ubuntu Archive multiple times. Can you please discuss both approaches with them, before we progress with this SRU? The reason is we want to make sure there is no risk that openvpn in FIPS mode fails to select only FIPS compliant algorithms.

(I'll mark the bug task as Incomplete for that, this time.)

Thanks!
Mauricio

[0] https://github.com/openssl/openssl/blob/master/README-PROVIDERS.md
[1] https://docs.openssl.org/master/man7/fips_module/#programmatically-loading-the-fips-module-default-library-context
[2] https://docs.openssl.org/3.0/man3/OSSL_PROVIDER/#functions
[3] https://docs.openssl.org/master/man7/OSSL_PROVIDER-FIPS/
[4] https://codesearch.debian.net/search?q=%2Fproc%2Fsys%2Fcrypto%2Ffips_enabled&literal=1

** Changed in: openvpn (Ubuntu Jammy)
       Status: In Progress => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2077769

Title:
  fips-preview break openvpn ciphers

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/2077769/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
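The conditional-loading approach the comment above suggests (check the kernel's `fips_enabled` flag, and only then decide which OpenSSL 3 providers to activate) can be sketched in a few lines of shell. This is an added example written for this page; it is not code from the bug report, from the openvpn package, or from OpenSSL. The function names and the choice of provider sets are assumptions: in FIPS mode only the `fips` and `base` providers are requested, plus a `fips=yes` property query so that algorithm selection is explicit rather than unspecified; outside FIPS mode the `default` and `legacy` providers are requested as before. The flag file path defaults to the real sysctl path but can be overridden so the decision logic can be exercised with constructed files.

```shell
#!/bin/sh
# Added example, not from the bug report or the openvpn/OpenSSL projects.
# Decide which OpenSSL 3 providers to activate based on the kernel FIPS flag,
# the same flag the packages found via [4] check. Names are assumptions.

# Succeed (exit 0) when the kernel reports FIPS mode. The first character of
# /proc/sys/crypto/fips_enabled is "1" in FIPS mode; a missing or unreadable
# file is treated as "not FIPS". The path argument exists only for testing.
fips_enabled() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$flag_file" ] && [ "$(head -c 1 "$flag_file" 2>/dev/null)" = "1" ]
}

# Print the provider flags for the openssl CLI (or, equivalently, the set an
# application would pass to OSSL_PROVIDER_load()). In FIPS mode the 'default'
# and 'legacy' providers are deliberately not requested, so no non-certified
# algorithm can be selected; '-propquery fips=yes' additionally pins selection
# to FIPS-approved implementations instead of leaving it unspecified.
openssl_provider_args() {
    if fips_enabled "$1"; then
        printf '%s\n' "-provider fips -provider base -propquery fips=yes"
    else
        printf '%s\n' "-provider default -provider legacy"
    fi
}

# Show the decision for this host, and list the providers OpenSSL actually
# activates with those flags when the openssl CLI is available. A load failure
# (for example, no FIPS module installed) is reported rather than fatal.
show_providers() {
    args="$(openssl_provider_args)"
    printf 'provider flags for this host: %s\n' "$args"
    if command -v openssl >/dev/null 2>&1; then
        # shellcheck disable=SC2086  # word splitting of $args is intended
        openssl list -providers $args || printf 'provider load failed\n'
    fi
}

show_providers
```

`fips_enabled` follows the convention of the kernel flag (a single digit, `1` for enabled), so a file containing `0`, an empty file, or no file at all all count as non-FIPS; that is the safe direction for the availability of `legacy` algorithms, but note it means a misconfigured or unreadable flag silently yields the non-FIPS provider set, which is worth logging in a real deployment.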