Re: [openssl-dev] [openssl.org #4115] [PATCH] Remove remaining FIPS code

2016-01-17 Thread Salz, Rich

> What about removing the declaration of FIPS_mode and FIPS_mode_set?
> Those functions could be used by external packages at configure time to
> detect that fips is not supported at all.
> Note 1.0.0 does not declare both functions.

For various reasons, the team wants them there.
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev




Re: [openssl-dev] [openssl.org #4115] [PATCH] Remove remaining FIPS code

2016-01-16 Thread Alessandro Ghedini via RT
This has been (partially) fixed, so it can probably be closed.




[openssl-dev] [openssl.org #4115] [PATCH] Remove remaining FIPS code

2016-01-16 Thread Rich Salz via RT
We did everything we want to do, closing this.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



Re: [openssl-dev] [openssl.org #4115] [PATCH] Remove remaining FIPS code

2015-11-13 Thread Salz, Rich

> So, does the above mean that my patch is not going to be merged?

No.  It will be.


Re: [openssl-dev] [openssl.org #4115] [PATCH] Remove remaining FIPS code

2015-11-11 Thread Alessandro Ghedini
On Sat, Oct 31, 2015 at 08:34:33am -0400, Steve Marquess wrote:
> On 10/31/2015 08:26 AM, Alessandro Ghedini via RT wrote:
> > Hi,
> > 
> > I don't know what your intentions are with FIPS support in master, ...
> 
> We would like to continue to provide a FIPS validated module for the 1.1
> (and subsequent) releases. Unfortunately the current module ("OpenSSL
> FIPS Object Module 2.0") designed for compatibility with the 1.0
> releases won't be compatible with 1.1. That means we need to obtain a
> new validation for a new module, an endeavor fraught with many
> difficulties (none of them technical).
> 
> I do expect the stars will align for that eventually, as they have for
> the five previous open source based validations. In the interim, since
> the FIPS module is shaped almost entirely by policy and metaphysical
> considerations, we should not include any incomplete FIPS specific code
> in 1.1 -- code that even if complete in some speculative sense would
> also be unusable absent a matching FIPS 140-2 validation.

So, does the above mean that my patch is not going to be merged?

Cheers




Re: [openssl-dev] [openssl.org #4115] [PATCH] Remove remaining FIPS code

2015-10-31 Thread Steve Marquess
On 10/31/2015 08:26 AM, Alessandro Ghedini via RT wrote:
> Hi,
> 
> I don't know what your intentions are with FIPS support in master, ...

We would like to continue to provide a FIPS validated module for the 1.1
(and subsequent) releases. Unfortunately the current module ("OpenSSL
FIPS Object Module 2.0") designed for compatibility with the 1.0
releases won't be compatible with 1.1. That means we need to obtain a
new validation for a new module, an endeavor fraught with many
difficulties (none of them technical).

I do expect the stars will align for that eventually, as they have for
the five previous open source based validations. In the interim, since
the FIPS module is shaped almost entirely by policy and metaphysical
considerations, we should not include any incomplete FIPS specific code
in 1.1 -- code that even if complete in some speculative sense would
also be unusable absent a matching FIPS 140-2 validation.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc


[openssl-dev] [openssl.org #4115] [PATCH] Remove remaining FIPS code

2015-10-31 Thread Alessandro Ghedini via RT
Hi,

I don't know what your intentions are with FIPS support in master, but after
the removal of most of the fips/ code, several bits and pieces of now broken
code have remained in the codebase. IMO it'd be better to just remove it for
now.

See the following GitHub pull request:
https://github.com/openssl/openssl/pull/449

Cheers

___
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod



Re: [openssl-dev] [openssl.org #4115] [PATCH] Remove remaining FIPS code

2015-10-31 Thread Richard Levitte
Can't recall previous discussions on this, but would it be possible to have a 
FIPS engine? 

Cheers 
Richard 

Steve Marquess wrote: (31 October 2015 13:34:33 CET)
>On 10/31/2015 08:26 AM, Alessandro Ghedini via RT wrote:
>> Hi,
>> 
>> I don't know what your intentions are with FIPS support in master, ...
>
>We would like to continue to provide a FIPS validated module for the 1.1
>(and subsequent) releases. Unfortunately the current module ("OpenSSL
>FIPS Object Module 2.0") designed for compatibility with the 1.0
>releases won't be compatible with 1.1. That means we need to obtain a
>new validation for a new module, an endeavor fraught with many
>difficulties (none of them technical).
>
>I do expect the stars will align for that eventually, as they have for
>the five previous open source based validations. In the interim, since
>the FIPS module is shaped almost entirely by policy and metaphysical
>considerations, we should not include any incomplete FIPS specific code
>in 1.1 -- code that even if complete in some speculative sense would
>also be unusable absent a matching FIPS 140-2 validation.
>
>-Steve M.



Re: [openssl-dev] [openssl.org #4115] [PATCH] Remove remaining FIPS code

2015-10-31 Thread Richard Levitte


On October 31, 2015 2:09:50 PM GMT+01:00, Steve Marquess wrote:
>On 10/31/2015 09:01 AM, Richard Levitte wrote:
>> Can't recall previous discussions on this, but would it be possible to have a FIPS engine?
>
>Of a sort, yes. I'll let Steve Henson speak to the details, but it is
>his hope (and mine) that FIPS module support for 1.1 and beyond would be
>modular so the FIPS module and OpenSSL releases would no longer be so
>tightly coupled.
>
>-Steve M.

I'm most certainly interested in such an effort. 
-- 
levi...@openssl.org 


Re: [openssl-dev] [openssl.org #4115] [PATCH] Remove remaining FIPS code

2015-10-31 Thread Steve Marquess
On 10/31/2015 09:01 AM, Richard Levitte wrote:
> Can't recall previous discussions on this, but would it be possible to have a 
> FIPS engine? 

Of a sort, yes. I'll let Steve Henson speak to the details, but it is
his hope (and mine) that FIPS module support for 1.1 and beyond would be
modular so the FIPS module and OpenSSL releases would no longer be so
tightly coupled.

-Steve M.
