Public bug reported: We have an open MR with a handful of FIPS compatibilty changes we wore hoping to get into 24.04. The main purpose of the changes is to detect whether the kernel is running in FIPS mode and adjust the behavior of the library accordingly by loading the correct provider backend and using defaults that are FIPS compliant (no md5, DES etc) instead trying to use non-compliant code paths and crashing.
The proposed patches were taken from the OpenSSL version shipped in the FIPS archive at esm.ubuntu.com for 22.04. Having them in the regular archive will reduce the maintenance work significantly. None of the changes should have any impact on running OpenSSL in regular (non-fips) mode. Below is a detailed list of the changes: - d/p/fips/crypto-Add-kernel-FIPS-mode-detection.patch: This adds a new internal API to determine whether the kernel has been booted in FIPS mode. This can be overridden with the OPENSSL_FORCE_FIPS_MODE environment variable. OPENSSL_FIPS_MODE_SWITCH_PATH can be used to specify an alternative path for the fips_enabled file and is used in tests. The FIPS_MODULE switch can be used to enable build of the the FIPS provider module specific parts which are not needed in the OpenSSL library itself. - d/p/fips/crypto-Automatically-use-the-FIPS-provider-when-the-kerne.patch: This automatically configures all library contexts to use the FIPS provider when the kernel is booted in FIPS mode by: - Setting "fips=yes" as the default property for algorithm fetches - Loading and activating the FIPS provider as the fallback provider. If applications load providers via a configuration either because the default configuration is modified or they override the default configuration, this disables loading of the fallback providers. In this case, the configuration must load the FIPS provider when FIPS mode is enabled, else algorithm fetches will fail Applications can choose to use non-FIPS approved algorithms by specifying the "-fips" or "fips=no" property for algorithm fetches and loading the default provider. - d/p/fips/apps-speed-Omit-unavailable-algorithms-in-FIPS-mode.patch: Omit unavailable algorithms in FIPS mode - d/p/fips/apps-pass-propquery-arg-to-the-libctx-DRBG-fetches.patch The -propquery argument might be used to define a preference for which provider an algorithm is fetched from. Set the query properties for the library context DRBG fetches as well so that they are fetched with the same properties. - d/p/fips/test-Ensure-encoding-runs-with-the-correct-context-during.patch: This test uses 2 library contexts - one context for creating initial test keys, and then another context (or the default context) for running tests. There is an issue that during the encoding tests, the OSSL_ENCODER_CTX is created from the created EVP_PKEYs, which are associated with the library context used to create the keys. This means that encoding tests run with the wrong library context, which always uses the default provider. The link for the MR is at https://code.launchpad.net/~tobhe/ubuntu/+source/openssl/+git/openssl/+merge/460953 Since OpenSSL just received another big update to 3.0.13 we had to rebase our changes and will have to rerun our install/upgrade tests. A test build is also available at https://launchpad.net/~tobhe/+archive/ubuntu/openssl-test/ ** Affects: openssl (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/2056593 Title: [FFE] FIPS compatibility patches Status in openssl package in Ubuntu: New Bug description: We have an open MR with a handful of FIPS compatibilty changes we wore hoping to get into 24.04. The main purpose of the changes is to detect whether the kernel is running in FIPS mode and adjust the behavior of the library accordingly by loading the correct provider backend and using defaults that are FIPS compliant (no md5, DES etc) instead trying to use non-compliant code paths and crashing. The proposed patches were taken from the OpenSSL version shipped in the FIPS archive at esm.ubuntu.com for 22.04. Having them in the regular archive will reduce the maintenance work significantly. None of the changes should have any impact on running OpenSSL in regular (non-fips) mode. Below is a detailed list of the changes: - d/p/fips/crypto-Add-kernel-FIPS-mode-detection.patch: This adds a new internal API to determine whether the kernel has been booted in FIPS mode. This can be overridden with the OPENSSL_FORCE_FIPS_MODE environment variable. OPENSSL_FIPS_MODE_SWITCH_PATH can be used to specify an alternative path for the fips_enabled file and is used in tests. The FIPS_MODULE switch can be used to enable build of the the FIPS provider module specific parts which are not needed in the OpenSSL library itself. - d/p/fips/crypto-Automatically-use-the-FIPS-provider-when-the-kerne.patch: This automatically configures all library contexts to use the FIPS provider when the kernel is booted in FIPS mode by: - Setting "fips=yes" as the default property for algorithm fetches - Loading and activating the FIPS provider as the fallback provider. If applications load providers via a configuration either because the default configuration is modified or they override the default configuration, this disables loading of the fallback providers. In this case, the configuration must load the FIPS provider when FIPS mode is enabled, else algorithm fetches will fail Applications can choose to use non-FIPS approved algorithms by specifying the "-fips" or "fips=no" property for algorithm fetches and loading the default provider. - d/p/fips/apps-speed-Omit-unavailable-algorithms-in-FIPS-mode.patch: Omit unavailable algorithms in FIPS mode - d/p/fips/apps-pass-propquery-arg-to-the-libctx-DRBG-fetches.patch The -propquery argument might be used to define a preference for which provider an algorithm is fetched from. Set the query properties for the library context DRBG fetches as well so that they are fetched with the same properties. - d/p/fips/test-Ensure-encoding-runs-with-the-correct-context-during.patch: This test uses 2 library contexts - one context for creating initial test keys, and then another context (or the default context) for running tests. There is an issue that during the encoding tests, the OSSL_ENCODER_CTX is created from the created EVP_PKEYs, which are associated with the library context used to create the keys. This means that encoding tests run with the wrong library context, which always uses the default provider. The link for the MR is at https://code.launchpad.net/~tobhe/ubuntu/+source/openssl/+git/openssl/+merge/460953 Since OpenSSL just received another big update to 3.0.13 we had to rebase our changes and will have to rerun our install/upgrade tests. A test build is also available at https://launchpad.net/~tobhe/+archive/ubuntu/openssl-test/ To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2056593/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
