[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-26 Thread Joy Latten
I have subscribed to openssl bug reports. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1553309 Title: [FFe]: Include FIPS 140-2 into openssl package To manage notifications about this bug go to:

Re: [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-20 Thread Martin Pitt
Hey Joy, Joy Latten [2016-04-19 23:18 -]: > I have a newbie question, what else should I do for this feature freeze? Formally, nothing. The latest package is in xenial, so now it's "lean back and enjoy", err, I mean "continue testing it" :-) It would really be good and adequate if you

Re: [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-19 Thread Joy Latten
Hi Martin, I have a newbie question, what else should I do for this feature freeze? Thanks! :-) regards, Joy On Fri, Apr 15, 2016 at 12:14 AM, Martin Pitt wrote: > Thanks! There's still an awful amount of patch noise, but indeed some of > it is unavoidable as you say.

[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-14 Thread Martin Pitt
Thanks! There's still an awful amount of patch noise, but indeed some of it is unavoidable as you say. But this is incrementally better than before, thanks for the cleanup! I uploaded this now: https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu4

[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-14 Thread Joy Latten
Also, ran same testing on latest ppa version (ppa7) and they all passed.

[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-14 Thread Joy Latten
Hi Martin, I also ran an interdiff when I re-factored to ensure alignment with original fedora patches. 2 or 3 of them did not apply cleanly, for various reasons, so I had to make very small changes. I also named each patch in debian/patches to be same as in fedora. For interdiff of

[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-14 Thread Joy Latten
Hi Martin, my ppa has a debdiff that is against my prior version. You may find this more useful than the ppa I just attached above. here is a pointer, https://launchpadlibrarian.net/253756858/openssl_1.0.2g-1ubuntu3~ppa6_1.0.2g-1ubuntu3~ppa7.diff.gz

[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-14 Thread Joy Latten
New debdiff with fixed Origin and cleaner fedora patches. ** Attachment added: "New debdiff against openssl-1.0.2g-1ubuntu2" https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309/+attachment/4636880/+files/debdiff-openssl_1.0.2g-1ubuntu3~ppa7

Re: [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-13 Thread Joy Latten
Ok, I will get to work on these changes now. I will keep the first 5 patches original to fedora. And then in my cleanup patch do the stuff to get rid of undefined symbols, etc... And that way I can point my Origin to the git.fedora. Thanks!! regards, Joy On Wed, Apr 13, 2016 at 3:32 PM, Martin

[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-13 Thread Launchpad Bug Tracker
This bug was fixed in the package openssl - 1.0.2g-1ubuntu3 --- openssl (1.0.2g-1ubuntu3) xenial; urgency=medium * Add fips support to openssl, LP: #1553309 - debian/patches/openssl-1.0.2g-fips.patch: [PATCH 1/6] Add selftest, fips support, crypto compliance and define

[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-13 Thread Martin Pitt
** Tags removed: block-proposed

Re: [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-13 Thread Martin Pitt
Joy Latten [2016-04-13 18:08 -]: > Started looking into those patch diffs... > for the openssl-1.0.2a-fips-ec.patch one, I had a bunch of undefined > symbols and so cleaned these up, causing my diff to be slightly off... my > bad. Ah, that makes sense. > Oh, and also, that patch installed

Re: [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-13 Thread Joy Latten
Hi Martin, Cool! Started looking into those patch diffs... for the openssl-1.0.2a-fips-ec.patch one, I had a bunch of undefined symbols and so cleaned these up, causing my diff to be slightly off... my bad. Should have saved that for the last patch that was for my cleanup... sorry, I hated not

[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-13 Thread Martin Pitt
For the record: http://people.canonical.com/~ubuntu-archive/proposed-migration/update_excuses.html#openssl looks good (linux/armhf still running, but that should not be relevant), but I blocked this to -proposed for now. I'll let this into xenial later tonight for testing, but we still need a

[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-13 Thread Martin Pitt
> I was not sure of the naming convention for the patches, so I kept the same name as in fedora but used the version of openssl that we were patching. The patch name is not that important. But it's very important to give the precise URL where you took it from, and that the patch actually matches

Re: [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-13 Thread Joy Latten
Hi Martin, I will fix the Origin today. I was not sure of the naming convention for the patches, so I kept the same name as in fedora but used the version of openssl that we were patching. If you prefer, I can instead use exact same name as fedora. I actually pulled my patches from Fedora

[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-13 Thread Martin Pitt
** Tags added: block-proposed

[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-13 Thread Martin Pitt
> Dividing up the patch proved to be a challenge but was the right thing to do. Many thanks for doing this! Can you please fix the "Origin: http://dl.fedoraproject.org/pub/fedora/linux/development" fields still? They should point to a particular patch in a place like

[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-12 Thread Joy Latten
New test package and debdiff. All the same testing completed successfully. New test package, https://launchpad.net/~j-latten/+archive/ubuntu/myppa ** Attachment added: "debdiff: latest patch series (6 patches) to add fips support to openssl"

Re: [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-12 Thread Joy Latten
Hi Martin, Dividing up the patch proved to be a challenge but was the right thing to do. I divided it up into a patch series of 6, with the first 5 patches being those from fedora. The 6th patch was all my corrections and updates. I ran all the prior testcases successfully. Weird, but the fedora

[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-12 Thread Joy Latten
Code Review Resolutions: 1. Original one patch divided up into a patch-series of 6 patches. The first 5 patches are the original patches from fedora. The 6th patch authored by me to fix compiler warnings and use updated fips compliant algorithms and tests from upstream openssl and openssl fips

[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-12 Thread Joy Latten
** Attachment added: "debdiff: latest patch series (6 patches) to add fips support to openssl" https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309/+attachment/4634739/+files/debdiff.openssl_1.0.2g-1ubuntu3~ppa5

Re: [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-08 Thread Joy Latten
Hi Martin, I will get to work on all the resolutions we mentioned. Thanks! I will send you email when completed and list them. regards, Joy On Fri, Apr 8, 2016 at 2:07 AM, Martin Pitt wrote: > Joy Latten [2016-04-08 5:07 -]: > > > -# define SHA1_Init

Re: [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-08 Thread Martin Pitt
Joy Latten [2016-04-08 5:07 -]: > > -# define SHA1_Init private_SHA1_Init > Those defines are within an OPENSSL_FIPS so were never used in regular > openssl. Ah, I see that this doesn't actually get shipped in libssl-dev, so sorry for the noise. > > The changes in crypto/evp/p_sign.c

Re: [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-08 Thread Martin Pitt
Joy Latten [2016-04-08 5:17 -]: > Ok, I agree. But I am afraid will still be big. The fedora patch had > already incorporated almost all the stuff needed from the openssl-fips > module. Right, the split patches will of course not be any smaller, but it'll be a magnitude easier (or even make

Re: [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-07 Thread Joy Latten
Hi Martin, Responses below. Thanks! regards, Joy On Thu, Apr 7, 2016 at 5:27 AM, Martin Pitt wrote: > Hello Joy, > > thanks for your answers. I'll cut out the ones that are resolved now > from my POV. > > Joy Latten [2016-04-06 19:48 -]: > > crypto in regular

Re: [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-07 Thread Joy Latten
Hi Martin, My responses below. Thanks! regards, Joy On Thu, Apr 7, 2016 at 6:29 AM, Martin Pitt wrote: > I reviewed the remainder of the patch: > > crypto/evp/evp_locl.h > -# define SHA1_Init private_SHA1_Init > -# define SHA224_Init private_SHA224_Init > -#

[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-07 Thread Martin Pitt
I reviewed the remainder of the patch: crypto/evp/evp_locl.h -# define SHA1_Init private_SHA1_Init -# define SHA224_Init private_SHA224_Init -# define SHA256_Init private_SHA256_Init -# define SHA384_Init private_SHA384_Init -# define SHA512_Init private_SHA512_Init -#

Re: [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-07 Thread Martin Pitt
Hello Joy, thanks for your answers. I'll cut out the ones that are resolved now from my POV. Joy Latten [2016-04-06 19:48 -]: > crypto in regular openssl when in fips mode. The openssl-fips module is not > only bigger than this patch, but is separate and a bit more complex. > Since it is

Re: [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-06 Thread Joy Latten
Hi Martin, This email addresses the second half, below. regards, Joy On Wed, Apr 6, 2016 at 4:33 AM, Martin Pitt wrote: > The patch changes behaviour even in !fips mode, e. g. in apps/speed.c: > > for (i = 0; i < DSA_NUM; i++) > -dsa_doit[i] = 1;

Re: [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-06 Thread Joy Latten
Hi Martin, My apology for the delay. I had a morning full of meetings and I needed to look at the code to answer. I have addressed the first half of your email and will continue with the second half next. Will send another email regards, Joy On Wed, Apr 6, 2016 at 4:33 AM, Martin Pitt

[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-06 Thread Martin Pitt
The patch changes behaviour even in !fips mode, e. g. in apps/speed.c: for (i = 0; i < DSA_NUM; i++) -dsa_doit[i] = 1; +if (!FIPS_mode() || i != R_DSA_512) +dsa_doit[i] = 1; (additional check for R_DSA_512), and it even modifies code that doesn't

[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-06 Thread Joy Latten
New debdiff. Added a few more sentences to describe the patch to the patch header. Also corrected a compiler warning. ** Attachment added: "Patch to include fips selftest and fips support to openssl"

[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-05 Thread Joy Latten
Short summary of above comments: - FIPS 140-2 is a U.S. government security standard for crypto. It involves receiving accreditation for the crypto. - This patch contains, - selftest required by FIPS - defines OPENSSL_FIPS - a few crypto additions/changes that are constrained by

[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-04 Thread Joy Latten
** Changed in: openssl (Ubuntu) Status: Incomplete => Confirmed

[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-03-29 Thread Joy Latten
Overview - FIPS 140-2 is a U.S. Government computer security standard to accredit cryptographic modules. The certification process validates and certifies the crypto within the module or used by the module. Canonical is pursuing FIPS 140-2 certification for several modules in

[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-03-29 Thread Martin Pitt
The bug title is misleading -- judging by the patch this is by far more than just adding a new selftest. This patch changes the runtime behaviour in multiple places too. Can you please describe what FIPS is, where the patch comes from, how this got tested, how can we be sure that this does not