Re: [openssl-dev] [openssl.org #4115] [PATCH] Remove remaining FIPS code
> What about to remove declaration of FIPS_mode and FIPS_mode_set?
> Those functions could be used by external packages at configure time to
> detect that fips is not supported at all.
> Note 1.0.0 does not declare both functions.

For various reasons, the team wants them there.

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #4115] [PATCH] Remove remaining FIPS code
Rich Salz via RT wrote:
> we did everything we want to do, closing this.

What about to remove declaration of FIPS_mode and FIPS_mode_set?
Those functions could be used by external packages at configure time to detect that fips is not supported at all.
Note 1.0.0 does not declare both functions.

Regards
Roumen Petrov
[openssl-dev] [openssl.org #4115] [PATCH] Remove remaining FIPS code
we did everything we want to do, closing this.

--
Rich Salz, OpenSSL dev team; rs...@openssl.org
Re: [openssl-dev] [openssl.org #4115] [PATCH] Remove remaining FIPS code
This has been (partially) fixed, so it can probably be closed.
Re: [openssl-dev] [openssl.org #4115] [PATCH] Remove remaining FIPS code
> So, does the above mean that my patch is not going to be merged?

No. It will be.
Re: [openssl-dev] [openssl.org #4115] [PATCH] Remove remaining FIPS code
On Sat, Oct 31, 2015 at 08:34:33am -0400, Steve Marquess wrote:
> On 10/31/2015 08:26 AM, Alessandro Ghedini via RT wrote:
> > Hi,
> >
> > I don't know what your intentions are with FIPS support in master, ...
>
> We would like to continue to provide a FIPS validated module for the 1.1
> (and subsequent) releases. Unfortunately the current module ("OpenSSL
> FIPS Object Module 2.0") designed for compatibility with the 1.0
> releases won't be compatible with 1.1. That means we need to obtain a
> new validation for a new module, an endeavor fraught with many
> difficulties (none of them technical).
>
> I do expect the stars will align for that eventually, as they have for
> the five previous open source based validations. In the interim, since
> the FIPS module is shaped almost entirely by policy and metaphysical
> considerations, we should not include any incomplete FIPS specific code
> in 1.1 -- code that even if complete in some speculative sense would
> also be unusable absent a matching FIPS 140-2 validation.

So, does the above mean that my patch is not going to be merged?

Cheers
Re: [openssl-dev] [openssl.org #4115] [PATCH] Remove remaining FIPS code
On October 31, 2015 2:09:50 PM GMT+01:00, Steve Marquess wrote:
> On 10/31/2015 09:01 AM, Richard Levitte wrote:
> > Can't recall previous discussions on this, but would it be possible
> > to have a FIPS engine?
>
> Of a sort, yes. I'll let Steve Henson speak to the details, but it is
> his hope (and mine) that FIPS module support for 1.1 and beyond would be
> modular so the FIPS module and OpenSSL releases would no longer be so
> tightly coupled.
>
> -Steve M.

I'm most certainly interested in such an effort.

--
levi...@openssl.org
Re: [openssl-dev] [openssl.org #4115] [PATCH] Remove remaining FIPS code
On 10/31/2015 09:01 AM, Richard Levitte wrote:
> Can't recall previous discussions on this, but would it be possible to have a
> FIPS engine?

Of a sort, yes. I'll let Steve Henson speak to the details, but it is
his hope (and mine) that FIPS module support for 1.1 and beyond would be
modular so the FIPS module and OpenSSL releases would no longer be so
tightly coupled.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
Re: [openssl-dev] [openssl.org #4115] [PATCH] Remove remaining FIPS code
Can't recall previous discussions on this, but would it be possible to have a FIPS engine?

Cheers
Richard

Steve Marquess wrote: (31 October 2015 13:34:33 CET)
> On 10/31/2015 08:26 AM, Alessandro Ghedini via RT wrote:
> > Hi,
> >
> > I don't know what your intentions are with FIPS support in master, ...
>
> We would like to continue to provide a FIPS validated module for the 1.1
> (and subsequent) releases. Unfortunately the current module ("OpenSSL
> FIPS Object Module 2.0") designed for compatibility with the 1.0
> releases won't be compatible with 1.1. That means we need to obtain a
> new validation for a new module, an endeavor fraught with many
> difficulties (none of them technical).
>
> I do expect the stars will align for that eventually, as they have for
> the five previous open source based validations. In the interim, since
> the FIPS module is shaped almost entirely by policy and metaphysical
> considerations, we should not include any incomplete FIPS specific code
> in 1.1 -- code that even if complete in some speculative sense would
> also be unusable absent a matching FIPS 140-2 validation.
>
> -Steve M.
Re: [openssl-dev] [openssl.org #4115] [PATCH] Remove remaining FIPS code
On 10/31/2015 08:26 AM, Alessandro Ghedini via RT wrote:
> Hi,
>
> I don't know what your intentions are with FIPS support in master, ...

We would like to continue to provide a FIPS validated module for the 1.1
(and subsequent) releases. Unfortunately the current module ("OpenSSL
FIPS Object Module 2.0") designed for compatibility with the 1.0
releases won't be compatible with 1.1. That means we need to obtain a
new validation for a new module, an endeavor fraught with many
difficulties (none of them technical).

I do expect the stars will align for that eventually, as they have for
the five previous open source based validations. In the interim, since
the FIPS module is shaped almost entirely by policy and metaphysical
considerations, we should not include any incomplete FIPS specific code
in 1.1 -- code that even if complete in some speculative sense would
also be unusable absent a matching FIPS 140-2 validation.

-Steve M.
[openssl-dev] [openssl.org #4115] [PATCH] Remove remaining FIPS code
Hi,

I don't know what your intentions are with FIPS support in master, but after
the removal of most of the fips/ code, several bits and pieces of now broken
code have remained in the codebase. IMO it'd be better to just remove it for now.

See the following GitHub pull request:
https://github.com/openssl/openssl/pull/449

Cheers

___
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod