** Changed in: openssl (Ubuntu)
    Milestone: None => ubuntu-24.10

** Also affects: openssl (Ubuntu Oracular)
   Importance: Undecided
       Status: New

** Also affects: openssl (Ubuntu Noble)
   Importance: Undecided
       Status: New

** Changed in: openssl (Ubuntu Noble)
    Milestone: None => noble-updates

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2073991

Title:
  Add FIPS defines to Noble OpenSSL header files

Status in openssl package in Ubuntu:
  New
Status in openssl source package in Noble:
  New
Status in openssl source package in Oracular:
  New

Bug description:
  Release: Noble
  OpenSSL version: 3.0.13-0ubuntu3.1

  The Noble FIPS release only produces the FIPS provider library. In
  previous versions, like Jammy, the FIPS release also produced a
  libssl-dev that contained the FIPS changes to the header files needed
  for compiling against the FIPS library. For Noble, it was planned to
  rely on the standard libssl-dev release and to have all of the needed
  defines already present in that standard release. In the Atsec review
  of the Noble FIPS release, it was discovered that the FIPS patches
  make changes to three header files which did not get included in the
  standard Noble libssl-dev release. The request is to add these changes
  into the Noble OpenSSL release:

  From 0010-providers-Add-a-FIPS-status-indicator.patch:
  include/openssl/fips_names.h
  /*
   * The module status indicator for the FIPS provider. This is queried from
   * the provider.
   * Type: OSSL_PARAM_INTEGER
   */
  # define UBUNTU_OSSL_PROV_FIPS_PARAM_UNAPPROVED_USAGE "ubuntu.fips-unapproved-usage"

  
  From 0046-signature-Clamp-PSS-salt-len-to-MD-len.patch
  include/openssl/core_names.h: 
  #define OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX "auto-digestmax"

  include/openssl/rsa.h
  /* Auto-detect on verify, set salt length to min(maximum possible, digest
   * length) on sign */
  # define RSA_PSS_SALTLEN_AUTO_DIGEST_MAX  -4

  
  From 0049-crypto-dh-perform-a-PCT-during-key-generation.patch
  include/openssl/self_test.h
  # define UBUNTU_OSSL_SELF_TEST_DESC_PCT_DH  "DH"

  
  Atsec is asking for the "UBUNTU_OSSL_PROV_FIPS_PARAM_UNAPPROVED_USAGE"
  define so that is the priority. The other defines were found by
  searching the FIPS openssl patches for changes to files in the
  include/openssl directory.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2073991/+subscriptions
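
A check for the defines listed in the bug description, as an added example that is not part of the bug report or of the Ubuntu packaging: it scans an include tree for the four macros and reports any that are missing, commented out, or defined with a different value. The /usr/include default and the function names parse_defines and check_headers are assumptions of this example.

```python
import re
import sys
from pathlib import Path

# Defines listed in the bug description, keyed by header path relative to the
# include root (assumed to be /usr/include for an installed libssl-dev).
EXPECTED = {
    "openssl/fips_names.h": {
        "UBUNTU_OSSL_PROV_FIPS_PARAM_UNAPPROVED_USAGE": '"ubuntu.fips-unapproved-usage"'},
    "openssl/core_names.h": {
        "OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX": '"auto-digestmax"'},
    "openssl/rsa.h": {"RSA_PSS_SALTLEN_AUTO_DIGEST_MAX": "-4"},
    "openssl/self_test.h": {"UBUNTU_OSSL_SELF_TEST_DESC_PCT_DH": '"DH"'},
}

# Matches "#define NAME value" and OpenSSL's spaced "# define NAME value".
DEFINE_RE = re.compile(r"^[ \t]*#[ \t]*define[ \t]+(\w+)[ \t]*(.*?)[ \t]*$", re.M)


def parse_defines(text):
    """Map macro name -> replacement text, ignoring anything inside comments."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return {m.group(1): m.group(2) for m in DEFINE_RE.finditer(text)}


def check_headers(include_root):
    """Return (header, macro, problem) for each expected define that is absent or differs."""
    findings = []
    for header, macros in EXPECTED.items():
        path = Path(include_root) / header
        if not path.is_file():
            findings += [(header, name, "header missing") for name in macros]
            continue
        found = parse_defines(path.read_text(errors="replace"))
        for name, want in macros.items():
            if name not in found:
                findings.append((header, name, "not defined"))
            elif found[name] != want:
                findings.append((header, name, f"defined as {found[name]}, expected {want}"))
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/include"
    problems = check_headers(root)
    for header, name, problem in problems:
        print(f"{header}: {name}: {problem}")
    sys.exit(1 if problems else 0)
```

The script exits non-zero when any define is missing, so it can gate a build that needs to compile against the FIPS provider.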

