PR for OpenSSL FIPS

PR for OpenSSL FIPS

Misaki Miyashita
Hi,

I would like the same change as the following PR to be applied to the
OpenSSL FIPS module:
     https://github.com/openssl/openssl/pull/342

How should I proceed in this case?
Should I make a pull request for the openssl:OpenSSL-fips-2_0-dev branch?

Thank you,

-- misaki

--
Oracle Solaris Security - Austin, TX
Principal Software Engineer

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: PR for OpenSSL FIPS

Steve Marquess-4
On 07/28/2015 03:17 PM, Misaki.Miyashita wrote:
> Hi,
>
> I would like the same change as the following PR to be applied to the
> OpenSSL FIPS module:
>     https://github.com/openssl/openssl/pull/342
>
> How should I proceed in this case?
> Should I make a pull request for the openssl:OpenSSL-fips-2_0-dev branch?
>

The FIPS module is unfortunately a special case because we can't make
any changes to already validated code. Our only opportunity to introduce
source code changes is when we do "change letter" updates, and those we
have to pay for (and wait on for months). Only some kinds of source code
changes can be done even with that process. For example, we were unable
to fully mitigate "Lucky 13" for the FIPS-enabled OpenSSL because we
weren't allowed to make the necessary changes to the FIPS module.

So feel free to make changes yourself to your local copy of the code,
but you'll need to get that modified code validated to claim FIPS 140-2
validation. There is no reason to use the FIPS module code otherwise, so
the basic rule is you just have to live with whatever flaws or omissions
are present.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
[hidden email]
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc