On 07/28/2015 03:17 PM, Misaki.Miyashita wrote:
> I would like the same change as the following PR to be applied to the
> OpenSSL FIPS module:
> https://github.com/openssl/openssl/pull/342 >
> How should I proceed in this case?
> Should I make a pull request for the openssl:OpenSSL-fips-2_0-dev branch?
The FIPS module is unfortunately a special case because we can't make
any changes to already validated code. Our only opportunity to introduce
course code changes is when we do "change letter" updates, and those we
have to pay for (and wait on for months). Only some kinds of source code
changes can be done even with that process. For example, we were unable
to fully mitigate "Lucky 13" for the FIPS-enabled OpenSSL because we
weren't allowed to make the necessary changes to the FIPS module.
So feel free to make changes yourself to your local copy of the code,
but you'll need to get that modified code validated to claim FIPS 140-2
validation. There is no reason to use the FIPS module code otherwise, so
the basic rule is you just have to live with whatever flaws or omissions