[openssl.org #4115] [PATCH] Remove remaining FIPS code


[openssl.org #4115] [PATCH] Remove remaining FIPS code

Rich Salz via RT
Hi,

I don't know what your intentions are with FIPS support in master, but after
the removal of most of the fips/ code, several bits and pieces of now broken
code have remained in the codebase. IMO it'd be better to just remove it for
now.

See the following GitHub pull request:
https://github.com/openssl/openssl/pull/449

Cheers

_______________________________________________
openssl-bugs-mod mailing list
[hidden email]
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl.org #4115] [PATCH] Remove remaining FIPS code

Steve Marquess-4
On 10/31/2015 08:26 AM, Alessandro Ghedini via RT wrote:
> Hi,
>
> I don't know what your intentions are with FIPS support in master, ...

We would like to continue to provide a FIPS validated module for the 1.1
(and subsequent) releases. Unfortunately the current module ("OpenSSL
FIPS Object Module 2.0") designed for compatibility with the 1.0
releases won't be compatible with 1.1. That means we need to obtain a
new validation for a new module, an endeavor fraught with many
difficulties (none of them technical).

I do expect the stars will align for that eventually, as they have for
the five previous open source based validations. In the interim, since
the FIPS module is shaped almost entirely by policy and metaphysical
considerations, we should not include any incomplete FIPS specific code
in 1.1 -- code that even if complete in some speculative sense would
also be unusable absent a matching FIPS 140-2 validation.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
[hidden email]
[hidden email]
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

Re: [openssl.org #4115] [PATCH] Remove remaining FIPS code

Richard Levitte - VMS Whacker-2
Can't recall previous discussions on this, but would it be possible to have a FIPS engine?

Cheers
Richard

Steve Marquess <[hidden email]> wrote: (31 October 2015 13:34:33 CET)

>On 10/31/2015 08:26 AM, Alessandro Ghedini via RT wrote:
>> Hi,
>>
>> I don't know what your intentions are with FIPS support in master,
>...
>
>We would like to continue to provide a FIPS validated module for the
>1.1
>(and subsequent) releases. Unfortunately the current module ("OpenSSL
>FIPS Object Module 2.0") designed for compatibility with the 1.0
>releases won't be compatible with 1.1. That means we need to obtain a
>new validation for a new module, an endeavor fraught with many
>difficulties (none of them technical).
>
>I do expect the stars will align for that eventually, as they have for
>the five previous open source based validations. In the interim, since
>the FIPS module is shaped almost entirely by policy and metaphysical
>considerations, we should not include any incomplete FIPS specific code
>in 1.1 -- code that even if complete in some speculative sense would
>also be unusable absent a matching FIPS 140-2 validation.
>
>-Steve M.

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: [openssl.org #4115] [PATCH] Remove remaining FIPS code

Steve Marquess-4
On 10/31/2015 09:01 AM, Richard Levitte wrote:
> Can't recall previous discussions on this, but would it be possible to have a FIPS engine?

Of a sort, yes. I'll let Steve Henson speak to the details, but it is
his hope (and mine) that FIPS module support for 1.1 and beyond would be
modular so the FIPS module and OpenSSL releases would no longer be so
tightly coupled.

-Steve M.


Re: [openssl.org #4115] [PATCH] Remove remaining FIPS code

Richard Levitte - VMS Whacker-2


On October 31, 2015 2:09:50 PM GMT+01:00, Steve Marquess <[hidden email]> wrote:

>On 10/31/2015 09:01 AM, Richard Levitte wrote:
>> Can't recall previous discussions on this, but would it be possible
>to have a FIPS engine?
>
>Of a sort, yes. I'll let Steve Henson speak to the details, but it is
>his hope (and mine) that FIPS module support for 1.1 and beyond would
>be
>modular so the FIPS module and OpenSSL releases would no longer be so
>tightly coupled.
>
>-Steve M.

I'm most certainly interested in such an effort.

Re: [openssl.org #4115] [PATCH] Remove remaining FIPS code

Alessandro Ghedini
On Sat, Oct 31, 2015 at 08:34:33am -0400, Steve Marquess wrote:

> On 10/31/2015 08:26 AM, Alessandro Ghedini via RT wrote:
> > Hi,
> >
> > I don't know what your intentions are with FIPS support in master, ...
>
> We would like to continue to provide a FIPS validated module for the 1.1
> (and subsequent) releases. Unfortunately the current module ("OpenSSL
> FIPS Object Module 2.0") designed for compatibility with the 1.0
> releases won't be compatible with 1.1. That means we need to obtain a
> new validation for a new module, an endeavor fraught with many
> difficulties (none of them technical).
>
> I do expect the stars will align for that eventually, as they have for
> the five previous open source based validations. In the interim, since
> the FIPS module is shaped almost entirely by policy and metaphysical
> considerations, we should not include any incomplete FIPS specific code
> in 1.1 -- code that even if complete in some speculative sense would
> also be unusable absent a matching FIPS 140-2 validation.

So, does the above mean that my patch is not going to be merged?

Cheers


Re: [openssl.org #4115] [PATCH] Remove remaining FIPS code

Salz, Rich

> So, does the above mean that my patch is not going to be merged?

No.  It will be.