[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package
Joy Latten
joy.latten at canonical.com
Wed Apr 13 14:38:20 UTC 2016
Hi Martin,

I will fix the Origin today. I was not sure of the naming convention for
the patches, so I kept the same name as in Fedora but used the version of
openssl that we were patching. If you prefer, I can instead use the exact same
name as Fedora. I actually pulled my patches from Fedora Rawhide's source
tree,
https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/source/tree/Packages/o/
directory. I downloaded the openssl source rpm and the fips patches were in the
SOURCES directory. The SRPM is openssl-1.0.2g-3.fc25.src.rpm. I used this
because it seemed to be the most recent at the time.

I just did a diff with my ctor patch and the one in Fedora's SRPM I used
and it is pretty much the same.

Please advise if I should indicate the above URL in Origin for DEP3 header and
use the exact same patch names.

Also, thanks so much Martin for helping me with all this!! :-)

On Wed, Apr 13, 2016 at 1:48 AM, Martin Pitt <martin.pitt at ubuntu.com> wrote:
> > Dividing up the patch proved to be a challenge but was the right thing
> to do.
>
> Many thanks for doing this!
>
> Can you please fix the "Origin:
> http://dl.fedoraproject.org/pub/fedora/linux/development" fields still?
> They should point to a particular patch in a place like
> http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/tree/, but that does
> not have "openssl-1.0.2g-fips-ctor.patch", only
> "openssl-1.0.2a-fips-ctor.patch". Although the patch there is almost identical, except for
> some patch header noise. So I suppose pointing to those is fine (bonus
> points if you just add the DEP-3 patch header but otherwise leave the
> patch intact, but that's not a biggie).
>
> But e.g. your openssl-1.0.2g-fips-ec.patch has quite a lot of changes
> compared to
> http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/plain/openssl-1.0.2a-fips-ec.patch
> (Note, Ubuntu modifications should go into
> openssl-1.0.2g-ubuntu-fips-cleanup.patch). Same for
> http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/plain/openssl-1.0.2f-new-fips-reqs.patch.
>
> Current Fedora rawhide's package is openssl1.0.2g as well, just like
> ours, so these patches ought to be identical?
>
> Maybe you took them from a different branch, but the Fedora 24 version
> http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/plain/openssl-1.0.2f-new-fips-reqs.patch?h=f24
> is also different than yours.
>
> > Weird, but the fedora patches were not independent of each other.
>
> That's quite normal, and it would actually be a surprise if patches that
> are this big were independent.
>
> I'll upload this now so that we can see the autopkgtests against this
> version, and we have at least a few days of testing this in the wild
> before the final release. But please still clean up the patches as above
> (Origin: and patches differing from Fedora) with a follow-up upload.
>
> Thanks for bearing with me!
>
> ** Changed in: openssl (Ubuntu)
> Status: Incomplete => In Progress
>
> ** Changed in: openssl (Ubuntu)
> Assignee: (unassigned) => Joy Latten (j-latten)
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1553309
>
> Title:
> [FFe]: Include FIPS 140-2 into openssl package
>
> Status in openssl package in Ubuntu:
> In Progress
>
> Bug description:
> This is a request for a Feature Freeze Exception to include FIPS 140-2
> selftest into the openssl package in preparation for the FIPS 140-2
> compliance for 16.0.4.
> This patchset will :
> - add ability to config, compile, run with fips option enabled
> - add the selftest files to crypto/fips directory.
> - minor changes to several algorithms in crypto directory to ensure the
> selftest compile successfully when fips is enabled.
>
> The selftest will be initiated externally at this point and not
> internally.
> Hope to have a test package ready early next week.
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309/+subscriptions
>