[Bug 2056593] Re: [FFE] FIPS compatibility patches
Adrien Nader
2056593 at bugs.launchpad.net
Fri Mar 15 11:19:16 UTC 2024
** Description changed:
We have an open MR with a handful of FIPS compatibilty changes we wore hoping
to get into 24.04. The main purpose of the changes is to detect whether the
kernel is running in FIPS mode and adjust the behavior of the library
accordingly by loading the correct provider backend and using defaults that
are FIPS compliant (no md5, DES etc) instead trying to use non-compliant code
paths and crashing.
The proposed patches were taken from the OpenSSL version shipped in the FIPS
archive at esm.ubuntu.com for 22.04. Having them in the regular archive will
reduce the maintenance work significantly. None of the changes should have any
impact on running OpenSSL in regular (non-fips) mode.
Below is a detailed list of the changes:
- d/p/fips/crypto-Add-kernel-FIPS-mode-detection.patch:
- This adds a new internal API to determine whether the kernel has been booted
- in FIPS mode. This can be overridden with the OPENSSL_FORCE_FIPS_MODE
- environment variable. OPENSSL_FIPS_MODE_SWITCH_PATH can be used to specify an
- alternative path for the fips_enabled file and is used in tests.
- The FIPS_MODULE switch can be used to enable build of the the FIPS provider
- module specific parts which are not needed in the OpenSSL library itself.
+ This adds a new internal API to determine whether the kernel has been booted
+ in FIPS mode. This can be overridden with the OPENSSL_FORCE_FIPS_MODE
+ environment variable. OPENSSL_FIPS_MODE_SWITCH_PATH can be used to specify an
+ alternative path for the fips_enabled file and is used in tests.
+ The FIPS_MODULE switch can be used to enable build of the the FIPS provider
+ module specific parts which are not needed in the OpenSSL library itself.
- d/p/fips/crypto-Automatically-use-the-FIPS-provider-when-the-kerne.patch:
- This automatically configures all library contexts to use the FIPS provider when
- the kernel is booted in FIPS mode by:
- - Setting "fips=yes" as the default property for algorithm fetches
- - Loading and activating the FIPS provider as the fallback provider.
+ This automatically configures all library contexts to use the FIPS provider when
+ the kernel is booted in FIPS mode by:
+ - Setting "fips=yes" as the default property for algorithm fetches
+ - Loading and activating the FIPS provider as the fallback provider.
- If applications load providers via a configuration either because the default
- configuration is modified or they override the default configuration, this
- disables loading of the fallback providers. In this case, the configuration
- must load the FIPS provider when FIPS mode is enabled, else algorithm fetches
- will fail
+ If applications load providers via a configuration either because the default
+ configuration is modified or they override the default configuration, this
+ disables loading of the fallback providers. In this case, the configuration
+ must load the FIPS provider when FIPS mode is enabled, else algorithm fetches
+ will fail
- Applications can choose to use non-FIPS approved algorithms by specifying the
- "-fips" or "fips=no" property for algorithm fetches and loading the default
- provider.
+ Applications can choose to use non-FIPS approved algorithms by specifying the
+ "-fips" or "fips=no" property for algorithm fetches and loading the default
+ provider.
- d/p/fips/apps-speed-Omit-unavailable-algorithms-in-FIPS-mode.patch:
- Omit unavailable algorithms in FIPS mode
+ Omit unavailable algorithms in FIPS mode
- d/p/fips/apps-pass-propquery-arg-to-the-libctx-DRBG-fetches.patch
- The -propquery argument might be used to define a preference for which provider
- an algorithm is fetched from. Set the query properties for the library context
- DRBG fetches as well so that they are fetched with the same properties.
+ The -propquery argument might be used to define a preference for which provider
+ an algorithm is fetched from. Set the query properties for the library context
+ DRBG fetches as well so that they are fetched with the same properties.
- d/p/fips/test-Ensure-encoding-runs-with-the-correct-context-during.patch:
- This test uses 2 library contexts - one context for creating initial test keys,
- and then another context (or the default context) for running tests. There is an
- issue that during the encoding tests, the OSSL_ENCODER_CTX is created from the
- created EVP_PKEYs, which are associated with the library context used to create
- the keys. This means that encoding tests run with the wrong library context,
- which always uses the default provider.
+ This test uses 2 library contexts - one context for creating initial test keys,
+ and then another context (or the default context) for running tests. There is an
+ issue that during the encoding tests, the OSSL_ENCODER_CTX is created from the
+ created EVP_PKEYs, which are associated with the library context used to create
+ the keys. This means that encoding tests run with the wrong library context,
+ which always uses the default provider.
- The link for the MR is at
+ These changes are now included in a larger MR with other changes in the
+ same package version:
+ https://code.launchpad.net/~adrien-n/ubuntu/+source/openssl/+git/openssl/+merge/462486
+
+ The now-superseded MR is at
https://code.launchpad.net/~tobhe/ubuntu/+source/openssl/+git/openssl/+merge/460953
Since OpenSSL just received another big update to 3.0.13 we had to rebase our changes
and will have to rerun our install/upgrade tests.
A test build is also available at
https://launchpad.net/~tobhe/+archive/ubuntu/openssl-test/
** Changed in: openssl (Ubuntu)
Milestone: None => ubuntu-24.03
** Changed in: openssl (Ubuntu)
Milestone: ubuntu-24.03 => ubuntu-24.04
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2056593
Title:
[FFE] FIPS compatibility patches
Status in openssl package in Ubuntu:
New
Bug description:
We have an open MR with a handful of FIPS compatibilty changes we wore hoping
to get into 24.04. The main purpose of the changes is to detect whether the
kernel is running in FIPS mode and adjust the behavior of the library
accordingly by loading the correct provider backend and using defaults that
are FIPS compliant (no md5, DES etc) instead trying to use non-compliant code
paths and crashing.
The proposed patches were taken from the OpenSSL version shipped in the FIPS
archive at esm.ubuntu.com for 22.04. Having them in the regular archive will
reduce the maintenance work significantly. None of the changes should have any
impact on running OpenSSL in regular (non-fips) mode.
Below is a detailed list of the changes:
- d/p/fips/crypto-Add-kernel-FIPS-mode-detection.patch:
This adds a new internal API to determine whether the kernel has been booted
in FIPS mode. This can be overridden with the OPENSSL_FORCE_FIPS_MODE
environment variable. OPENSSL_FIPS_MODE_SWITCH_PATH can be used to specify an
alternative path for the fips_enabled file and is used in tests.
The FIPS_MODULE switch can be used to enable build of the the FIPS provider
module specific parts which are not needed in the OpenSSL library itself.
- d/p/fips/crypto-Automatically-use-the-FIPS-provider-when-the-kerne.patch:
This automatically configures all library contexts to use the FIPS provider when
the kernel is booted in FIPS mode by:
- Setting "fips=yes" as the default property for algorithm fetches
- Loading and activating the FIPS provider as the fallback provider.
If applications load providers via a configuration either because the default
configuration is modified or they override the default configuration, this
disables loading of the fallback providers. In this case, the configuration
must load the FIPS provider when FIPS mode is enabled, else algorithm fetches
will fail
Applications can choose to use non-FIPS approved algorithms by specifying the
"-fips" or "fips=no" property for algorithm fetches and loading the default
provider.
- d/p/fips/apps-speed-Omit-unavailable-algorithms-in-FIPS-mode.patch:
Omit unavailable algorithms in FIPS mode
- d/p/fips/apps-pass-propquery-arg-to-the-libctx-DRBG-fetches.patch
The -propquery argument might be used to define a preference for which provider
an algorithm is fetched from. Set the query properties for the library context
DRBG fetches as well so that they are fetched with the same properties.
- d/p/fips/test-Ensure-encoding-runs-with-the-correct-context-during.patch:
This test uses 2 library contexts - one context for creating initial test keys,
and then another context (or the default context) for running tests. There is an
issue that during the encoding tests, the OSSL_ENCODER_CTX is created from the
created EVP_PKEYs, which are associated with the library context used to create
the keys. This means that encoding tests run with the wrong library context,
which always uses the default provider.
These changes are now included in a larger MR with other changes in
the same package version:
https://code.launchpad.net/~adrien-n/ubuntu/+source/openssl/+git/openssl/+merge/462486
The now-superseded MR is at
https://code.launchpad.net/~tobhe/ubuntu/+source/openssl/+git/openssl/+merge/460953
Since OpenSSL just received another big update to 3.0.13 we had to rebase our changes
and will have to rerun our install/upgrade tests.
A test build is also available at
https://launchpad.net/~tobhe/+archive/ubuntu/openssl-test/
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2056593/+subscriptions
More information about the foundations-bugs
mailing list