[Bug 2073991] Re: Add FIPS defines to Noble OpenSSL header files

Benjamin Drung 2073991 at bugs.launchpad.net
Fri Sep 20 21:15:34 UTC 2024


Sponsored upload to oracular.

** Changed in: openssl (Ubuntu Oracular)
       Status: Won't Fix => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2073991

Title:
  Add FIPS defines to Noble OpenSSL header files

Status in openssl package in Ubuntu:
  Confirmed
Status in openssl source package in Noble:
  Confirmed
Status in openssl source package in Oracular:
  Fix Committed

Bug description:
  Release: Noble
  OpenSSL version: 3.0.13-0ubuntu3.1

  The Noble FIPS release only produces the FIPS provider library. In
  previous versions, like Jammy, the FIPS release also produced a
  libssl-dev that contained the FIPS changes to the header files needed
  for compiling against the FIPS library. For Noble, it was planned to
  rely on the standard libssl-dev release and to have all of the needed
  defines already present in that standard release. In the Atsec review
  of the Noble FIPS release, it was discovered that the FIPS patches
  make changes to three header files which did not get included in the
  standard Noble libssl-dev release. The request is to add these changes
  into the Noble OpenSSL release:

  From 0010-providers-Add-a-FIPS-status-indicator.patch:
  include/openssl/fips_names.h
  /*
   * The module status indicator for the FIPS provider. This is queried from
   * the provider.
   * Type: OSSL_PARAM_INTEGER
   */
  # define UBUNTU_OSSL_PROV_FIPS_PARAM_UNAPPROVED_USAGE "ubuntu.fips-unapproved-usage"

  
  From 0046-signature-Clamp-PSS-salt-len-to-MD-len.patch:
  include/openssl/core_names.h
  #define OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX "auto-digestmax"

  include/openssl/rsa.h
  /* Auto-detect on verify, set salt length to min(maximum possible, digest
   * length) on sign */
  # define RSA_PSS_SALTLEN_AUTO_DIGEST_MAX  -4

  
  From 0049-crypto-dh-perform-a-PCT-during-key-generation.patch:
  include/openssl/self_test.h
  # define UBUNTU_OSSL_SELF_TEST_DESC_PCT_DH  "DH"

  
  Atsec is asking for the "UBUNTU_OSSL_PROV_FIPS_PARAM_UNAPPROVED_USAGE" define, so that is the priority. The other defines were found by searching the FIPS openssl patches for changes to files in the include/openssl directory.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2073991/+subscriptions
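Added example, not part of the bug report or of Ubuntu's openssl packaging: a POSIX sh check that tells you whether an OpenSSL include directory (e.g. /usr/include/openssl from libssl-dev) carries the four defines listed above, so the fix can be verified after upgrading. The function names check_fips_defines and make_sample_incdir are my own; the sample headers the latter writes are constructed from the fragments quoted in the bug.

```shell
#!/bin/sh
# Report which of the four FIPS defines from LP: #2073991 are absent from an
# OpenSSL include directory. Prints one line per missing define; the return
# status is the number of missing defines (0 = headers are complete).
#   check_fips_defines /usr/include/openssl
check_fips_defines() {
    incdir=$1
    missing=0
    # "header define" pairs, as listed in the bug description.
    for pair in \
        "fips_names.h UBUNTU_OSSL_PROV_FIPS_PARAM_UNAPPROVED_USAGE" \
        "core_names.h OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX" \
        "rsa.h RSA_PSS_SALTLEN_AUTO_DIGEST_MAX" \
        "self_test.h UBUNTU_OSSL_SELF_TEST_DESC_PCT_DH"
    do
        file=${pair%% *}
        name=${pair#* }
        # Accept both "#define NAME" and "# define NAME" (OpenSSL indents nested
        # defines) and require the name to end there, so a prefix never matches.
        if ! grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+$name([[:space:]]|\$)" \
                "$incdir/$file" 2>/dev/null; then
            echo "missing: $name ($file)"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample: a scratch include directory holding the header fragments
# quoted in the bug, so the check can run on a machine without Noble/Oracular.
# Pass a define name as $1 to drop it, simulating the unfixed Noble libssl-dev.
make_sample_incdir() {
    dir=$(mktemp -d)
    printf '# define UBUNTU_OSSL_PROV_FIPS_PARAM_UNAPPROVED_USAGE "ubuntu.fips-unapproved-usage"\n' \
        > "$dir/fips_names.h"
    printf '#define OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX "auto-digestmax"\n' \
        > "$dir/core_names.h"
    printf '# define RSA_PSS_SALTLEN_AUTO_DIGEST_MAX  -4\n' > "$dir/rsa.h"
    printf '# define UBUNTU_OSSL_SELF_TEST_DESC_PCT_DH  "DH"\n' > "$dir/self_test.h"
    if [ -n "${1:-}" ]; then
        for f in "$dir"/*.h; do
            grep -v "$1" "$f" > "$f.tmp" || :   # grep exits 1 when nothing remains
            mv "$f.tmp" "$f"
        done
    fi
    echo "$dir"
}
```

On a real system only check_fips_defines is needed; make_sample_incdir exists so the check can be exercised offline.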