FIPS: remove algorithms that are not being validated. #11602

Closed
wants to merge 2 commits into from


@paulidale paulidale commented Apr 22, 2020

Several MACs and one KDF are included in the FIPS provider with the property
"fips=yes" set but are not listed as being part of the OpenSSL validation.

This removes them from the FIPS provider.
@paulidale paulidale added this to the 3.0.0 milestone Apr 22, 2020
@levitte levitte added this to Reviewer approved in 3.0 New Core + FIPS via automation Apr 22, 2020

@paulidale paulidale commented Apr 22, 2020

I've amended this to also include KMAC.
Re-review required.

@paulidale paulidale dismissed levitte’s stale review Apr 22, 2020

Also removed KMAC

3.0 New Core + FIPS automation moved this from Reviewer approved to Needs review Apr 22, 2020
3.0 New Core + FIPS automation moved this from Needs review to Reviewer approved Apr 22, 2020

@slontis slontis commented Apr 22, 2020

Hmm, SSKDF supports hash, HMAC or KMAC. (Guess it is ok to only do a subset.)


@paulidale paulidale commented Apr 22, 2020

I don't see much point including KMAC for SSKDF in the FIPS provider unless it (KMAC) is validated.


@richsalz richsalz commented Apr 22, 2020

Can you explain why "fips=no" doesn't work? And how does just editing the table remove things from the provider? I'm not questioning that this is a way to do it, but I think that eventually we will need the kind of documentation that I am seeking here. Thanks.


@paulidale paulidale commented Apr 22, 2020

"fips=no" might work but it increases the size of the FIPS provider. The ecx are only in because the sponsors expected and insisted it was.

Taking them out of the table removes them because of ld doing its job.
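
A simplified model of the two options discussed in this exchange, added here as an illustration and not taken from OpenSSL or from this PR: the `alg_entry` type, the `fetch` function, the table contents and the stub implementations are all hypothetical. It contrasts marking an entry "fips=no" with deleting it from the table, where no remaining reference lets the linker leave the implementation out.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model of a provider algorithm table, not OpenSSL's real types. */
typedef struct {
    const char *name;   /* algorithm name */
    const char *props;  /* property definition, e.g. "fips=yes" */
    int (*impl)(void);  /* reference that keeps the code linked in */
} alg_entry;

/* Hypothetical stand-ins for the real implementations. */
static int hmac_impl(void) { return 1; }
static int kmac_impl(void) { return 2; }

/* Option A: keep KMAC in the table but mark it fips=no. */
static const alg_entry table_fips_no[] = {
    { "HMAC", "fips=yes", hmac_impl },
    { "KMAC", "fips=no",  kmac_impl },  /* still referenced, so still linked */
    { NULL, NULL, NULL }
};

/* Option B (the approach in this PR): drop the entry entirely. */
static const alg_entry table_removed[] = {
    { "HMAC", "fips=yes", hmac_impl },  /* nothing here points at kmac_impl */
    { NULL, NULL, NULL }
};

/* Fetch by name. An empty query matches any entry; otherwise the query
 * must appear in the entry's property string (simplified matching). */
static const alg_entry *fetch(const alg_entry *t, const char *name,
                              const char *query)
{
    for (; t->name != NULL; t++) {
        if (strcmp(t->name, name) != 0)
            continue;
        if (*query == '\0' || strstr(t->props, query) != NULL)
            return t;
    }
    return NULL;
}

int main(void)
{
    /* Option A still serves KMAC to callers that pass no property query;
     * option B serves it to nobody. */
    int a = fetch(table_fips_no, "KMAC", "") != NULL;
    int b = fetch(table_removed, "KMAC", "") != NULL;
    return (a && !b) ? 0 : 1;
}
```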


@openssl-machine openssl-machine commented Apr 23, 2020

24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually.

openssl-machine pushed a commit that referenced this pull request Apr 23, 2020
Several MACs and one KDF are included in the FIPS provider with the property
"fips=yes" set but are not listed as being part of the OpenSSL validation.

This removes them from the FIPS provider.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from #11602)

@mattcaswell mattcaswell commented Apr 23, 2020

Pushed!

3.0 New Core + FIPS automation moved this from Reviewer approved to Done Apr 23, 2020
@paulidale paulidale deleted the paulidale:trim-non-fips branch Apr 23, 2020