fips: allow to customize provider vendor name #24368
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
FIPS providers need to specify identifiable names and versions. Allow
to customize the fips provider name prefix, via VERSION.dat which
already allows to customize version & buildinfo. With this patch
in-place it removes the need of patching code to set customized
provider name.
E.g. echo FIPSVENDOR=ACME >> VERSION.dat, results in
```
$ OPENSSL_CONF=fips-and-base.cnf ../util/wrap.pl ../apps/openssl list -providers --verbose
Providers:
base
name: OpenSSL Base Provider
version: 3.4.0
status: active
build info: 3.4.0-dev
gettable provider parameters:
name: pointer to a UTF8 encoded string (arbitrary size)
version: pointer to a UTF8 encoded string (arbitrary size)
buildinfo: pointer to a UTF8 encoded string (arbitrary size)
status: integer (arbitrary size)
fips
name: ACME OpenSSL FIPS Provider
version: 3.4.0
status: active
build info: 3.4.0-dev
gettable provider parameters:
name: pointer to a UTF8 encoded string (arbitrary size)
version: pointer to a UTF8 encoded string (arbitrary size)
buildinfo: pointer to a UTF8 encoded string (arbitrary size)
status: integer (arbitrary size)
security-checks: integer (arbitrary size)
tls1-prf-ems-check: integer (arbitrary size)
drbg-no-trunc-md: integer (arbitrary size)
```
github-actions
bot
added
the
severity: fips change
t8m
added
branch: master
t8m
reviewed
May 13, 2024
|
Does this intersect the trademark discussions? |
I'm not aware or part of any discussions. So either this question is not addressed to me, or please make me aware of the context. I am assuming the 37 and 21 submissions mentioning OpenSSL are all in compliance with the trademark policy and/or requested permission to use it. This patch simplifies achieving unique naming of individual builds/submissions. If you prefer this to be "fipsname=" override, rather than prefix-prepend, I can change the patch to do that. |
xnox
force-pushed
the
fips-vendor-name
branch
2 times, most recently
from
54a5c15
to
d4f1e00
Compare
Add workflow test that verifies custom FIPSVENDOR name.
|
It was a note for the @openssl/omc ... |
t8m
added
tests: present
mattcaswell
reviewed
May 14, 2024
| @@ -360,6 +360,8 @@ $config{release_date} = $version{RELEASE_DATE} // 'xx XXX xxxx'; | |||
|
|
|||
| $config{version} = "$config{major}.$config{minor}.$config{patch}"; | |||
| $config{full_version} = "$config{version}$config{prerelease}$config{build_metadata}"; | |||
| $config{FIPSVENDOR} = | |||
| (defined $version{FIPSVENDOR} ? "$version{FIPSVENDOR} " : "") . "OpenSSL FIPS Provider"; | |||
There was a problem hiding this comment.
The exact form of this wording needs internal discussion. That might take a while.
|
Placing a hold on this until internal discussions are held. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
FIPS providers need to specify identifiable names and versions. Allow to customize the fips provider name prefix, via VERSION.dat which already allows to customize version & buildinfo. With this patch in-place it removes the need of patching code to set customized provider name.
E.g. echo FIPSVENDOR=ACME >> VERSION.dat, results in