Re: FIPS compliance efforts in Fedora and RHEL

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


On Wed, 19 Apr 2023, Dmitry Belyavskiy wrote:

> > While I'm sure this is good for RHEL/rawhide users who care about FIPS,
> > Portable OpenSSH won't be able to merge this. We explictly aim to support
> > LibreSSL's libcrypto as well as openssl-1.1.x and neither supports the
> > OSSL_PARAM_BLD API (neither does BoringSSL, though our support for that
> > I'd describe as "best effort").
> >
> > If this changes we can look again.
> Yes, we understand and respect your choice.
> Would it be acceptable in any form being wrapped in necessary #ifdefs ?

No, I think it would be too intrusive.

IMO if we have to support both the new API and the libressl/1.1.1 API
then the only likely acceptable way would be to reimplement the new
API using the old, similar to what we did when moving to the OpenSSL
1.1.x opaque structs while still supporting the 1.0.x API.

I have no idea whether this is even possible, and we wouldn't have the
luxury of being able to use OpenSSL code to do it (as we did last time)
as the license has changed to one that we don't want to accept in the
OpenSSH codebase.

openssh-unix-dev mailing list

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux