<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.5pt;
font-family:Consolas;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:Consolas;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoPlainText>Hi Mr. Stephen N. Henson,<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Thankyou so much for the reply.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>We would like to use the option1 mentioned by you. But unfortunately the dll's were not generated, only static lib's were generated.<o:p></o:p></p><p class=MsoPlainText>Please guide if we have missed any steps.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>===================================================== <o:p></o:p></p><p class=MsoPlainText>Procedure for FIPS Enabled OpenSSL Module Compilation <o:p></o:p></p><p class=MsoPlainText>===================================================== <o:p></o:p></p><p class=MsoPlainText> <o:p></o:p></p><p class=MsoPlainText> ================================= <o:p></o:p></p><p class=MsoPlainText> 1. Compile openssl-fips2.0.9 module <o:p></o:p></p><p class=MsoPlainText> =================================<o:p></o:p></p><p class=MsoPlainText> a. Extract the contents of openssl-fips-2.0.9.tar.gz to C:\openssl-fips-2.0\ <o:p></o:p></p><p class=MsoPlainText> b. Open Visual Studio 2008 Command Prompt. <o:p></o:p></p><p class=MsoPlainText> c. cd C:\openssl-fips2.0.9\ <o:p></o:p></p><p class=MsoPlainText> d. Copy all the contents of "C:\Program Files\NASM" in this source folder <o:p></o:p></p><p class=MsoPlainText> e. ms\do_fips [no-asm] (nmake -f ms\ntdll.mak & nmake -f ms\ntdll.mak install are included in this command) <o:p></o:p></p><p class=MsoPlainText> <o:p></o:p></p><p class=MsoPlainText> Compiled FIPS module is located at C:\usr\local\ssl\fips-2.0 <o:p></o:p></p><p class=MsoPlainText> <o:p></o:p></p><p class=MsoPlainText> ======================================================= <o:p></o:p></p><p class=MsoPlainText> 2. Integrate compiled openssl-fips2.0.9 in openssl-1.0.2c <o:p></o:p></p><p class=MsoPlainText> =======================================================<o:p></o:p></p><p class=MsoPlainText> a. Extract the contents of openssl-1.0.2c.tar.gz to C:\openssl-1.0.2c-fips-compliant\ <o:p></o:p></p><p class=MsoPlainText> b. Open Visual Studio 2008 Command Prompt. <o:p></o:p></p><p class=MsoPlainText> <span lang=ES>c. cd C:\openssl-1.0.2c-fips-compliant\ <o:p></o:p></span></p><p class=MsoPlainText><span lang=ES> </span>d. Copy all the contents of "C:\Program Files\NASM" in this source folder <o:p></o:p></p><p class=MsoPlainText> <o:p></o:p></p><p class=MsoPlainText> e. perl Configure VC-WIN32 fips --with-fipslibdir=C:\usr\local\ssl\fips-2.0.9 <o:p></o:p></p><p class=MsoPlainText> f. ms\do_nasm <o:p></o:p></p><p class=MsoPlainText> g. nmake -f ms\nt.mak <o:p></o:p></p><p class=MsoPlainText> h. For Testing, use the following command: nmake -f ms\nt.mak test <o:p></o:p></p><p class=MsoPlainText> i. nmake -f ms\nt.mak install <o:p></o:p></p><p class=MsoPlainText> j. (If you want to create DLL files then Use the following commands nmake -f ms\ntdll.mak && nmake -f ms\ntdll.mak install) <o:p></o:p></p><p class=MsoPlainText> k. Compiled FIPS compliant OpenSSL exe is located at C:\usr\local\ssl\bin\openssl.exe <o:p></o:p></p><p class=MsoPlainText> l. Run C:\usr\local\ssl\bin\openssl.exe and type "version". You will be confirmed to get the following output. <o:p></o:p></p><p class=MsoPlainText> ======================================= <o:p></o:p></p><p class=MsoPlainText> ****OpenSSL 1.0.2c-fips 11 Feb 2013**** <o:p></o:p></p><p class=MsoPlainText> ======================================= <o:p></o:p></p><p class=MsoPlainText> m. Compiled FIPS compliant OpenSSL fipslibeay32.lib, ssleay32.lib & libeaycompat32.lib are located at C:\openssl-1.0.2c-fips-compliant\out32 <o:p></o:p></p><p class=MsoPlainText> n. Compiled FIPS compliant OpenSSL fipslibeay32.dll & ssleay32.dll are located at C:\openssl-1.0.2c-fips-compliant\out32 <o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> <span style='background:aqua;mso-highlight:aqua'>But for the step-n fipslibeay32.dll was not generated. Please let me know if the dll will be generated with some other naming convention. Or some procedure was missing.</span><o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> Your help is most appreciated. Please do not close the call.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Thanks&Regards<o:p></o:p></p><p class=MsoPlainText>Ashwini V Patil <o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>-----Original Message-----<br>From: Stephen Henson via RT [mailto:rt@openssl.org] <br>Sent: Friday, August 14, 2015 7:23 PM<br>To: Patil, Ashwini IN BLR STS<br>Cc: openssl-dev@openssl.org<br>Subject: [openssl.org #3978] RE: Openssl 1.0.2c include the FIPS 140-2 Object Module<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>On Tue Aug 04 03:24:21 2015, <a href="mailto:ashwini.vpatil@siemens.com"><span style='color:windowtext;text-decoration:none'>ashwini.vpatil@siemens.com</span></a> wrote:<o:p></o:p></p><p class=MsoPlainText>> Hello All,<o:p></o:p></p><p class=MsoPlainText>><o:p> </o:p></p><p class=MsoPlainText>> Following steps are done to check the FIPS feasibility .<o:p></o:p></p><p class=MsoPlainText>><o:p> </o:p></p><p class=MsoPlainText>> To check ASLR dependency the following link was referred.<o:p></o:p></p><p class=MsoPlainText>> <a href="http://openssl.6102.n7.nabble.com/FIPS-Module-1-2-build-with-Visual-"><span style='color:windowtext;text-decoration:none'>http://openssl.6102.n7.nabble.com/FIPS-Module-1-2-build-with-Visual-</span></a><o:p></o:p></p><p class=MsoPlainText>> Studio-2010-fails-self-tests-td36372.html<o:p></o:p></p><p class=MsoPlainText>><o:p> </o:p></p><p class=MsoPlainText>> Linker properties were changed in visual studio 2008 for the test <o:p></o:p></p><p class=MsoPlainText>> application executable file.<o:p></o:p></p><p class=MsoPlainText>> The following flag was disabled ( which was enabled by default in<o:p></o:p></p><p class=MsoPlainText>> 2008VS)<o:p></o:p></p><p class=MsoPlainText>> Linker> Advanced Properties>Disable the "Randomized Base Address <o:p></o:p></p><p class=MsoPlainText>> Linker> property "<o:p></o:p></p><p class=MsoPlainText>><o:p> </o:p></p><p class=MsoPlainText>> I have followed the below steps Integration of FIPS Complaint compiled <o:p></o:p></p><p class=MsoPlainText>> OPENSSL Library with Visual Studio 2008 <o:p></o:p></p><p class=MsoPlainText>> ====================================================================<o:p></o:p></p><p class=MsoPlainText>><o:p> </o:p></p><p class=MsoPlainText>> 1. Open Visual Studio 2008<o:p></o:p></p><p class=MsoPlainText>><o:p> </o:p></p><p class=MsoPlainText>> 2. File => New => Project => Visual C++ => Win 32 => Win32 Console <o:p></o:p></p><p class=MsoPlainText>> Application=> Next => Empty Project => Finish<o:p></o:p></p><p class=MsoPlainText>><o:p> </o:p></p><p class=MsoPlainText>> 3. Right Click on source file => Add => Existing Items => C:\openssl- <o:p></o:p></p><p class=MsoPlainText>> fips-2.0\fips\hmac\fips_hmactest.c<o:p></o:p></p><p class=MsoPlainText>><o:p> </o:p></p><p class=MsoPlainText>> 4. Right Click on Resources File => Add => Existing Items => <o:p></o:p></p><p class=MsoPlainText>> libeayfips32.lib, ssleay32.lib & libeaycompat32.lib (from C:\openssl-<o:p></o:p></p><p class=MsoPlainText>> 1.0.2c-fips-compliant\out32) and C:\openssl-1.0.2c- <o:p></o:p></p><p class=MsoPlainText>> simple\out32\libeay32.lib (OpenSSL simple Version)<o:p></o:p></p><p class=MsoPlainText>><o:p> </o:p></p><p class=MsoPlainText>> 5. Right Click on fips_hmactest.c=> Properties => C++ => General => <o:p></o:p></p><p class=MsoPlainText>> Additional Include Directories : C:\usr\local\ssl\include => Finish<o:p></o:p></p><p class=MsoPlainText>><o:p> </o:p></p><p class=MsoPlainText>> 6. Compile the Project => Works Fine<o:p></o:p></p><p class=MsoPlainText>><o:p> </o:p></p><p class=MsoPlainText>> We get the below error when run the exe:<o:p></o:p></p><p class=MsoPlainText>> ERROR:2D06B06F:LIB-45,FUNC=107,REASON=111:FILE=fips.c line=232<o:p></o:p></p><p class=MsoPlainText>><o:p> </o:p></p><p class=MsoPlainText>FIPSerr(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);<o:p></o:p></p><p class=MsoPlainText>><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Your problem is that your link procedure doesn't embed the incore fingerprint in the target binary.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>You have two options.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>The easiest is to link against the FIPS capable OpenSSL shared library instead of the static one: the signature is already in the DLL so it should just work.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>The second and much harder option is to follow the appropriate link procedure to embed a signature in the target binary. There is a perl script called fipslink.pl in the FIPS module which does this and examples in the static makefile ms\nt.mak. You would have to customise the VC build procedure to do something similar and/or link using a script instead.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Closing this as it isn't a bug report, please address and follow up to openssl-users.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Steve.<o:p></o:p></p><p class=MsoPlainText>--<o:p></o:p></p><p class=MsoPlainText>Dr Stephen N. Henson. OpenSSL project core developer.<o:p></o:p></p><p class=MsoPlainText>Commercial tech support now available see: <a href="http://www.openssl.org"><span style='color:windowtext;text-decoration:none'>http://www.openssl.org</span></a><o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p></div></body></html>