[openssl-dev] [openssl.org #3978] Openssl 1.0.2c include the FIPS 140-2 Object Module

Patil, Ashwini IN BLR STS via RT rt at openssl.org
Thu Aug 13 02:43:40 UTC 2015 

Hello All,

Appreciate for any suggestion.
Currently no clue about the issue.

Thanks&Regards
Ashwini V Patil

_____________________________________________
From: Patil, Ashwini IN BLR STS
Sent: Tuesday, August 04, 2015 8:24 AM
To: 'openssl-dev at openssl.org'; 'openssl-users at openssl.org'; 'rt at openssl.org'
Cc: Inbarajan, Prabhu IN BLR STS; Karunakaran, Sajith IN BLR STS; Reddy, Harshavardhana IN BLR STS; Karunakaran, Sajith IN BLR STS
Subject: RE: Openssl 1.0.2c include the FIPS 140-2 Object Module


Hello All,

Following steps are done to check the FIPS feasibility .

To check ASLR dependency the following link was referred.
http://openssl.6102.n7.nabble.com/FIPS-Module-1-2-build-with-Visual-Studio-2010-fails-self-tests-td36372.html

Linker properties were changed in visual studio 2008 for the test application executable file.
The following flag was disabled ( which was enabled by default in 2008VS)
Linker>Advanced Properties>Disable the "Randomized Base Address property "

I have followed the below steps Integration of FIPS Complaint compiled OPENSSL Library with Visual Studio 2008
====================================================================

1. Open Visual Studio 2008

2. File => New => Project =>  Visual C++ => Win 32 => Win32 Console Application=> Next => Empty Project => Finish

3. Right Click on source file => Add => Existing Items => C:\openssl-fips-2.0\fips\hmac\fips_hmactest.c

4. Right Click on Resources File => Add => Existing Items => libeayfips32.lib, ssleay32.lib & libeaycompat32.lib (from C:\openssl-1.0.1e-fips-compliant\out32) and C:\openssl-1.0.1e-simple\out32\libeay32.lib (OpenSSL simple Version)

5. Right Click on fips_hmactest.c=> Properties => C++ => General => Additional Include Directories : C:\usr\local\ssl\include => Finish

6. Compile the Project => Works Fine

We get the below error when run the exe:
ERROR:2D06B06F:LIB-45,FUNC=107,REASON=111:FILE=fips.c line=232
FIPSerr(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);

Note:
The libleay32.dll preferred address is  0xFB00000 in Q-Build
Its different in case of Syngo normal build 0x10000000.


Regards
Ashwini Patil


_____________________________________________
From: Patil, Ashwini IN BLR STS
Sent: Thursday, July 30, 2015 3:17 PM
To: 'openssl-dev at openssl.org'; 'openssl-users at openssl.org'
Cc: Inbarajan, Prabhu IN BLR STS; Karunakaran, Sajith IN BLR STS
Subject: FW: Openssl 1.0.2c include the FIPS 140-2 Object Module


Hello All,

I have followed the below steps Integration of FIPS Complaint compiled OPENSSL Library with Visual Studio 2008
====================================================================

1. Open Visual Studio 2008

2. File => New => Project =>  Visual C++ => Win 32 => Win32 Console Application=> Next => Empty Project => Finish

3. Right Click on source file => Add => Existing Items => C:\openssl-fips-2.0\fips\hmac\fips_hmactest.c

4. Right Click on Resources File => Add => Existing Items => libeayfips32.lib, ssleay32.lib & libeaycompat32.lib (from C:\openssl-1.0.1e-fips-compliant\out32) and C:\openssl-1.0.1e-simple\out32\libeay32.lib (OpenSSL simple Version)

5. Right Click on fips_hmactest.c=> Properties => C++ => General => Additional Include Directories : C:\usr\local\ssl\include => Finish

6. Compile the Project => Works Fine

The following code was used to set the fips mode in our application.


int mode = FIPS_mode(), ret = 0;
unsigned long err = 0;
if(mode == 0)
{
ret = FIPS_mode_set(1 );
err = ERR_get_error();
}
if(1 != ret)
DisplayError("FIPS_mode_set failed", err);

Get the following error code status:
2D06B06F - (FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT),"FIPS_check_incore_fingerprint"},

Please guide me throught the error.

Kindly share your thoughts and let me know opinion and also provide us the steps how this error can be overcome?


To check ASLR dependency the following link was referred.
http://openssl.6102.n7.nabble.com/FIPS-Module-1-2-build-with-Visual-Studio-2010-fails-self-tests-td36372.html

Linker properties were changed in visual studio 2008 for the test application executable file.
The following flag was disabled ( which was enabled by default in 2008VS)
Linker>Advanced Properties>Disable the "Randomized Base Address property "

There is no change in the error code.
We get the below error when run the exe:
ERROR:2D06B06F:LIB-45,FUNC=107,REASON=111:FILE=fips.c line=232
FIPSerr(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);


Regards
Ashwini Patil


_____________________________________________
From: Patil, Ashwini IN BLR STS
Sent: Friday, July 17, 2015 5:31 PM
To: 'openssl-dev at openssl.org'
Cc: Inbarajan, Prabhu IN BLR STS; CN, Sujai IN BLR STS; Reddy, Harshavardhana IN BLR STS
Subject: RE: Openssl 1.0.2c include the FIPS 140-2 Object Module



Hello All,

I am using windows 7 64-BIT Service Pack 1 OS .
Visual Studio 2008 (Visual studio tool used is normal 32-bit cmd prompt not cross compiler)
Nasm - nasm-2.11.08
Perl - ActivePerl-5.20.1.2000-MSWin32-x86-64int-298557 (1)

I have used the below steps to integrate openssl-fips2.0.9 in openssl-1.0.2c :
Procedure for FIPS Enabled OpenSSL Module Compilation
=====================================================

    =================================
    1. Compile openssl-fips2.0 module
    =================================
        a. Extract the contents of openssl-fips-2.0.9tar.gz to C:\openssl-fips-2.0.9\
        b. Open Visual Studio 2008 Command Prompt.
        c. cd C:\openssl-fips2.0.9\
        d. Copy all the contents of "C:\Program Files\NASM" in this source folder
        e. ms\do_fips [no-asm] (nmake -f ms\ntdll.mak  &  nmake -f ms\ntdll.mak install are included in this command)

        Compiled FIPS module is located at C:\usr\local\ssl\fips-2.0.9

    =======================================================
    2. Integrate compiled openssl-fips2.0.9 in openssl-1.0.2c
    =======================================================
        a. Extract the contents of openssl-1.0.1e.tar.gz to C:\openssl-1.0.2c-fips-compliant\
        b. Open Visual Studio 2008 Command Prompt.
        c. cd C:\openssl-1.0.2c-fips-compliant\
        d. Copy all the contents of "C:\Program Files\NASM" in this source folder

        e. perl Configure VC-WIN32 fips --with-fipslibdir=C:\usr\local\ssl\fips-2.0.9
        f. ms\do_nasm
        g. nmake -f ms\nt.mak
        h. For Testing, use the following command: nmake -f ms\nt.mak test
        i. nmake -f ms\nt.mak install
        j. (If you want to create DLL files then Use the following commands  nmake -f ms\ntdll.mak  &&     nmake -f ms\ntdll.mak install)
        k. Compiled FIPS compliant OpenSSL exe is located at C:\usr\local\ssl\bin\openssl.exe
        l. Run C:\usr\local\ssl\bin\openssl.exe and type "version". You will be confirmed to get the following output.
            =======================================
            ****OpenSSL 1.0.2c-fips 12 June 2015****
            =======================================
        m. Compiled FIPS compliant OpenSSL fipslibeay32.lib, ssleay32.lib & libeaycompat32.lib are located at C:\openssl-1.0.1e-fips-compliant\out32
        n. Compiled FIPS compliant OpenSSL fipslibeay32.dll & ssleay32.dll are located at C:\openssl-1.0.1e-fips-compliant\out32

Build is successful and able to generate fipslibeay32.lib, ssleay32.lib, libeaycompat32.lib & ssleay32.dll.
But fipslibeay32.dll is missing. Please guide me .


When executed the command  nmake -f ms\ntdll.mak  I get the below error for the first time:
nmake -f ms\ntdll.mak

   Creating library out32dll\libeay32.lib and object out32dll\libeay32.exp
out32dll\fips_premain_dso.exe out32dll\libeay32.dll
2796:error:25078067:DSO support routines:WIN32_LOAD:could not load the shared li
brary:.\crypto\dso\dso_win32.c:179:filename(out32dll\libeay32.dll)
2796:error:25070067:DSO support routines:DSO_load:could not load the shared libr
ary:.\crypto\dso\dso_lib.c:232:
Get hash failure at \usr\local\ssl\fips-2.0\bin\fipslink.pl line 60.
NMAKE : fatal error U1077: 'C:\Perl64\bin\perl.EXE' : return code '0x1'
Stop.

Please provide your help for the same.
Please let me know if any steps are missed.

With best regards,
Ashwini V Patil

Siemens Technology and Services Private Limited
CT DC AA HC H1-FH STD IBP 6
84, Hosur Road
Bengaluru 560100, Indien
Mobil: +91 9008132565
mailto:ashwini.vpatil at siemens.com
http://www.siemens.co.in/STS

Registered Office: 130, Pandurang Budhkar Marg, Worli, Mumbai 400 018. Telephone +91 22 39677000. Fax +91 22 39677075. Other Offices: Bengaluru, Chennai, Gurgaon, Noida, Pune. Corporate Identity number:U99999MH1986PLC093854

More information about the openssl-dev mailing list