[openssl-dev] [openssl.org #3978] Openssl 1.0.2c include the FIPS 140-2 Object Module
Patil, Ashwini IN BLR STS via RT
rt at openssl.org
Thu Aug 13 09:15:43 UTC 2015
Hello All,
fips_standalone_sha1 command can be used to perform the verification of the FIPS Object Module
and to generate the new HMAC-SHA-1 digest for the runtime executable application.
Failure to embed the digest in the executable object will prevent initialization of FIPS mode.
Please guide how to use the above command to verify the FIPS object module.
Any help is appreciated.
Regards
Ashwini Patil
_____________________________________________
From: Patil, Ashwini IN BLR STS
Sent: Thursday, August 13, 2015 12:23 PM
To: 'rt at openssl.org'; 'openssl-dev at openssl.org'; 'openssl-users at openssl.org'
Cc: Inbarajan, Prabhu IN BLR STS; Reddy, Harshavardhana IN BLR STS; CN, Sujai IN BLR STS
Subject: RE: [openssl.org #3978] Openssl 1.0.2c include the FIPS 140-2 Object Module
Hello All,
Some details are given in the below link (page 13).
http://openssl.org/docs/fips/UserGuide-2.0.pdf
HMAC-SHA-1 digest
A HMAC-SHA-1 digest of a file using a specific HMAC key (the ASCII string
"etaonrishdlcupfm"). Such digests are referred to in this document as "digests" or
"fingerprints". The digests are used for integrity checking to verify that the software in question
has not been modified or corrupted from the form originally used as the basis of the FIPS 140-2
validation.
Trying to relate the following error code status from test Application:
2D06B06F - (FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT),"FIPS_check_incore_fingerprint"},
Please guide about this command.
openssl sha1 -hmac etaonrishdlcupfm openssl-fips-2.0.9.tar.gz
Regards
Ashwini Patil
_____________________________________________
From: Patil, Ashwini IN BLR STS
Sent: Thursday, August 13, 2015 8:13 AM
To: 'rt at openssl.org'
Subject: RE: [openssl.org #3978] Openssl 1.0.2c include the FIPS 140-2 Object Module
Hello All,
I would appreciate any suggestions.
Currently I have no clue about the issue.
Thanks & Regards
Ashwini V Patil
_____________________________________________
From: Patil, Ashwini IN BLR STS
Sent: Tuesday, August 04, 2015 8:24 AM
To: 'openssl-dev at openssl.org'; 'openssl-users at openssl.org'; 'rt at openssl.org'
Cc: Inbarajan, Prabhu IN BLR STS; Karunakaran, Sajith IN BLR STS; Reddy, Harshavardhana IN BLR STS; Karunakaran, Sajith IN BLR STS
Subject: RE: Openssl 1.0.2c include the FIPS 140-2 Object Module
Hello All,
The following steps were done to check the FIPS feasibility.
To check ASLR dependency the following link was referred.
http://openssl.6102.n7.nabble.com/FIPS-Module-1-2-build-with-Visual-Studio-2010-fails-self-tests-td36372.html
Linker properties were changed in visual studio 2008 for the test application executable file.
The following flag was disabled (it was enabled by default in VS 2008):
Linker > Advanced Properties > Disable the "Randomized Base Address" property
I have followed the below steps:
Integration of FIPS Compliant compiled OPENSSL Library with Visual Studio 2008
====================================================================
1. Open Visual Studio 2008
2. File => New => Project => Visual C++ => Win 32 => Win32 Console Application=> Next => Empty Project => Finish
3. Right Click on source file => Add => Existing Items => C:\openssl-fips-2.0\fips\hmac\fips_hmactest.c
4. Right Click on Resources File => Add => Existing Items => libeayfips32.lib, ssleay32.lib & libeaycompat32.lib (from C:\openssl-1.0.1e-fips-compliant\out32) and C:\openssl-1.0.1e-simple\out32\libeay32.lib (OpenSSL simple Version)
5. Right Click on fips_hmactest.c=> Properties => C++ => General => Additional Include Directories : C:\usr\local\ssl\include => Finish
6. Compile the Project => Works Fine
We get the below error when we run the exe:
ERROR:2D06B06F:LIB-45,FUNC=107,REASON=111:FILE=fips.c line=232
FIPSerr(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
Note:
The libleay32.dll preferred address is 0xFB00000 in Q-Build
It's different in case of Syngo normal build 0x10000000.
Regards
Ashwini Patil
_____________________________________________
From: Patil, Ashwini IN BLR STS
Sent: Thursday, July 30, 2015 3:17 PM
To: 'openssl-dev at openssl.org'; 'openssl-users at openssl.org'
Cc: Inbarajan, Prabhu IN BLR STS; Karunakaran, Sajith IN BLR STS
Subject: FW: Openssl 1.0.2c include the FIPS 140-2 Object Module
Hello All,
I have followed the below steps:
Integration of FIPS Compliant compiled OPENSSL Library with Visual Studio 2008
====================================================================
1. Open Visual Studio 2008
2. File => New => Project => Visual C++ => Win 32 => Win32 Console Application=> Next => Empty Project => Finish
3. Right Click on source file => Add => Existing Items => C:\openssl-fips-2.0\fips\hmac\fips_hmactest.c
4. Right Click on Resources File => Add => Existing Items => libeayfips32.lib, ssleay32.lib & libeaycompat32.lib (from C:\openssl-1.0.1e-fips-compliant\out32) and C:\openssl-1.0.1e-simple\out32\libeay32.lib (OpenSSL simple Version)
5. Right Click on fips_hmactest.c=> Properties => C++ => General => Additional Include Directories : C:\usr\local\ssl\include => Finish
6. Compile the Project => Works Fine
The following code was used to set the fips mode in our application.
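    /* Needs <openssl/crypto.h> (FIPS_mode, FIPS_mode_set) and <openssl/err.h>. */
    int mode = FIPS_mode(), ret = 1;   /* ret stays 1 when FIPS mode is already on */
    unsigned long err = 0;
    if (mode == 0)
    {
        /* Runs the module self-tests, including the in-core fingerprint check. */
        ret = FIPS_mode_set(1);
        if (1 != ret)
            err = ERR_get_error();     /* read the error queue only on failure */
    }
    if (1 != ret)
        DisplayError("FIPS_mode_set failed", err);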
Get the following error code status:
2D06B06F - (FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT),"FIPS_check_incore_fingerprint"},
Please guide me through the error.
Kindly share your thoughts, let me know your opinion, and also provide us the steps by which this error can be overcome.
To check ASLR dependency the following link was referred.
http://openssl.6102.n7.nabble.com/FIPS-Module-1-2-build-with-Visual-Studio-2010-fails-self-tests-td36372.html
Linker properties were changed in visual studio 2008 for the test application executable file.
The following flag was disabled (which was enabled by default in 2008VS)
Linker > Advanced Properties > Disable the "Randomized Base Address" property
There is no change in the error code.
We get the below error when we run the exe:
ERROR:2D06B06F:LIB-45,FUNC=107,REASON=111:FILE=fips.c line=232
FIPSerr(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
Regards
Ashwini Patil
_____________________________________________
From: Patil, Ashwini IN BLR STS
Sent: Friday, July 17, 2015 5:31 PM
To: 'openssl-dev at openssl.org'
Cc: Inbarajan, Prabhu IN BLR STS; CN, Sujai IN BLR STS; Reddy, Harshavardhana IN BLR STS
Subject: RE: Openssl 1.0.2c include the FIPS 140-2 Object Module
Hello All,
I am using Windows 7 64-bit Service Pack 1 OS.
Visual Studio 2008 (the Visual Studio tool used is the normal 32-bit cmd prompt, not the cross compiler)
Nasm - nasm-2.11.08
Perl - ActivePerl-5.20.1.2000-MSWin32-x86-64int-298557 (1)
I have used the below steps to integrate openssl-fips2.0.9 in openssl-1.0.2c :
Procedure for FIPS Enabled OpenSSL Module Compilation
=====================================================
=================================
1. Compile openssl-fips2.0 module
=================================
a. Extract the contents of openssl-fips-2.0.9tar.gz to C:\openssl-fips-2.0.9\
b. Open Visual Studio 2008 Command Prompt.
c. cd C:\openssl-fips2.0.9\
d. Copy all the contents of "C:\Program Files\NASM" in this source folder
e. ms\do_fips [no-asm] (nmake -f ms\ntdll.mak & nmake -f ms\ntdll.mak install are included in this command)
Compiled FIPS module is located at C:\usr\local\ssl\fips-2.0.9
=======================================================
2. Integrate compiled openssl-fips2.0.9 in openssl-1.0.2c
=======================================================
a. Extract the contents of openssl-1.0.1e.tar.gz to C:\openssl-1.0.2c-fips-compliant\
b. Open Visual Studio 2008 Command Prompt.
c. cd C:\openssl-1.0.2c-fips-compliant\
d. Copy all the contents of "C:\Program Files\NASM" in this source folder
e. perl Configure VC-WIN32 fips --with-fipslibdir=C:\usr\local\ssl\fips-2.0.9
f. ms\do_nasm
g. nmake -f ms\nt.mak
h. For Testing, use the following command: nmake -f ms\nt.mak test
i. nmake -f ms\nt.mak install
j. (If you want to create DLL files then Use the following commands nmake -f ms\ntdll.mak && nmake -f ms\ntdll.mak install)
k. Compiled FIPS compliant OpenSSL exe is located at C:\usr\local\ssl\bin\openssl.exe
l. Run C:\usr\local\ssl\bin\openssl.exe and type "version". You will be confirmed to get the following output.
=======================================
****OpenSSL 1.0.2c-fips 12 June 2015****
=======================================
m. Compiled FIPS compliant OpenSSL fipslibeay32.lib, ssleay32.lib & libeaycompat32.lib are located at C:\openssl-1.0.1e-fips-compliant\out32
n. Compiled FIPS compliant OpenSSL fipslibeay32.dll & ssleay32.dll are located at C:\openssl-1.0.1e-fips-compliant\out32
Build is successful and able to generate fipslibeay32.lib, ssleay32.lib, libeaycompat32.lib & ssleay32.dll.
But fipslibeay32.dll is missing. Please guide me.
When I execute the command nmake -f ms\ntdll.mak, I get the below error for the first time:
nmake -f ms\ntdll.mak
Creating library out32dll\libeay32.lib and object out32dll\libeay32.exp
out32dll\fips_premain_dso.exe out32dll\libeay32.dll
2796:error:25078067:DSO support routines:WIN32_LOAD:could not load the shared library:.\crypto\dso\dso_win32.c:179:filename(out32dll\libeay32.dll)
2796:error:25070067:DSO support routines:DSO_load:could not load the shared library:.\crypto\dso\dso_lib.c:232:
Get hash failure at \usr\local\ssl\fips-2.0\bin\fipslink.pl line 60.
NMAKE : fatal error U1077: 'C:\Perl64\bin\perl.EXE' : return code '0x1'
Stop.
Please provide your help for the same.
Please let me know if any steps are missed.
With best regards,
Ashwini V Patil
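Added example, not part of the original thread and not OpenSSL's own code: a Python sketch that unpacks the packed error code 2D06B06F into the LIB/FUNC/REASON fields shown in the error line, and computes the same keyed HMAC-SHA-1 file digest as the quoted `openssl sha1 -hmac etaonrishdlcupfm` command. The function names are hypothetical and the sample bytes are constructed. The file digest checks a file on disk; the in-core fingerprint that `FIPS_check_incore_fingerprint` compares is a separate value embedded in the executable at link time.

```python
import hashlib
import hmac
import io

# HMAC key quoted from the FIPS User Guide text in the message above.
FIPS_HMAC_KEY = b"etaonrishdlcupfm"

# Names for the numeric fields, taken only from the error lines on this page.
KNOWN_FUNCS = {(45, 107): "FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT"}
KNOWN_REASONS = {(45, 111): "FIPS_R_FINGERPRINT_DOES_NOT_MATCH"}


def decode_openssl_error(code):
    """Split a packed OpenSSL 1.0.x error code into lib/func/reason."""
    lib = (code >> 24) & 0xFF      # top 8 bits: library number
    func = (code >> 12) & 0xFFF    # middle 12 bits: function code
    reason = code & 0xFFF          # low 12 bits: reason code
    return {
        "lib": lib, "func": func, "reason": reason,
        "func_name": KNOWN_FUNCS.get((lib, func), "unknown"),
        "reason_name": KNOWN_REASONS.get((lib, reason), "unknown"),
    }


def fingerprint(stream, key=FIPS_HMAC_KEY, chunk_size=65536):
    """HMAC-SHA-1 of a binary stream, read in chunks; returns lowercase hex."""
    mac = hmac.new(key, digestmod=hashlib.sha1)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        mac.update(chunk)
    return mac.hexdigest()


def matches(stream, expected_hex, key=FIPS_HMAC_KEY):
    """Compare against a published digest string in constant time."""
    expected = expected_hex.strip().lower()
    return hmac.compare_digest(fingerprint(stream, key), expected)


if __name__ == "__main__":
    print(decode_openssl_error(0x2D06B06F))
    # Constructed sample bytes; for a real check pass open(path, "rb").
    sample = io.BytesIO(b"constructed sample bytes, not a real tarball")
    print(fingerprint(sample))
```

For a real distribution file, pass `open(path, "rb")` to `matches()` together with the digest obtained from a trusted source.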