[openssl-dev] Openssl 1.0.2c include the FIPS 140-2 Object Module

Dr. Matthias St. Pierre Matthias.St.Pierre at ncp-e.com
Fri Aug 14 06:12:58 UTC 2015


Hello Jan,

thank you for sharing your observations and your patch. I stumbled over it,
because we are currently having a similar problem with our Windows builds producing
these "OPENSSL_Uplink/no OPENSSL_Applink" errors.

However, I'm in doubt whether your patch really fixes the cause of the problem
or just the symptoms. I believe that there must be a fix for the problem without
modifying the sequestered code of the fips module.

You say that FIPS 140-2 was broken by the introduction of applink.c.

However, the applink.c module was introduced way back in 2004, and nevertheless
OpenSSL 1.0.1 and the FIPS 2.0.9 module have built happily together on Windows ever since
(and you can see in the build logs that '-DOPENSSL_USE_APPLINK' appears a lot).

Even OpenSSL 1.0.2 and FIPS 2.0.9 build together perfectly on our Windows machines
with VS2012. Only after migrating to VS2015 did we start to have this problem.

So I am quite sure that the true cause of the problem does not lie in incompatible
changes between 1.0.1 and 1.0.2; the problem must lie elsewhere. But unfortunately,
I have no solution yet.

If you (or anybody else) disagree(s), I would be happy to hear from you.

Regards,

Matthias

On 07/11/2015 06:08 PM, Jan Ehrhardt wrote:
> Steve Marquess in gmane.comp.encryption.openssl.devel (Wed, 01 Jul 2015
> 09:53:14 -0400):
>> On 07/01/2015 02:24 AM, Patil, Ashwini IN BLR STS wrote:
>>> Hello All,
>>>  
>>> Please let me know if openssl-1.0.2c includes FIPS 140-2 Object Module.
>>> Also please explain how to validate the application.
>>
>> This question would be more appropriate for the openssl-users list. The
>> -dev list is for OpenSSL development issues, not for basic usage questions.
> 
> Patil has a point, because FIPS 140-2 building on Windows is broken
> since the introduction of applink.c. The generated fips_premain_dso.exe
> fails during the building process:
> 
> link /nologo /subsystem:console /opt:ref /debug /dll /fixed /map
> /base:0xFB00000 /out:out32dll\libeay32.dll /def:ms/LIBEAY32.def
> @D:\Temp\nmB1D5.tmp
>    Creating library out32dll\libeay32.lib and object
> out32dll\libeay32.exp
> out32dll\fips_premain_dso.exe out32dll\libeay32.dll
> OPENSSL_Uplink(00CBB000,08): no OPENSSL_Applink
> Get hash failure at \usr\local\ssl\fips-2.0\bin\fipslink.pl line 60.
> NMAKE : fatal error U1077: 'C:\Perl64\bin\perl.EXE' : return code '0x1'
> 
> Outside of the building script the error is the same:
> C:\openssl>out32dll\fips_premain_dso.exe out32dll\libeay32.dll
> OPENSSL_Uplink(010CB000,08): no OPENSSL_Applink
> 
> Solution: fips/fips_premain.c in the FIPS sources should include
> applink.c on Windows
> 
> I managed to build a fips_premain_dso.exe with Applink and use that to
> create Openssl 1.0.2d fips, but this was certainly not without breaking
> the FIPS rules.
> 
> It is time for openssl-fips-2.0.10
> 

