[openssl-dev] [openssl.org #3978] RE: Openssl 1.0.2c include the FIPS 140-2 Object Module

Patil, Ashwini IN BLR STS ashwini.vpatil at siemens.com
Mon Aug 17 06:35:55 UTC 2015


Hi Mr. Stephen N. Henson,



Thank you so much for the reply.



We would like to use option 1 mentioned by you. But unfortunately the DLLs were not generated; only static libs were generated.

Please guide if we have missed any steps.



=====================================================

Procedure for FIPS Enabled OpenSSL Module Compilation

=====================================================



    =================================

    1. Compile openssl-fips2.0.9 module

    =================================

        a. Extract the contents of openssl-fips-2.0.9.tar.gz to C:\openssl-fips-2.0\

        b. Open Visual Studio 2008 Command Prompt.

        c. cd C:\openssl-fips2.0.9\

        d. Copy all the contents of "C:\Program Files\NASM" in this source folder

        e. ms\do_fips [no-asm] (nmake -f ms\ntdll.mak  &  nmake -f ms\ntdll.mak install are included in this command)



        Compiled FIPS module is located at C:\usr\local\ssl\fips-2.0



    =======================================================

    2. Integrate compiled openssl-fips2.0.9 in openssl-1.0.2c

    =======================================================

        a. Extract the contents of openssl-1.0.2c.tar.gz to C:\openssl-1.0.2c-fips-compliant\

        b. Open Visual Studio 2008 Command Prompt.

        c. cd C:\openssl-1.0.2c-fips-compliant\

        d. Copy all the contents of "C:\Program Files\NASM" in this source folder



        e. perl Configure VC-WIN32 fips --with-fipslibdir=C:\usr\local\ssl\fips-2.0.9

        f. ms\do_nasm

        g. nmake -f ms\nt.mak

        h. For Testing, use the following command: nmake -f ms\nt.mak test

        i. nmake -f ms\nt.mak install

        j. (If you want to create DLL files, then use the following commands: nmake -f ms\ntdll.mak && nmake -f ms\ntdll.mak install)

        k. Compiled FIPS compliant OpenSSL exe is located at C:\usr\local\ssl\bin\openssl.exe

        l. Run C:\usr\local\ssl\bin\openssl.exe and type "version". You will get the following output.

            =======================================

            ****OpenSSL 1.0.2c-fips 11 Feb 2013****

            =======================================

        m. Compiled FIPS compliant OpenSSL fipslibeay32.lib, ssleay32.lib & libeaycompat32.lib are located at C:\openssl-1.0.2c-fips-compliant\out32

        n. Compiled FIPS compliant OpenSSL fipslibeay32.dll & ssleay32.dll are located at C:\openssl-1.0.2c-fips-compliant\out32



        But for step n, fipslibeay32.dll was not generated. Please let me know if the DLL will be generated with some other naming convention, or if some procedure was missing.



      Your help is most appreciated. Please do not close the call.



Thanks & Regards

Ashwini V Patil





-----Original Message-----
From: Stephen Henson via RT [mailto:rt at openssl.org]
Sent: Friday, August 14, 2015 7:23 PM
To: Patil, Ashwini IN BLR STS
Cc: openssl-dev at openssl.org
Subject: [openssl.org #3978] RE: Openssl 1.0.2c include the FIPS 140-2 Object Module



On Tue Aug 04 03:24:21 2015, ashwini.vpatil at siemens.com wrote:

> Hello All,

>

> Following steps are done to check the FIPS feasibility.

>

> To check ASLR dependency the following link was referred.

> http://openssl.6102.n7.nabble.com/FIPS-Module-1-2-build-with-Visual-Studio-2010-fails-self-tests-td36372.html

>

> Linker properties were changed in visual studio 2008 for the test

> application executable file.

> The following flag was disabled ( which was enabled by default in

> 2008VS)

> Linker > Advanced Properties > Disable the "Randomized Base Address" property

>

> I have followed the below steps:

>

> Integration of FIPS Compliant compiled OPENSSL Library with Visual Studio 2008

> ====================================================================

>

> 1. Open Visual Studio 2008

>

> 2. File => New => Project => Visual C++ => Win 32 => Win32 Console

> Application=> Next => Empty Project => Finish

>

> 3. Right Click on source file => Add => Existing Items => C:\openssl-fips-2.0\fips\hmac\fips_hmactest.c

>

> 4. Right Click on Resources File => Add => Existing Items => libeayfips32.lib, ssleay32.lib & libeaycompat32.lib (from C:\openssl-1.0.2c-fips-compliant\out32) and C:\openssl-1.0.2c-simple\out32\libeay32.lib (OpenSSL simple Version)

>

> 5. Right Click on fips_hmactest.c=> Properties => C++ => General =>

> Additional Include Directories : C:\usr\local\ssl\include => Finish

>

> 6. Compile the Project => Works Fine

>

> We get the below error when we run the exe:

> ERROR:2D06B06F:LIB-45,FUNC=107,REASON=111:FILE=fips.c line=232

>

> FIPSerr(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);

>



Your problem is that your link procedure doesn't embed the incore fingerprint in the target binary.



You have two options.



The easiest is to link against the FIPS capable OpenSSL shared library instead of the static one: the signature is already in the DLL so it should just work.



The second and much harder option is to follow the appropriate link procedure to embed a signature in the target binary. There is a perl script called fipslink.pl in the FIPS module which does this and examples in the static makefile ms\nt.mak. You would have to customise the VC build procedure to do something similar and/or link using a script instead.



Closing this as it isn't a bug report, please address and follow up to openssl-users.



Steve.

--

Dr Stephen N. Henson. OpenSSL project core developer.

Commercial tech support now available see: http://www.openssl.org
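
The following is an added illustration, not part of the original thread and not code from the OpenSSL project: a simplified Python model of why a plain static link fails the incore fingerprint self-test while a two-pass link (the approach the reply attributes to fipslink.pl) passes, plus a decoder for the packed error code quoted above. The key, the byte strings and all function names are constructed for the example; the real module's key, covered regions and link steps differ.

```python
import hashlib
import hmac

# Constructed stand-ins: a demo key and an all-zero 20-byte signature slot.
HMAC_KEY = b"constructed-demo-key"
PLACEHOLDER = b"\x00" * 20


def fingerprint(module_code: bytes) -> bytes:
    """HMAC-SHA1 over the module's code region (signature slot excluded)."""
    return hmac.new(HMAC_KEY, module_code, hashlib.sha1).digest()


def link(module: bytes, app: bytes, signature: bytes = PLACEHOLDER) -> dict:
    """Toy linker: place module and application code in one image with a signature."""
    return {"module": module, "app": app, "sig": signature}


def two_pass_link(module: bytes, app: bytes) -> dict:
    """Link with a placeholder, measure the module as linked, relink with the value."""
    first = link(module, app)
    return link(module, app, fingerprint(first["module"]))


def self_test(image: dict) -> bool:
    """Startup check: recompute the fingerprint and compare with the embedded one."""
    return hmac.compare_digest(fingerprint(image["module"]), image["sig"])


def decode_err(code: int) -> tuple:
    """Split an OpenSSL 1.0.x packed error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


if __name__ == "__main__":
    module = b"<fips module object code>"   # constructed
    app = b"<test application object code>"  # constructed
    print("plain static link passes:", self_test(link(module, app)))
    print("two-pass link passes:    ", self_test(two_pass_link(module, app)))
    print("2D06B06F ->", decode_err(0x2D06B06F))
```

The decoded triple matches the LIB-45, FUNC=107, REASON=111 fields in the quoted error line. In the shared-library case the signed region and its signature both live in the DLL, so the application's own link step does not need a second pass.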

