Build the FIPS Object Module issue on Ubuntu 18.04


sreekanth1m
Hi,
I am trying to build the FIPS object module using the fips library openssl-fips-2.0.16 on Ubuntu 18.04 for x86 arch.

The steps below were followed to build the FIPS Object Module:
$ . ./setenv-android.sh
$ cd openssl-fips-2.0.5/
$ ./config
$ make
The first 3 steps are successful: I am able to set the environment paths and run the config, but make fails with the error "cryptlib.h:62:20: fatal error: stdlib.h: No such file or directory" - "#include <stdlib.h>".

I do have the libraries under /usr/include but the make is not looking at the right path.

Below is the error message received:
In file included from cryptlib.c:117:0:
cryptlib.h:62:20: fatal error: stdlib.h: No such file or directory
 #include <stdlib.h>
                    ^
compilation terminated.
<builtin>: recipe for target 'cryptlib.o' failed
make[1]: *** [cryptlib.o] Error 1


Also, attaching the complete error log. Could you please suggest what is the issue and where to change the path reference (in config).

Thanks,
Sreekanth 


Re: Build the FIPS Object Module issue on Ubuntu 18.04

sreekanth1m
I was able to generate the FIPS Object Module - fipscanister.o
fipscanister.o.sha1  fips_premain.c  fips_premain.c.sha1 successfully but
am now stuck in building the FIPS capable library.

Followed the steps below:

$ . ./setenv-android.sh
$ cd openssl-1.0.1e/
Next, fix the makefile and run configure.

$ perl -pi -e 's/install: all install_docs install_sw/install: install_docs install_sw/g' Makefile.org
$ ./config fips shared no-ssl2 no-ssl3 no-comp no-hw no-engine \
  --openssldir=/usr/local/ssl/android-22/ \
  --with-fipsdir=/usr/local/ssl/android-22/ \
  --with-fipslibdir=/usr/local/ssl/android-22/lib/
Then run make depend and make all:

$ make depend
$ make all

make all is resulting in failure with below error message:
/usr/local/ssl/android-22/bin/fipsld: ./fips_premain_dso: not found
Makefile.shared: 169: recipe for target 'link_a.gnu' failed.

please let me know what I am missing.

Thanks




RE: Build the FIPS Object Module issue on Ubuntu 18.04

Dr Paul Dale
Just noting that any module built in this manner is *not* FIPS compliant.

The distribution must be unmodified and build exactly as per the documentation.  Any change to the files or the build process renders the result invalid from a FIPS perspective.


Pauli
--
Oracle
Dr Paul Dale | Cryptographer | Network Security & Encryption
Phone +61 7 3031 7217
Oracle Australia

-----Original Message-----
From: sreekanth1m [mailto:[hidden email]]
Sent: Thursday, 16 May 2019 7:56 AM
To: [hidden email]
Subject: Re: Build the FIPS Object Module issue on Ubuntu 18.04

I was able to generate the FIPS Object Module - fipscanister.o
fipscanister.o.sha1  fips_premain.c  fips_premain.c.sha1 successfully but am now stuck in building the FIPS capable library.

Followed the steps below:

$ . ./setenv-android.sh
$ cd openssl-1.0.1e/
Next, fix the makefile and run configure.

$ perl -pi -e 's/install: all install_docs install_sw/install: install_docs install_sw/g' Makefile.org
$ ./config fips shared no-ssl2 no-ssl3 no-comp no-hw no-engine \
  --openssldir=/usr/local/ssl/android-14/ \
  --with-fipsdir=/usr/local/ssl/android-14/ \
  --with-fipslibdir=/usr/local/ssl/android-14/lib/
Then run make depend and make all:

$ make depend
$ make all

make all is resulting in failure with below error message:
/usr/local/ssl/android-22/bin/fipsld: ./fips_premain_dso: not found
Makefile.shared: 169: recipe for target 'link_a.gnu' failed.

please let me know what I am missing.

Thanks




Re: Build the FIPS Object Module issue on Ubuntu 18.04

OpenSSL - User mailing list
On 16/05/2019 02:11, Paul Dale wrote:
> Just noting that any module built in this manner is *not* FIPS compliant.
>
> The distribution must be unmodified and build exactly as per the documentation.  Any change to the files or the build process renders the result invalid from a FIPS perspective.
>
Only deviations from the official process in creating the
fipscanister invalidate the FIPS validation.

The FIPS-capable OpenSSL is "outside the boundary" of the
FIPS module and can be changed at will.  This is why a new
FIPS validation is not needed every time OpenSSL releases
a bugfix to OpenSSL 1.0.x .  1.1.x will not have FIPS
support, and 4.y.x may lack this agility.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


RE: Build the FIPS Object Module issue on Ubuntu 18.04

Michael Wojcik
> From: openssl-users [mailto:[hidden email]] On Behalf Of
> Jakob Bohm via openssl-users
> Sent: Thursday, May 16, 2019 02:21
>
> On 16/05/2019 02:11, Paul Dale wrote:
> > Just noting that any module built in this manner is *not* FIPS compliant.
> >
> Only deviations from the official process in creating the
> fipscanister invalidate the FIPS validation.
>
> The FIPS-capable OpenSSL is "outside the boundary" of the
> FIPS module and can be changed at will.  This is why a new
> FIPS validation is not needed every time OpenSSL releases
> a bugfix to OpenSSL 1.0.x .

That's my understanding too, though I don't deal with a FIPS-validated distribution myself. As the OpenSSL FIPS User Guide puts it, "OpenSSL itself is not validated, and never will be". For FIPS, what matters is the OpenSSL FIPS Object Module (the "canister").

However, in this case that's probably moot. The existing validations cover only a handful of Android releases (none later than 5.0, aka Lollipop) on specific hardware. So the best the OP can achieve is a FIPS 140-2 self-validation claim (or pay for a complete validation by some outside lab). Some customers may accept that, but it's weak.

That's one of the problems with FIPS validation - platform restrictions mean it has a short shelf life, at least in any market which actually cares about following the letter of the regulations.

--
Michael Wojcik
Distinguished Engineer, Micro Focus