OpenSSL fips 1.0 build for WinCE 5.0


OpenSSL fips 1.0 build for WinCE 5.0

BAO, ROBERT

Hi,

Our WinCE devices use an ARM (Intel PXA255) processor. When I followed the build instructions to build the non-fips OpenSSL (perl Configure VC-CE), with minor changes to the build script and a few source files, I managed to build the OpenSSL.exe, libeay32.dll and ssleay32.dll successfully.

However, when I tried to build the fips version (perl Configure VC-CE fips), I got this error:
***FIPS module directory sanity check failed***
FIPS module build failed, or was deleted
Please rebuild FIPS module.

I found a useful discussion thread ("Compilation of OpenSSL-fips-1.0 under Windows" 03/30/06), and realized that people have to use MSYS and gcc to compile fips module first, etc.

My questions are:
1. Do we have to use the same "trick" to compile the fips module for WinCE?
2. Can we use Microsoft WinCE Platform Builder's ARM compiler to achieve this?
3. If we do have to use MSYS and/or gcc, they should be the ARM's version right? Where can I get it if there exists one?

Your response is very much appreciated.

Robert


Re: OpenSSL fips 1.0 build for WinCE 5.0

Dr. Stephen Henson
On Thu, May 04, 2006, BAO, ROBERT wrote:

> Hi,
>
> >
> > However, when I tried to build the fips version (perl Configure VC-CE
> > fips), I got this error:
> > ***FIPS module directory sanity check failed***
> > FIPS module build failed, or was deleted
> > Please rebuild FIPS module.
> >
> > I found a useful discussion thread ("Compilation of OpenSSL-fips-1.0 under
> > Windows" 03/30/06), and realized that people have to use MSYS and gcc to
> > compile fips module first, etc.
> >

Yes that's correct. The build instructions have to be followed to the letter
for the validated FIPS module. That's why the MSYS stuff is there.

> > My questions are:
> > 1. Do we have to use the same "trick" to compile the fips module for
> > WinCE?
> > 2. Can we use Microsoft WinCE Platform Builder's ARM compiler to achieve
> > this?
> > 3. If we do have to use MSYS and/or gcc, they should be the ARM's version
> > right? Where can I get it if there exists one?
> >

You can't change a single thing in the fips validated source so anything that
requires changes there will not be validated.

It could be changed for a followup certification effort though. Contact OSSI
if you are interested in that.

The existing source works under Windows because a Unix-like compilation
environment (MSYS+mingw) can correctly compile OpenSSL *and* the result can be
used with VC++. You'd have to be able to achieve the same thing under ARM and
WinCE.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: OpenSSL fips 1.0 build for WinCE 5.0

BAO, ROBERT

Thanks for the reply, Steve.

Since the 0.9.7j version was just out, I got a copy and tried again. This time I got the following error:

The file fipscanister.o could not be located. Please build and install the
FIPS module using the instructions in the user guide before compiling OpenSSL
in FIPS mode. Ensure that the correct path to the FIPS module directory
has been given to the --with-fipslibdir option.


What went wrong this time?

Because the error is totally different than that for version OpenSSL-fips-1.0, not to confuse other people, I didn't attach my previous post. However, in your reply you did mention that "The build instructions have to be followed to the letter for the validated FIPS module." Could you please let me know (or point a web link to me) the detailed instructions?

Thanks for your time.

Robert


Re: OpenSSL fips 1.0 build for WinCE 5.0

Dr. Stephen Henson
On Thu, May 04, 2006, BAO, ROBERT wrote:

> Thanks for the reply, Steve.
>
> Since the 0.9.7j version was just out, I got a copy and tried again. This
> time I got the following error:
>
> The file fipscanister.o could not be located. Please build and install the
> FIPS module using the instructions in the user guide before compiling
> OpenSSL
> in FIPS mode. Ensure that the correct path to the FIPS module directory
> has been given to the --with-fipslibdir option.
>
>
> What went wrong this time?
>

It can't find the validated fips module and associated files.

> Because the error is totally different than that for version
> OpenSSL-fips-1.0, not to confuse other people, I didn't attach my previous
> post. However, in your reply you did mention that "The build instructions
> have to be followed to the letter for the validated FIPS module." Could you
> please let me know (or point a web link to me) the detailed instructions?
>
>

There's a user guide being prepared which will give more details. Basically to
be covered by this certification you can *only* do:

./config fips
make
make install

from the validated source to compile fipscanister.o no other options are
permitted and no source files can be changed. If that doesn't work then it
isn't covered by the current certification.

Because the new source releases aren't validated they link against
fipscanister.o and friends which have been compiled from the validated source.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

RE: OpenSSL fips 1.0 build for WinCE 5.0

BAO, ROBERT
Steve,

I downloaded and installed MinGW/ActivePerl5.8.8.

In MinGW shell window, I ran:
1. tar -xvzf OpenSSL-0.9.7j.tar.gz, it was successful!

2. ./config fips, this gave me the following error:

Operating system: i686-whatever-mingw
Configuring for mingw
The file fipscanister.o could not be located. Please build and install the
FIPS module using the instructions in the user guide before compiling
OpenSSL
in FIPS mode.
Configuring for mingw


What's missing in my case?

Thanks for your time.

Robert

-----Original Message-----
From: Dr. Stephen Henson [mailto:[hidden email]]
Sent: Thursday, May 04, 2006 4:08 PM
To: [hidden email]
Subject: Re: OpenSSL fips 1.0 build for WinCE 5.0

On Thu, May 04, 2006, BAO, ROBERT wrote:

> Thanks for the reply, Steve.
>
> Since the 0.9.7j version was just out, I got a copy and tried again.
> This time I got the following error:
>
> The file fipscanister.o could not be located. Please build and install
> the FIPS module using the instructions in the user guide before
> compiling OpenSSL in FIPS mode. Ensure that the correct path to the
> FIPS module directory has been given to the --with-fipslibdir option.
>
>
> What went wrong this time?
>

It can't find the validated fips module and associated files.

> Because the error is totally different than that for version
> OpenSSL-fips-1.0, not to confuse other people, I didn't attach my
> previous post. However, in your reply you did mention that "The build
> instructions have to be followed to the letter for the validated FIPS
> module." Could you please let me know (or point a web link to me) the
> detailed instructions?
>
>

There's a user guide being prepared which will give more details. Basically
to be covered by this certification you can *only* do:

./config fips
make
make install

from the validated source to compile fipscanister.o no other options are
permitted and no source files can be changed. If that doesn't work then it
isn't covered by the current certification.

Because the new source releases aren't validated they link against
fipscanister.o and friends which have been compiled from the validated
source.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL
project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: OpenSSL fips 1.0 build for WinCE 5.0

Dr. Stephen Henson
On Fri, May 05, 2006, BAO, ROBERT wrote:

> Steve,
>
> I downloaded and installed MinGW/ActivePerl5.8.8.
>
> In MinGW shell window, I ran:
> 1. tar -xvzf OpenSSL-0.9.7j.tar.gz, it was successful!
>
> 2. ./config fips, this gave me the following error:
>
> Operating system: i686-whatever-mingw
> Configuring for mingw
> The file fipscanister.o could not be located. Please build and install the
> FIPS module using the instructions in the user guide before compiling
> OpenSSL
> in FIPS mode.
> Configuring for mingw
>
>
> What's missing in my case?
>

You missed this bit:

>
> from the validated source to compile fipscanister.o no other options are
  =========================

The only source that is validated is the tarball:

http://www.openssl.org/source/OpenSSL-fips-1.0.tar.gz

nothing else can be used for that step. After the FIPS module has been built
and installed then 0.9.7j can be used to link against it.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
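
Added example, not part of the original thread and not OpenSSL project code: a pre-flight check for the two-stage build described above, confirming that a working tree is byte-for-byte the unpacked tarball before `./config fips` is run, and that `fipscanister.o` is in place before a later release is configured against it. The function names are hypothetical, and the sketch assumes the tarball unpacks into a single top-level directory.

```shell
#!/bin/sh
# Added example: pre-flight checks for the two-stage FIPS build in this thread.

# Return 0 only if TREE has exactly the same files and contents as TARBALL.
# Assumption: the tarball unpacks into a single top-level directory.
tree_matches_tarball() {
    tarball=$1
    tree=$2
    tmp=$(mktemp -d) || return 2
    if ! tar -xzf "$tarball" -C "$tmp" 2>/dev/null; then
        rm -rf "$tmp"
        return 2
    fi
    top=$(ls -A "$tmp")
    # diff -r reports changed, missing and extra files alike.
    if [ -d "$tmp/$top" ] && diff -r "$tmp/$top" "$tree" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Return 0 if DIR holds fipscanister.o, the object the later release links
# against (the directory passed to --with-fipslibdir).
fips_module_present() {
    [ -f "$1/fipscanister.o" ]
}

# Gate the first stage: refuse to go on if the tree has been touched.
# Run this before the build, since building adds files to the tree.
preflight() {
    if ! tree_matches_tarball "$1" "$2"; then
        echo "tree $2 differs from $1: not the validated source" >&2
        return 1
    fi
    echo "tree matches tarball; run ./config fips, make, make install unchanged"
}
```
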