Openssl 1.0.2c include the FIPS 140-2 Object Module

Openssl 1.0.2c include the FIPS 140-2 Object Module

Ashwini V Patil
Hello All,
 
Please let me know if openssl-1.0.2c includes the FIPS 140-2 Object Module.
Also please explain how to validate the application.
 
Your help is appreciated.
 
With best regards,
Ashwini V Patil
 
Siemens Technology and Services Private Limited
CT DC AA HC H1-FH STD IBP 6
84, Hosur Road
Bengaluru 560100, India
Mobile: +91 9008132565
 
Registered Office: 130, Pandurang Budhkar Marg, Worli, Mumbai 400 018. Telephone +91 22 39677000. Fax +91 22 39677075. Other Offices: Bengaluru, Chennai, Gurgaon, Noida, Pune. Corporate Identity number:U99999MH1986PLC093854
 
 

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: Openssl 1.0.2c include the FIPS 140-2 Object Module

Steve Marquess-4
On 07/01/2015 02:24 AM, Patil, Ashwini IN BLR STS wrote:
> Hello All,
>  
> Please let me know if openssl-1.0.2c includes the FIPS 140-2 Object Module.
> Also please explain how to validate the application.

This question would be more appropriate for the openssl-users list. The
-dev list is for OpenSSL development issues, not for basic usage questions.

You might want to start with the OpenSSL FIPS User Guide:

  https://www.openssl.org/docs/fips/UserGuide-2.0.pdf

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
Re: Openssl 1.0.2c include the FIPS 140-2 Object Module

Ashwini V Patil
Hello All,
 
I have used the below steps to integrate openssl-fips-2.0.9 in openssl-1.0.2c:

Procedure for FIPS Enabled OpenSSL Module Compilation
=====================================================

    =================================
    1. Compile openssl-fips-2.0 module
    =================================
        a. Extract the contents of openssl-fips-2.0.9.tar.gz to C:\openssl-fips-2.0.9\
        b. Open Visual Studio 2008 Command Prompt.
        c. cd C:\openssl-fips-2.0.9\
        d. Copy all the contents of "C:\Program Files\NASM" into this source folder
        e. ms\do_fips [no-asm] (nmake -f ms\ntdll.mak & nmake -f ms\ntdll.mak install are included in this command)

        The compiled FIPS module is located at C:\usr\local\ssl\fips-2.0.9

    =======================================================
    2. Integrate compiled openssl-fips-2.0.9 in openssl-1.0.2c
    =======================================================
        a. Extract the contents of openssl-1.0.1e.tar.gz to C:\openssl-1.0.2c-fips-compliant\
        b. Open Visual Studio 2008 Command Prompt.
        c. cd C:\openssl-1.0.2c-fips-compliant\
        d. Copy all the contents of "C:\Program Files\NASM" into this source folder
        e. perl Configure VC-WIN32 fips --with-fipslibdir=C:\usr\local\ssl\fips-2.0.9
        f. ms\do_nasm
        g. nmake -f ms\nt.mak
        h. For testing, use the following command: nmake -f ms\nt.mak test
        i. nmake -f ms\nt.mak install
        j. (If you want to create DLL files, use the following commands: nmake -f ms\ntdll.mak && nmake -f ms\ntdll.mak install)
        k. The compiled FIPS compliant OpenSSL exe is located at C:\usr\local\ssl\bin\openssl.exe
        l. Run C:\usr\local\ssl\bin\openssl.exe and type "version". You should see the following output:
            =======================================
            ****OpenSSL 1.0.2c-fips 12 June 2015****
            =======================================
        m. The compiled FIPS compliant OpenSSL fipslibeay32.lib, ssleay32.lib & libeaycompat32.lib are located at C:\openssl-1.0.1e-fips-compliant\out32
        n. The compiled FIPS compliant OpenSSL fipslibeay32.dll & ssleay32.dll are located at C:\openssl-1.0.1e-fips-compliant\out32

The build is successful and generates fipslibeay32.lib, ssleay32.lib, libeaycompat32.lib & ssleay32.dll.
But fipslibeay32.dll is missing. Please guide me.
 
Thanks & Regards
Ashwini V Patil
_____________________________________________
From: Patil, Ashwini IN BLR STS
Sent: Wednesday, July 01, 2015 11:55 AM
To: '[hidden email]'
Subject: Openssl 1.0.2c include the FIPS 140-2 Object Module


Re: Openssl 1.0.2c include the FIPS 140-2 Object Module

Jan Ehrhardt
Steve Marquess in gmane.comp.encryption.openssl.devel (Wed, 01 Jul 2015
09:53:14 -0400):
>On 07/01/2015 02:24 AM, Patil, Ashwini IN BLR STS wrote:
>> Hello All,
>>  
>> Please let me know if openssl-1.0.2c includes the FIPS 140-2 Object Module.
>> Also please explain how to validate the application.
>
>This question would be more appropriate for the openssl-users list. The
>-dev list is for OpenSSL development issues, not for basic usage questions.

Patil has a point, because FIPS 140-2 building on Windows is broken
since the introduction of applink.c. The generated fips_premain_dso.exe
fails during the building process:

link /nologo /subsystem:console /opt:ref /debug /dll /fixed /map
/base:0xFB00000 /out:out32dll\libeay32.dll /def:ms/LIBEAY32.def
@D:\Temp\nmB1D5.tmp
   Creating library out32dll\libeay32.lib and object
out32dll\libeay32.exp
out32dll\fips_premain_dso.exe out32dll\libeay32.dll
OPENSSL_Uplink(00CBB000,08): no OPENSSL_Applink
Get hash failure at \usr\local\ssl\fips-2.0\bin\fipslink.pl line 60.
NMAKE : fatal error U1077: 'C:\Perl64\bin\perl.EXE' : return code '0x1'

Outside of the build script the error is the same:
C:\openssl>out32dll\fips_premain_dso.exe out32dll\libeay32.dll
OPENSSL_Uplink(010CB000,08): no OPENSSL_Applink

Solution: fips/fips_premain.c in the FIPS sources should include
applink.c on Windows

I managed to build a fips_premain_dso.exe with Applink and use that to
create Openssl 1.0.2d fips, but this was certainly not without breaking
the FIPS rules.

It is time for openssl-fips-2.0.10
--
Jan

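As an added example (not code from this thread, from OpenSSL or from the FIPS module), the following Python checks cover two things discussed above: the outcome of Ashwini's step list (the "-fips" version string of step l and the out32 artifacts of steps m/n, where fipslibeay32.dll was missing) and the hash step in Jan's log, where fipslink.pl runs fips_premain_dso.exe on the freshly linked DLL and expects a fingerprint instead of the Applink diagnostic. The HMAC key is quoted from memory of the openssl-fips sources and is an assumption to confirm against your own module.

```python
import hashlib
import hmac
import re

# Step l of the procedure expects "OpenSSL <version>-fips <date>" from `openssl version`.
VERSION_FIPS_RE = re.compile(r"^OpenSSL\s+\S+-fips\b")
# fipslink.pl runs fips_premain_dso on the linked DLL and expects the module
# fingerprint (HMAC-SHA1, 40 hex digits) on stdout; the broken VC14 builds
# print the Applink diagnostic instead, so the script dies with "Get hash failure".
FINGERPRINT_RE = re.compile(r"^[0-9a-fA-F]{40}$", re.MULTILINE)
APPLINK_RE = re.compile(r"OPENSSL_Uplink\([0-9A-Fa-f]+,\d+\): no OPENSSL_Applink")
# Key used by the FIPS module's integrity HMAC (assumption: quoted from memory
# of fips/fips.c in openssl-fips 2.0; verify against your sources).
FIPS_HMAC_KEY = b"etaonrisuhc"
# Artifacts steps m/n promise in out32 (DLLs only when ms\ntdll.mak was run).
EXPECTED_LIBS = {"fipslibeay32.lib", "ssleay32.lib", "libeaycompat32.lib"}
EXPECTED_DLLS = {"fipslibeay32.dll", "ssleay32.dll"}


def version_is_fips(version_output: str) -> bool:
    """True when `openssl version` reports a FIPS-capable build (step l)."""
    return VERSION_FIPS_RE.match(version_output.strip()) is not None


def module_fingerprint(module_bytes: bytes) -> str:
    """HMAC-SHA1 in the form fips_premain_dso prints it, computed over the bytes
    given here (the real check covers the module's code and read-only data)."""
    return hmac.new(FIPS_HMAC_KEY, module_bytes, hashlib.sha1).hexdigest()


def premain_hash(premain_output: str) -> str:
    """Mimic fipslink.pl's hash step: return the fingerprint or say why it failed."""
    if APPLINK_RE.search(premain_output):
        raise RuntimeError("fips_premain_dso aborted: no OPENSSL_Applink "
                           "(fips_premain.c needs applink.c with this toolchain)")
    m = FINGERPRINT_RE.search(premain_output)
    if m is None:
        raise RuntimeError("Get hash failure: no 40-hex fingerprint in output")
    return m.group(0)


def missing_artifacts(out32_listing, dll_build: bool) -> list:
    """Files steps m/n promise that the out32 listing lacks, sorted by name."""
    wanted = EXPECTED_LIBS | (EXPECTED_DLLS if dll_build else set())
    return sorted(wanted - set(out32_listing))
```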

Re: Openssl 1.0.2c include the FIPS 140-2 Object Module

Jan Ehrhardt
Jan Ehrhardt in gmane.comp.encryption.openssl.devel (Sat, 11 Jul 2015
18:08:58 +0200):
>OPENSSL_Uplink(00CBB000,08): no OPENSSL_Applink
>Get hash failure at \usr\local\ssl\fips-2.0\bin\fipslink.pl line 60.
>NMAKE : fatal error U1077: 'C:\Perl64\bin\perl.EXE' : return code '0x1'

>It is time for openssl-fips-2.0.10

The two changes to fix the broken build on Windows are here:
https://github.com/Jan-E/openssl-fips/commits/master

Please pass this on to the maintainers of Openssl FIPS.
--
Jan


Re: Openssl 1.0.2c include the FIPS 140-2 Object Module

Dr. Matthias St. Pierre
Hello Jan,

thank you for sharing your observations and your patch. I stumbled upon it
because we are currently having a similar problem with our Windows builds, which produce
these "OPENSSL_Uplink/no OPENSSL_Applink" errors.

However, I'm in doubt whether your patch really fixes the cause of the problem
or just the symptoms. I believe that there must be a fix for the problem without
modifying the sequestered code of the fips module.

You say that FIPS 140-2 was broken by the introduction of applink.c .

However the applink.c module was introduced way back in 2004 and nevertheless
OpenSSL 1.0.1 and the FIPS 2.0.9 module built happily together on Windows ever since.
(and you can see in the build logs that '-DOPENSSL_USE_APPLINK' appears a lot)

Even OpenSSL 1.0.2 and FIPS 2.0.9 build together perfectly on our Windows machines
with VS2012. Only after migrating to VS2015 we started to have this problem.

So I am quite sure that the true cause of the problem does not lie in incompatible
changes between 1.0.1 and 1.0.2, the problem must lie elsewhere. But unfortunately,
I have no solution yet.

If you (or anybody else) disagree(s), I would be happy to hear from you.

Regards,

Matthias

On 07/11/2015 06:08 PM, Jan Ehrhardt wrote:

> Steve Marquess in gmane.comp.encryption.openssl.devel (Wed, 01 Jul 2015
> 09:53:14 -0400):
>> On 07/01/2015 02:24 AM, Patil, Ashwini IN BLR STS wrote:
>>> Hello All,
>>>  
>>> Please let me know if openssl-1.0.2c includes the FIPS 140-2 Object Module.
>>> Also please explain how to validate the application.
>>
>> This question would be more appropriate for the openssl-users list. The
>> -dev list is for OpenSSL development issues, not for basic usage questions.
>
> Patil has a point, because FIPS 140-2 building on Windows is broken
> since the introduction of applink.c. The generated fips_premain_dso.exe
> fails during the building process:
>
> link /nologo /subsystem:console /opt:ref /debug /dll /fixed /map
> /base:0xFB00000 /out:out32dll\libeay32.dll /def:ms/LIBEAY32.def
> @D:\Temp\nmB1D5.tmp
>    Creating library out32dll\libeay32.lib and object
> out32dll\libeay32.exp
> out32dll\fips_premain_dso.exe out32dll\libeay32.dll
> OPENSSL_Uplink(00CBB000,08): no OPENSSL_Applink
> Get hash failure at \usr\local\ssl\fips-2.0\bin\fipslink.pl line 60.
> NMAKE : fatal error U1077: 'C:\Perl64\bin\perl.EXE' : return code '0x1'
>
> Outside of the building script the error is the same
> C:\openssl>out32dll\fips_premain_dso.exe out32dll\libeay32.dll
> OPENSSL_Uplink(010CB000,08): no OPENSSL_Applink
>
> Solution: fips/fips_premain.c in the FIPS sources should include
> applink.c on Windows
>
> I managed to build a fips_premain_dso.exe with Applink and use that to
> create Openssl 1.0.2d fips, but this was certainly not without breaking
> the FIPS rules.
>
> It is time for openssl-fips-2.0.10
>

Re: Openssl 1.0.2c include the FIPS 140-2 Object Module

Jan Ehrhardt
Dr. Matthias St. Pierre in gmane.comp.encryption.openssl.devel (Fri, 14
Aug 2015 08:12:58 +0200):
>You say that FIPS 140-2 was broken by the introduction of applink.c .
>
>However the applink.c module was introduced way back in 2004 and nevertheless
>OpenSSL 1.0.1 and the FIPS 2.0.9 module built happily together on Windows ever since.
>(and you can see in the build logs that '-DOPENSSL_USE_APPLINK' appears a lot)

I guess there was a change from optional (in VC9/VC11) to required in
VC14, but only for the 1.0.2 branch. The PHP devs were the first to notice
and included applink.c in the VS2015/VC14 builds of PHP7. Apachelounge
followed by including applink.c in the VS2015/VC14 builds of Apache
2.4.16. Then I tried to compile OpenSSL 1.0.2c + FIPS 2.0.9 with VC14 and
ran into the error.

>Even OpenSSL 1.0.2 and FIPS 2.0.9 build together perfectly on our Windows machines
>with VS2012. Only after migrating to VS2015 we started to have this problem.

True. But the Windows world is moving to VS2015/VC14, so OpenSSL has to
follow. I have a faint recollection that OpenSSL 1.0.2a still had FIPS
support. If that is the case, maybe you can track down where it went
wrong.

Jan

PS. We are not obliged to use a FIPS compliant OpenSSL, so I did not
investigate further. And, besides that, we are still running OpenSSL
1.0.1.


Re: Openssl 1.0.2c include the FIPS 140-2 Object Module

Jan Ehrhardt
Jan Ehrhardt in gmane.comp.encryption.openssl.devel (Fri, 14 Aug 2015
16:22:51 +0200):
>I have a faint recollection that OpenSSL 1.0.2a still had FIPS support.

I checked that. OpenSSL 1.0.2a has the same problem and also does not
compile with FIPS enabled.
--
Jan


Re: Openssl 1.0.2c include the FIPS 140-2 Object Module

Dr. Matthias St. Pierre

On 14.08.2015 at 16:22, Jan Ehrhardt wrote:
> I guess there was a change from optional (in VC9/VC11) to required in
> VC14, but only for the 1.0.2 branch. The PHP devs were the first to
> notice and included applink.c in the VS2015/VC14 builds of PHP7.
> Apachelounge followed by including applink.c in the VS2015/VC14 builds
> of Apache 2.4.16. Then I tried to compile OpenSSL 1.0.2c + FIPS 2.0.9
> with VC14 and ran into the error.
Thank you once more for the detailed reply. I applied your patches
provisionally before going on vacation last Friday to keep the builds
going. After my vacation we will have to decide what to do about the
FIPS problem.

Regards,
Matthias


Re: Openssl 1.0.2c include the FIPS 140-2 Object Module

Jan Ehrhardt
Dr. Matthias St. Pierre in gmane.comp.encryption.openssl.devel (Sun, 16
Aug 2015 23:52:21 +0200):

>
>On 14.08.2015 at 16:22, Jan Ehrhardt wrote:
>> I guess there was a change from optional (in VC9/VC11) to required in
>> VC14, but only for the 1.0.2 branch. The PHP devs were the first to
>> notice and included applink.c in the VS2015/VC14 builds of PHP7.
>> Apachelounge followed by including applink.c in the VS2015/VC14 builds
>> of Apache 2.4.16. Then I tried to compile OpenSSL 1.0.2c + FIPS 2.0.9
>> with VC14 and ran into the error.
>Thank you once more for the detailed reply. I applied your patches
>provisionally before going on vacation last Friday to keep the builds
>going. After my vacation we will have to decide what to do about the
>FIPS problem.

Surely, your holiday must be over by now ;-)

Jan


Re: Openssl 1.0.2c include the FIPS 140-2 Object Module

Dr. Matthias St. Pierre

On 09/21/2015 12:01 AM, Jan Ehrhardt wrote:

> Dr. Matthias St. Pierre in gmane.comp.encryption.openssl.devel (Sun, 16
> Aug 2015 23:52:21 +0200):
>>
>> Thank you once more for the detailed reply. I applied your patches
>> provisorily before going on vacation last friday to keep the builds
>> going. After my vacation we will have to decide what to do about the
>> FIPS problem.
>
> Surely, your holiday must be over by now ;-)
>
> Jan
>
>


Sorry for not answering earlier, I overlooked your post. Not because of holidays,
but because I was busy with other problems.

As you might have guessed, my provisional arrangement is still in place ;-)
I noticed there has been some movement on issue #4042 recently and hope there
will be an official solution to the problem soon.

Thanks for persisting on the subject, anyway.

Regards,
Matthias