Hi,

I am trying to get a FIPS-certified version of OpenSSL built on
HP-UX I64 11.31.

The build of the FIPS module is successful and I could even use it
to build OpenSSL (libcrypto.so.1.0.0).

I was wondering if anybody could check the steps used and confirm
that the final built OpenSSL can be stated as FIPS certified.

I am mainly looking at the questions below:

1.) Is the version of the compiler used okay?
    I have used the latest version. The bundle name is B9007AA.
    However, if I do a "what /opt/aCC/bin/cc" I see the string
    has B3910B, which is the same as mentioned in the
    OpenSSL Security Policy.

2.) I had to do an "export KERNEL_BITS=32" before building
    the 32-bit variant of the files. Some of the OpenSSL email archives
    suggest that this is valid and can be used.

  
STEPS USED to build
//////////////////////

Build System details (11.31 -- IA64)
======================================
$ uname -a
HP-UX hpntc175 B.11.31 U ia64 0790988087 unlimited-user license
$ model
ia64 hp server rx4640


Installed Compiler and linker used (Using the latest as of 2013)
===================================================================
-- note that the aC++ bundle on HP-UX is B9007AA but
   the what string on /opt/aCC/bin/cc shows version B3910B A.06.27
-- The what string on /usr/ccs/bin/ld shows version B3910B A.06.27

$ swlist -l bundle | grep -i aC++
  B9007AA               C.11.31.07     HP C/aC++ Developer's Bundle
$ swlist | grep -i acc
  HP-ACC-Link                   C.11.31.03     HP aCC_link Bundle
$
$ swlist | grep -i PHSS_43585
  PHSS_43585                    1.0            linker + fdp cumulative patch
$
$ which cc
/usr/bin/cc
$ ll /usr/bin/cc
lrwxr-xr-x   1 bin        bin             15 Oct  8 14:25 /usr/bin/cc -> /opt/aCC/bin/cc
$ ll /opt/aCC/bin/cc
-r-xr-xr-x   4 bin        bin         977104 Jun 12  2012 /opt/aCC/bin/cc
$ what /opt/aCC/bin/cc
/opt/aCC/bin/cc:
        HP C/aC++ for Integrity Servers B3910B A.06.27 [May 22 2012]
$
$
$ which ld
/usr/bin/ld
$ ll /usr/bin/ld
lr-xr-xr-x   1 bin        bin             15 Jan 20  2007 /usr/bin/ld -> /usr/ccs/bin/ld
$ ll /usr/ccs/bin/ld
-r-xr-xr-x   1 bin        bin        14067560 Jun  5 21:11 /usr/ccs/bin/ld
$ what /usr/ccs/bin/ld
/usr/ccs/bin/ld:
        ld_msgs.cat: $Revision: 1.85 $
        92453-07 linker ld HP Itanium(R) B.12.60  IPF/IPF
        REL Wed Jun  5 03:51:23 2013 PDT
        HP aC++ for Integrity Servers B3910B A.06.27 [May 22 2012] C++ Standard Library (RogueWave Version 2.02.01)
        HP aC++ for Integrity Servers B3910B A.06.27 [May 22 2012] Language Support Library
$



Verify the HMAC-SHA-1 digest of openssl-fips-2.0.4.tar.gz from a previous version of OpenSSL that is FIPS certified
=====================================================================================================================
$ pwd
/openssl_code
$ ls
openssl-1.0.1e.tar.gz      openssl-fips-2.0.4.tar.gz
$ ll
total 11552
-rw-r--r--   1 root       sys        4459777 Oct  9 09:50 openssl-1.0.1e.tar.gz
-rw-r--r--   1 root       sys        1442721 Oct  9 09:50 openssl-fips-2.0.4.tar.gz
$
$ /opt/openssl/fips/0.9.7/bin/openssl.fipsonly sha1 -hmac etaonrishdlcupfm openssl-fips-2.0.4.tar.gz
HMAC-SHA1(openssl-fips-2.0.4.tar.gz)= eaa5f86dab2c5da7086aec4786bce27d3b3c1b8a
$
$ /opt/openssl/fips/0.9.7/bin/openssl.fipsonly md5 -hmac etaonrishdlcupfm openssl-fips-2.0.4.tar.gz
Error setting digest MD5
6858:error:0608008D:digital envelope routines:EVP_DigestInit:disabled for fips:digest.c:237:
$


Ensure that there is no /usr/local/ssl directory initially
===========================================================
$ ls /usr/local/
asf                         etc                         hpntc175_asf_v6_latest.tar  man
asf_v6                      games                       include                     openssl
bin                         hplx                        info                        sbin
doc                         hpntc175_asf_latest.tar     lib                         share
$


Unzip the FIPS code
======================
$ gunzip -c openssl-fips-2.0.4.tar.gz | tar xf -
$ cd openssl-fips-2.0.4


Build and install the FIPS module
==================================
$ ./config no-asm
Operating system: ia64-hp-hpux1x
Auto Configuring fipsonly
Auto Configuring fipsonly
-
-
This is the OpenSSL FIPS 2.0 module.

$
$ make
        if [ -n "libcrypto" ]; then \
-
-
        /usr/bin/ranlib ../libcrypto.a || echo Never mind.
        if [ "y" = "n" -a -n "fipscanister.o" ]; then ar  r ../libcrypto.a fipscanister.o; fi
$
$
$ make install
        if [ -n "libcrypto" ]; then \
-
-
        chmod 0444 /usr/local/ssl/fips-2.0/lib/fips*
making install in test...
$


Check if New files are installed
==================================
$ ll /usr/local/ssl/
total 0
drwxr-xr-x   5 root       sys             96 Oct  9 10:01 fips-2.0
$
$ ll /usr/local/ssl/fips-2.0/
total 16
drwxr-xr-x   2 root       sys             96 Oct  9 10:01 bin
drwxr-xr-x   3 root       sys             96 Oct  9 10:01 include
drwxr-xr-x   2 root       sys           8192 Oct  9 10:01 lib
$ ll /usr/local/ssl/fips-2.0/lib/fipscanister.o
-r--r--r--   1 root       sys        2132104 Oct  9 10:01 /usr/local/ssl/fips-2.0/lib/fipscanister.o
$




Build the openssl-1.0.1e against this FIPS version
===================================================
$ cd /openssl_code
$ gunzip -c openssl-1.0.1e.tar.gz | tar xf -
$ cd openssl-1.0.1e
$ pwd
/openssl_code/openssl-1.0.1e
$ export PATH=/opt/imake/bin:$PATH
$ which imake
/opt/imake/bin/imake
$
$ ./config fips threads shared no-asm
Operating system: ia64-hp-hpux1x
Configuring for hpux64-ia64-cc
-
-
Since you've disabled or enabled at least one algorithm, you need to do
the following before building:

        make depend

Configured for hpux64-ia64-cc.
$
$
$ make depend
making depend in crypto...
making depend in crypto/objects...
-
-
making depend in ssl...
makedepend: warning:  s3_srvr.c: 70: #error MD5 is disabled.
making depend in engines...
makedepend: warning:  e_padlock.c: 93: #  error "Only OpenSSL >= 0.9.7 is supported"
making depend in engines/ccgost...
making depend in apps...
makedepend: warning:  passwd.c: 70: #error MD5 is disabled.
making depend in test...
making depend in tools...
$
$ make
making all in crypto...
        ( echo "#ifndef MK1MF_BUILD"; \
-
-
-I/usr/local/ssl/fips-2.0/include -c dummytest.c
making all in tools...
$
$ make install
making all in crypto...
-
-
        chmod 644 /usr/local/ssl/lib/pkgconfig/openssl.pc
$
$


Check that new files are installed
=======================================
$ ls /usr/local/ssl
bin          certs        fips-2.0     include      lib          man          
misc         openssl.cnf  private
$


Validate that openssl-1.0.1e is really built with the FIPS module
=====================================================================
$ /usr/local/ssl/bin/openssl sha1 < README
(stdin)= 5d7a289bc49e6d734d938b5e6e9b0acef7f2d9f9
$ /usr/local/ssl/bin/openssl md5 < README
(stdin)= 33fc763bdb7274b8a05e26b32a531b1e
$
$
$ export OPENSSL_FIPS=1
$
$ /usr/local/ssl/bin/openssl sha1 < README
(stdin)= 5d7a289bc49e6d734d938b5e6e9b0acef7f2d9f9
$ /usr/local/ssl/bin/openssl md5 < README
Error setting digest md5
11529215045791229240:error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:
$
$
$
$ ldd /usr/local/ssl/bin/openssl

/usr/local/ssl/bin/openssl:
        libssl.so.1.0.0 =>      /usr/local/ssl/lib/libssl.so.1.0.0
        libcrypto.so.1.0.0 =>   /usr/local/ssl/lib/libcrypto.so.1.0.0
        libdl.so.1 =>   /usr/lib/hpux64/libdl.so.1
        libc.so.1 =>    /usr/lib/hpux64/libc.so.1
        libcrypto.so.1.0.0 =>   ./libcrypto.so.1.0.0
        libdl.so.1 =>   /usr/lib/hpux64/libdl.so.1
$



Changes for getting 32 bit binaries
====================================

1.) Removed any files in the /usr/local/ssl directory

2.) Opened a new terminal and repeated the same steps
    as building 64 bits version of openssl.

    The only difference is to export the below variable:

    $ export KERNEL_BITS=32

    before invoking "./config no-asm" for FIPS build
    or "./config fips threads shared no-asm" for openssl build.

    i.e. the FIPS build is done by the steps:
    $ export KERNEL_BITS=32
    $ ./config no-asm
    $ make
    $ make install

    openssl-1.0.1e build is done by the steps:
    $ export KERNEL_BITS=32
    $ ./config fips threads shared no-asm
    $ make depend
    $ make
    $ make install

Thanks and warm regards,
Prasad
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
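As an added cross-check of the tarball integrity step in the mail above (example code added here, not part of Prasad's post or of the OpenSSL project): the fixed HMAC key etaonrishdlcupfm and the expected digest eaa5f86dab2c5da7086aec4786bce27d3b3c1b8a are the values printed in the post; Python's hmac module stands in for the openssl.fipsonly binary, so this is a portable consistency check that complements, and does not replace, the check with the previously certified binary shown in the post. It also parses the `HMAC-SHA1(file)= hex` line that `openssl sha1 -hmac` prints, so a digest copied from a terminal log can be compared the same way. All function names are the example's own.

```python
"""Cross-check of the HMAC-SHA-1 integrity step for openssl-fips-2.0.4.tar.gz.

Added example (not from the mailing-list post or from OpenSSL).
Assumptions: KEY and EXPECTED_HMAC are copied from the post; hashlib/hmac
stand in for the FIPS-validated openssl.fipsonly binary used there.
"""
import hashlib
import hmac
import re

# Values taken from the post, not computed here.
KEY = b"etaonrishdlcupfm"
EXPECTED_HMAC = "eaa5f86dab2c5da7086aec4786bce27d3b3c1b8a"
TARBALL = "openssl-fips-2.0.4.tar.gz"

# Shape of the line printed by "openssl sha1 -hmac <key> <file>", e.g.
#   HMAC-SHA1(openssl-fips-2.0.4.tar.gz)= eaa5f86d...
OPENSSL_LINE = re.compile(
    r"^HMAC-SHA1\((?P<file>[^)]+)\)=\s*(?P<hex>[0-9a-fA-F]{40})\s*$"
)


def hmac_sha1_hex(data: bytes, key: bytes = KEY) -> str:
    """HMAC-SHA1 of in-memory data under key, lowercase hex like openssl prints."""
    return hmac.new(key, data, hashlib.sha1).hexdigest()


def hmac_sha1_file_hex(path: str, key: bytes = KEY) -> str:
    """Streamed HMAC-SHA1 of a file, so a multi-MB tarball is not read at once."""
    mac = hmac.new(key, digestmod=hashlib.sha1)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            mac.update(chunk)
    return mac.hexdigest()


def parse_openssl_hmac_line(line: str):
    """Return (file, hexdigest) from an 'openssl sha1 -hmac' output line, else None.

    Error lines such as "Error setting digest MD5" do not match and yield None.
    """
    m = OPENSSL_LINE.match(line.strip())
    if not m:
        return None
    return m.group("file"), m.group("hex").lower()


def digest_matches(actual_hex: str, expected_hex: str = EXPECTED_HMAC) -> bool:
    """Constant-time, case-insensitive comparison of two hex digests."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


def check_tarball(path: str, expected_hex: str = EXPECTED_HMAC,
                  key: bytes = KEY) -> bool:
    """True only if the file's HMAC-SHA1 under key equals the expected digest."""
    return digest_matches(hmac_sha1_file_hex(path, key), expected_hex)


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else TARBALL
    try:
        ok = check_tarball(target)
    except FileNotFoundError:
        sys.exit(f"{target}: not found (run this next to the tarball)")
    verdict = "HMAC-SHA1 matches the expected value" if ok else "MISMATCH, do not use"
    print(f"{target}: {verdict}")
    sys.exit(0 if ok else 1)
```

Run it in the directory holding the tarball (`python3 check_fips_tarball.py openssl-fips-2.0.4.tar.gz`); a non-zero exit means the archive does not match the digest from the post and should not be built. The comparison uses `hmac.compare_digest` rather than `==` so the check itself does not leak timing information, and the hex is lower-cased first because different tools print the digest in different cases.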