On 07/01/16 23:57, Kevin Long wrote:
> 
> Hello,
> 
> I believe I have successfully compiled OpenVPN on Debian, using a static 
> OpenSSL library containing the FIPS compliance module.
> 
> 
> However, I have followed this instruction found online:
> 
> "Now you should have a FIPS capable OpenSSL (NOTE: OpenSSL itself is not FIPS 
> validated, only FIPS capable along with the FIPS Object Module). To make 
> OpenVPN FIPS compliant, you need to add:
> 
> #ifdef OPENSSL_FIPS 
>         if(options.no_fips <= 0) {
>                 if(!FIPS_mode_set(1) {
>                         ERR_load_crypto_strings();
>                         ERR_print_errors_fp(stderr);
>                         exit(1);
>                 }
>         }
>         else
>                 fprintf(stderr,"*** IN FIPS MODE ***\n");
> #endif
> 
> in the file /src/openvpn.c in the OpenVPN source code folder, in the main () 
> function at the very bottom of the file, just before the: return 
> openvpn_main(argc, argv);"
> 
> Placing that code into the openvpn.c main function throws the following 
> compiler error:
> 
> openvpn.c: In function ‘main’:
> openvpn.c:361:12: error: ‘options’ undeclared (first use in this function)
>          if(options.no_fips <= 0) {
>             ^
> openvpn.c:361:12: note: each undeclared identifier is reported only once for 
> each function it appears in
> openvpn.c:362:38: error: expected ‘)’ before ‘{’ token
>                  if(!FIPS_mode_set(1) {
>                                       ^
> openvpn.c:368:8: error: expected expression before ‘}’ token
>         }
>         ^
> Makefile:627: recipe for target 'openvpn.o' failed
> 
> Please pardon my ignorance. My goal is to get FIPS compliance and to be able 
> to confirm it, but I have not been able to find a good tutorial on how to do 
> this.

This code isn't available in the upstream OpenVPN code base AFAICT ...

$ git rev-parse HEAD
b76acd72cd8ea295b925e058336440ff819ca8f4
$ git rev-parse --symbolic-full-name HEAD
refs/heads/release/2.3
$ git grep --ignore-case fips
$ git log -p | grep -i fips
$

So this seems to be an external patch which has never been in our code
base.  The first 'git grep' looks for anything in all source files which
contains 'fips' (ignoring upper/lower case).  The 'git log -p | grep
-i fips' greps through all commits, including the code changes themselves,
since the very beginning of the git tree - which dates back to the time
when the 2.1 BETA was forked out as a separate SVN branch back in
September 2005.

I also did the same check on the master branch, with the same results.

You also say you believe you compiled this successfully on Debian; I
doubt that.  Then it was a different additional patch *or* OPENSSL_FIPS
was not defined when building OpenVPN.

If you want to have a certified OpenVPN release, then I'd probably
recommend looking into OpenVPN-NL [1] instead.

[1] <https://openvpn.fox-it.com/>


-- 
kind regards,

David Sommerseth
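Added example, not part of the thread and not OpenVPN's or OpenSSL's own code: a compilable reworking of the snippet quoted in the original message. Two of the three compiler errors come straight from the snippet as pasted: `if(!FIPS_mode_set(1) {` is missing a closing parenthesis, and `options` is not a variable that exists inside main() in openvpn.c, which is why the compiler reports it as undeclared. A third problem does not show up as a compile error: the `else` is attached to `if(options.no_fips <= 0)`, so "*** IN FIPS MODE ***" would only be printed when FIPS mode was *not* requested. The version below passes the flag in as a parameter named `no_fips` (a hypothetical stand-in for the `options.no_fips` field, which I am assuming the external patch adds somewhere), verifies the result with FIPS_mode() instead of trusting FIPS_mode_set() alone, and fails closed when the library was built without OPENSSL_FIPS. FIPS_mode_set(), FIPS_mode() and the ERR_* calls are the OpenSSL 1.0.x API for FIPS-capable builds; when OPENSSL_FIPS is not defined at compile time (as on a plain Debian OpenSSL) the #else branch is taken. OpenSSL 3.0 deprecates FIPS_mode_set() in favour of EVP_default_properties_enable_fips(), so this shape only applies to 1.0.x-era builds.

```c
/* Added example: re-working of the FIPS snippet quoted in the thread.
 * Not OpenVPN's code. `no_fips` is a hypothetical parameter standing in
 * for the options.no_fips field the external patch presumably adds. */
#include <stdio.h>
#include <string.h>

#ifdef OPENSSL_FIPS
#include <openssl/crypto.h>   /* FIPS_mode_set(), FIPS_mode()  (OpenSSL 1.0.x) */
#include <openssl/err.h>      /* ERR_load_crypto_strings(), ERR_print_errors_fp() */
#endif

/* Outcome of enable_fips_mode(); distinct values so the caller can log them. */
enum fips_result {
    FIPS_ENABLED = 1,          /* FIPS mode requested, set, and verified */
    FIPS_SKIPPED = 0,          /* caller explicitly asked not to enable FIPS mode */
    FIPS_NOT_AVAILABLE = -1,   /* OpenSSL was built without OPENSSL_FIPS */
    FIPS_FAILED = -2           /* FIPS_mode_set() refused or FIPS_mode() disagrees */
};

/* Put the OpenSSL library into FIPS mode. A no_fips value > 0 mirrors the
 * quoted snippet's "options.no_fips <= 0" test in the opposite direction.
 * This has to run before any other crypto call in the process. */
enum fips_result enable_fips_mode(int no_fips)
{
    if (no_fips > 0)
        return FIPS_SKIPPED;

#ifdef OPENSSL_FIPS
    if (!FIPS_mode_set(1)) {             /* balanced parentheses this time */
        ERR_load_crypto_strings();
        ERR_print_errors_fp(stderr);
        return FIPS_FAILED;
    }
    /* Do not trust the return value alone: ask the library which mode it is in. */
    if (FIPS_mode() != 1)
        return FIPS_FAILED;
    fprintf(stderr, "*** IN FIPS MODE ***\n");   /* only on the success path */
    return FIPS_ENABLED;
#else
    /* Built against an OpenSSL without the FIPS Object Module. Returning a
     * distinct code lets the caller refuse to start rather than quietly
     * running non-validated crypto in a deployment that claims FIPS. */
    fprintf(stderr, "OpenSSL was not built with OPENSSL_FIPS; FIPS mode unavailable\n");
    return FIPS_NOT_AVAILABLE;
#endif
}

/* Human-readable name for logging the result. */
const char *fips_result_name(enum fips_result r)
{
    switch (r) {
    case FIPS_ENABLED:       return "enabled";
    case FIPS_SKIPPED:       return "skipped";
    case FIPS_NOT_AVAILABLE: return "not-available";
    case FIPS_FAILED:        return "failed";
    }
    return "unknown";
}

int main(void)
{
    /* 0 = FIPS mode requested, the equivalent of options.no_fips <= 0 */
    enum fips_result r = enable_fips_mode(0);
    fprintf(stderr, "FIPS mode: %s\n", fips_result_name(r));
    /* Fail closed: a process that must be FIPS compliant should not carry on
     * when the mode could not be enabled and verified. */
    return r == FIPS_ENABLED ? 0 : 1;
}
```

Two things this illustrates beyond the fixed syntax: the "confirm it" part of the original question is answered by FIPS_mode(), which reports what the library actually did, and a build where OPENSSL_FIPS is not defined (which is what the reply above suspects happened) is surfaced as a hard error instead of silently compiling the snippet out.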
