Hi Mr. Stephen N. Henson,
Thank you so much for the reply.
We would like to use option 1 mentioned by you. But unfortunately the DLLs
were not generated, only static libs were generated.
Please guide if we have missed any steps.
=====================================================
Procedure for FIPS Enabled OpenSSL Module Compilation
=====================================================
=================================
1. Compile openssl-fips2.0.9 module
=================================
a. Extract the contents of openssl-fips-2.0.9.tar.gz to C:\openssl-fips-2.0\
b. Open Visual Studio 2008 Command Prompt.
c. cd C:\openssl-fips2.0.9\
d. Copy all the contents of "C:\Program Files\NASM" in this source folder
e. ms\do_fips [no-asm] (nmake -f ms\ntdll.mak & nmake -f ms\ntdll.mak install are included in this command)
Compiled FIPS module is located at C:\usr\local\ssl\fips-2.0
=======================================================
2. Integrate compiled openssl-fips2.0.9 in openssl-1.0.2c
=======================================================
a. Extract the contents of openssl-1.0.2c.tar.gz to C:\openssl-1.0.2c-fips-compliant\
b. Open Visual Studio 2008 Command Prompt.
c. cd C:\openssl-1.0.2c-fips-compliant\
d. Copy all the contents of "C:\Program Files\NASM" in this source folder
e. perl Configure VC-WIN32 fips --with-fipslibdir=C:\usr\local\ssl\fips-2.0.9
f. ms\do_nasm
g. nmake -f ms\nt.mak
h. For Testing, use the following command: nmake -f ms\nt.mak test
i. nmake -f ms\nt.mak install
j. (If you want to create DLL files then use the following commands: nmake -f ms\ntdll.mak && nmake -f ms\ntdll.mak install)
k. Compiled FIPS compliant OpenSSL exe is located at C:\usr\local\ssl\bin\openssl.exe
l. Run C:\usr\local\ssl\bin\openssl.exe and type "version". You will be confirmed to get the following output.
=======================================
****OpenSSL 1.0.2c-fips 11 Feb 2013****
=======================================
m. Compiled FIPS compliant OpenSSL fipslibeay32.lib, ssleay32.lib & libeaycompat32.lib are located at C:\openssl-1.0.2c-fips-compliant\out32
n. Compiled FIPS compliant OpenSSL fipslibeay32.dll & ssleay32.dll are located at C:\openssl-1.0.2c-fips-compliant\out32
But for step n, fipslibeay32.dll was not generated. Please let me
know if the DLL will be generated with some other naming convention, or if some
procedure was missing.
Your help is most appreciated. Please do not close the call.
Thanks & Regards
Ashwini V Patil
-----Original Message-----
From: Stephen Henson via RT [mailto:[email protected]]
Sent: Friday, August 14, 2015 7:23 PM
To: Patil, Ashwini IN BLR STS
Cc: [email protected]
Subject: [openssl.org #3978] RE: Openssl 1.0.2c include the FIPS 140-2 Object
Module
On Tue Aug 04 03:24:21 2015, [email protected] wrote:
> Hello All,
>
> Following steps are done to check the FIPS feasibility.
>
> To check ASLR dependency the following link was referred.
> http://openssl.6102.n7.nabble.com/FIPS-Module-1-2-build-with-Visual-Studio-2010-fails-self-tests-td36372.html
>
> Linker properties were changed in Visual Studio 2008 for the test
> application executable file.
> The following flag was disabled (which was enabled by default in
> 2008VS)
> Linker > Advanced Properties > Disable the "Randomized Base Address" property
>
> I have followed the below steps:
>
> Integration of FIPS Compliant compiled OPENSSL Library with Visual Studio 2008
> ====================================================================
>
> 1. Open Visual Studio 2008
>
> 2. File => New => Project => Visual C++ => Win 32 => Win32 Console Application => Next => Empty Project => Finish
>
> 3. Right Click on source file => Add => Existing Items => C:\openssl-fips-2.0\fips\hmac\fips_hmactest.c
>
> 4. Right Click on Resources File => Add => Existing Items => libeayfips32.lib, ssleay32.lib & libeaycompat32.lib (from C:\openssl-1.0.2c-fips-compliant\out32) and C:\openssl-1.0.2c-simple\out32\libeay32.lib (OpenSSL simple Version)
>
> 5. Right Click on fips_hmactest.c => Properties => C++ => General => Additional Include Directories : C:\usr\local\ssl\include => Finish
>
> 6. Compile the Project => Works Fine
>
> We get the below error when we run the exe:
> ERROR:2D06B06F:LIB-45,FUNC=107,REASON=111:FILE=fips.c line=232
>
> FIPSerr(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
>
Your problem is that your link procedure doesn't embed the incore fingerprint
in the target binary.
You have two options.
The easiest is to link against the FIPS capable OpenSSL shared library instead
of the static one: the signature is already in the DLL so it should just work.
The second and much harder option is to follow the appropriate link procedure
to embed a signature in the target binary. There is a perl script called
fipslink.pl in the FIPS module which does this and examples in the static
makefile ms\nt.mak. You would have to customise the VC build procedure to do
something similar and/or link using a script instead.
Closing this as it isn't a bug report, please address and follow up to
openssl-users.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
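
Added example, not part of the original e-mails and not OpenSSL code: a small C parser for the error line quoted in the thread, useful when triaging build logs for the incore fingerprint failure. It unpacks the hex code using the OpenSSL 1.0.x layout (8-bit library, 12-bit function, 12-bit reason) and cross-checks it against the decimal fields; the struct, function and enum names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* OpenSSL 1.0.x packs an error code as lib (8 bits), func (12), reason (12). */
#define ERR_LIB_OF(e)    ((int)(((e) >> 24) & 0xffUL))
#define ERR_FUNC_OF(e)   ((int)(((e) >> 12) & 0xfffUL))
#define ERR_REASON_OF(e) ((int)((e) & 0xfffUL))

/* Local names (assumed) for the numbers shown in the thread's error line. */
enum { LIB_FIPS = 45, F_CHECK_INCORE_FINGERPRINT = 107,
       R_FINGERPRINT_DOES_NOT_MATCH = 111 };

struct fips_err { unsigned long code; int lib, func, reason, line; char file[64]; };

/* Parse "ERROR:<hex>:LIB-<n>,FUNC=<n>,REASON=<n>:FILE=<name> line=<n>".
 * Returns 0 on success, -1 if the line is malformed, -2 if the decimal
 * fields disagree with the packed hex code (e.g. a hand-edited log). */
int parse_fips_error(const char *s, struct fips_err *out)
{
    memset(out, 0, sizeof(*out));
    if (sscanf(s, "ERROR:%lx:LIB-%d,FUNC=%d,REASON=%d:FILE=%63s line=%d",
               &out->code, &out->lib, &out->func, &out->reason,
               out->file, &out->line) != 6)
        return -1;
    if (ERR_LIB_OF(out->code) != out->lib ||
        ERR_FUNC_OF(out->code) != out->func ||
        ERR_REASON_OF(out->code) != out->reason)
        return -2;
    return 0;
}

/* 1 if the parsed error is the incore fingerprint mismatch, else 0. */
int is_fingerprint_mismatch(const struct fips_err *e)
{
    return e->lib == LIB_FIPS && e->func == F_CHECK_INCORE_FINGERPRINT &&
           e->reason == R_FINGERPRINT_DOES_NOT_MATCH;
}

int main(void)
{
    const char *line =
        "ERROR:2D06B06F:LIB-45,FUNC=107,REASON=111:FILE=fips.c line=232";
    struct fips_err e;
    if (parse_fips_error(line, &e) != 0)
        return 1;
    printf("lib=%d func=%d reason=%d -> %s\n", e.lib, e.func, e.reason,
           is_fingerprint_mismatch(&e) ? "fingerprint mismatch" : "other");
    return 0;
}
```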