Build issue- openssl 1.0.1c with FIPS

2013-03-13 Thread Cipher
Hi,
I am trying to build FIPS capable openssl 1.0.1c. (Cross compiling, but both
OSes are linux x86_64.)
Following are the steps I followed:

1) Downloaded openssl-fips-2.0.2.tar.gz,
untarred and built the object module in /common/openssl/openssl-fips-2.0.2/
using:
./config
make

fipscanister.o and sha1 files are formed in the
/common/openssl/openssl-fips-2.0.2/fips/ folder.

2) Downloaded openssl-1.0.1c.tar.gz,
untarred and built in /common/openssl/openssl-1.0.1c/ using commands:
./config fips --with-fipsdir=/common/openssl/openssl-fips-2.0.2/
make depend
make

Initially make failed since the Makefile of 1.0.1c expected *fipscanister.o*
to be in /common/openssl/openssl-fips-2.0.2/lib and *fipsld* in
/common/openssl/openssl-fips-2.0.2/bin. But those folders were not there. So
I created those two folders and copied the files there.

Now the make is failing with the following log.

make[2]: Leaving directory `/common/openssl/openssl-1.0.1c/crypto/cmac'
if [ -n "libcrypto.so.1.0.0 libssl.so.1.0.0" ]; then \
(cd ..; make libcrypto.so.1.0.0); \
fi
make[2]: Entering directory `/common/openssl/openssl-1.0.1c'
[ -z "libcrypto" ] || gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3
-Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
-DOPENSSL_BN_ASM_GF2m
-I/software/src/common/openssl/openssl-fips-2.0.2//include -DSHA1_ASM
-DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM
-DWHIRLPOOL_ASM -DGHASH_ASM -Iinclude \
-DFINGERPRINT_PREMAIN_DSO_LOAD -o fips_premain_dso  \
/common/openssl/openssl-fips-2.0.2//lib/fips_premain.c
/common/openssl/openssl-fips-2.0.2//lib/fipscanister.o \
libcrypto.a -ldl
make[3]: Entering directory `/common/openssl/openssl-1.0.1c'
make[4]: Entering directory `/common/openssl/openssl-1.0.1c'
libcrypto.a(x86_64cpuid.o)(.text+0x1a0): In function `OPENSSL_cleanse':
: multiple definition of `OPENSSL_cleanse'
libcrypto.a(mem_clr.o)(.text+0x0): first defined here
/usr/bin/ld: Warning: size of symbol `OPENSSL_cleanse' changed from 90 in
libcrypto.a(mem_clr.o) to 81 in libcrypto.a(x86_64cpuid.o)
libcrypto.a(wp-x86_64.o)(.text+0x0): In function `whirlpool_block':
: multiple definition of `whirlpool_block'
libcrypto.a(wp_block.o)(.text+0x0): first defined here
/usr/bin/ld: Warning: size of symbol `whirlpool_block' changed from 3606 in
libcrypto.a(wp_block.o) to 2148 in libcrypto.a(wp-x86_64.o)
libcrypto.a(aes-x86_64.o)(.text+0x460): In function `asm_AES_encrypt':
: multiple definition of `AES_encrypt'
libcrypto.a(aes_core.o)(.text+0x650): first defined here
/usr/bin/ld: Warning: size of symbol `AES_encrypt' changed from 1262 in
libcrypto.a(aes_core.o) to 179 in libcrypto.a(aes-x86_64.o)
...
libcrypto.a(x86_64-mont.o)(.text+0x0): In function `bn_mul_mont':
: multiple definition of `bn_mul_mont'
libcrypto.a(bn_asm.o)(.text+0x4af0): first defined here
/usr/bin/ld: Warning: size of symbol `bn_mul_mont' changed from 3 in
libcrypto.a(bn_asm.o) to 591 in libcrypto.a(x86_64-mont.o)
collect2: ld returned 1 exit status
make[4]: *** [link_a.gnu] Error 1
make[4]: Leaving directory `/common/openssl/openssl-1.0.1c'
make[3]: *** [do_linux-shared] Error 2
make[3]: Leaving directory `/common/openssl/openssl-1.0.1c'
make[2]: *** [libcrypto.so.1.0.0] Error 2
make[2]: Leaving directory `/common/openssl/openssl-1.0.1c'
make[1]: *** [shared] Error 2
make[1]: Leaving directory `/common/openssl/openssl-1.0.1c/crypto'
make: *** [build_crypto] Error 1
bash-3.00$

Can you please help me with these errors?

Thanks,
Cipher



--
View this message in context: 
http://openssl.6102.n7.nabble.com/Build-issue-openssl-1-0-1c-with-FIPS-tp44235.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.

Re: Build issue- openssl 1.0.1c with FIPS

2013-03-13 Thread Cipher
(Re-Aligning)
Hi,
I am trying to build FIPS capable openssl 1.0.1c. (Cross compiling, but both
OSes are linux x86_64.)
Following are the steps I followed:

1) Downloaded openssl-fips-2.0.2.tar.gz,
untarred and built the object module in /common/openssl/openssl-fips-2.0.2/
using:
./config
make

fipscanister.o and sha1 files are formed in the
/common/openssl/openssl-fips-2.0.2/fips/ folder.

2) Downloaded openssl-1.0.1c.tar.gz,
untarred and built in /common/openssl/openssl-1.0.1c/ using commands:
./config fips --with-fipsdir=/common/openssl/openssl-fips-2.0.2/
make depend
make

Initially make failed since the Makefile of 1.0.1c expected *fipscanister.o*
to be in /common/openssl/openssl-fips-2.0.2/lib and *fipsld* in
/common/openssl/openssl-fips-2.0.2/bin. But those folders were not there. So
I created those two folders and copied the files there.

Now the make is failing with the following log.

make[2]: Leaving directory `/common/openssl/openssl-1.0.1c/crypto/cmac'
if [ -n "libcrypto.so.1.0.0 libssl.so.1.0.0" ]; then \
(cd ..; make libcrypto.so.1.0.0); \
fi
make[2]: Entering directory `/common/openssl/openssl-1.0.1c'
[ -z "libcrypto" ] || gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3
-Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
-DOPENSSL_BN_ASM_GF2m
-I/software/src/common/openssl/openssl-fips-2.0.2//include -DSHA1_ASM
-DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM
-DWHIRLPOOL_ASM -DGHASH_ASM -Iinclude \
-DFINGERPRINT_PREMAIN_DSO_LOAD -o fips_premain_dso  \
/common/openssl/openssl-fips-2.0.2//lib/fips_premain.c 
/common/openssl/openssl-fips-2.0.2//lib/fipscanister.o \
libcrypto.a -ldl
make[3]: Entering directory `/common/openssl/openssl-1.0.1c'
make[4]: Entering directory `/common/openssl/openssl-1.0.1c'
libcrypto.a(x86_64cpuid.o)(.text+0x1a0): In function `OPENSSL_cleanse':
: multiple definition of `OPENSSL_cleanse'
libcrypto.a(mem_clr.o)(.text+0x0): first defined here
/usr/bin/ld: Warning: size of symbol `OPENSSL_cleanse' changed from 90 in
libcrypto.a(mem_clr.o) to 81 in libcrypto.a(x86_64cpuid.o)
libcrypto.a(wp-x86_64.o)(.text+0x0): In function `whirlpool_block':
: multiple definition of `whirlpool_block'
libcrypto.a(wp_block.o)(.text+0x0): first defined here
/usr/bin/ld: Warning: size of symbol `whirlpool_block' changed from 3606 in
libcrypto.a(wp_block.o) to 2148 in libcrypto.a(wp-x86_64.o)
libcrypto.a(aes-x86_64.o)(.text+0x460): In function `asm_AES_encrypt':
: multiple definition of `AES_encrypt'
libcrypto.a(aes_core.o)(.text+0x650): first defined here
/usr/bin/ld: Warning: size of symbol `AES_encrypt' changed from 1262 in
libcrypto.a(aes_core.o) to 179 in libcrypto.a(aes-x86_64.o)
.
.
.
libcrypto.a(x86_64-mont.o)(.text+0x0): In function `bn_mul_mont':
: multiple definition of `bn_mul_mont'
libcrypto.a(bn_asm.o)(.text+0x4af0): first defined here
/usr/bin/ld: Warning: size of symbol `bn_mul_mont' changed from 3 in
libcrypto.a(bn_asm.o) to 591 in libcrypto.a(x86_64-mont.o)
collect2: ld returned 1 exit status
make[4]: *** [link_a.gnu] Error 1
make[4]: Leaving directory `/common/openssl/openssl-1.0.1c'
make[3]: *** [do_linux-shared] Error 2
make[3]: Leaving directory `/common/openssl/openssl-1.0.1c'
make[2]: *** [libcrypto.so.1.0.0] Error 2
make[2]: Leaving directory `/common/openssl/openssl-1.0.1c'
make[1]: *** [shared] Error 2
make[1]: Leaving directory `/common/openssl/openssl-1.0.1c/crypto'
make: *** [build_crypto] Error 1
bash-3.00$


Can you please help me with these errors?
- Cipher



--
View this message in context: 
http://openssl.6102.n7.nabble.com/Build-issue-openssl-1-0-1c-with-FIPS-tp44235p44236.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: Build issue- openssl 1.0.1c with FIPS

2013-03-13 Thread Cipher
Dr. Stephen Henson wrote
> On Wed, Mar 13, 2013, Cipher wrote:
> 
>> (Re-Aligning)
>> Hi,
>> I am trying to build FIPS capable openssl 1.0.1c.(Cross Compiling, but both
>> OS s are linux x86_64)
>> Following are the steps i followed-
>> 
>> 1) Downloaded openssl-fips-2.0.2.tar.gz 
>> untared and build object module in
>> /common/openssl/openssl-fips-2.0.2/ 
>> using -
>> ./config
>>  make
>>
>>  fipscanister.o and sha1 files are formed in
>> /common/openssl/openssl-fips-2.0.2/fips/  folder.
>> 
> 
> You need to do:
> 
> make install
> 
> to install the module and associated files in an appropriate place. You can
> set the FIPSDIR environment variable to specify an alternative location.
> 
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

Hi Steve,
I am building it on a build server where I don't have root permissions. I
need to create a *.deb* file and install it on another machine.
Also, I believe building openssl (make) will form the *libcrypto.a* library. How
to form a *.deb* from it?

Thanks,
Cipher



--
View this message in context: 
http://openssl.6102.n7.nabble.com/Build-issue-openssl-1-0-1c-with-FIPS-tp44235p44240.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.
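
Added example (not part of the original messages and not OpenSSL project code): a Python check of a FIPSDIR tree of the kind `make install` populates, useful when the files were copied into lib/ and bin/ by hand as described in the first message. The file list, the `HMAC-SHA1(name)= hex` layout of the .sha1 files and the fixed HMAC key are assumptions about the 2.0 module to confirm against your own source tree.

```python
import hashlib
import hmac
import os
import re
import sys

# Assumption: fixed HMAC key used by the module's fips_standalone_sha1 helper.
FIPS_HMAC_KEY = b"etaonrishdlcupfm"

# Assumption: files that `make install` places under FIPSDIR.
EXPECTED = (
    "bin/fipsld",
    "bin/fips_standalone_sha1",
    "lib/fipscanister.o",
    "lib/fipscanister.o.sha1",
    "lib/fips_premain.c",
    "lib/fips_premain.c.sha1",
)
# Sidecar line assumed to look like: HMAC-SHA1(fipscanister.o)= <40 hex digits>
DIGEST_RE = re.compile(r"=\s*([0-9a-fA-F]{40})\s*$")


def hmac_sha1_file(path):
    """HMAC-SHA1 of a file's bytes under the fixed key, as lowercase hex."""
    mac = hmac.new(FIPS_HMAC_KEY, digestmod=hashlib.sha1)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def recorded_digest(sidecar):
    """Hex digest stored in a .sha1 sidecar file, or None if none is found."""
    with open(sidecar, "r", encoding="ascii", errors="replace") as fh:
        for line in fh:
            match = DIGEST_RE.search(line)
            if match:
                return match.group(1).lower()
    return None


def check_fipsdir(fipsdir):
    """Return a list of problems; an empty list means the tree is consistent."""
    problems = ["missing: " + rel for rel in EXPECTED
                if not os.path.isfile(os.path.join(fipsdir, rel))]
    for rel in ("lib/fipscanister.o", "lib/fips_premain.c"):
        target = os.path.join(fipsdir, rel)
        if not (os.path.isfile(target) and os.path.isfile(target + ".sha1")):
            continue  # already reported as missing above
        want = recorded_digest(target + ".sha1")
        if want is None:
            problems.append("unparseable digest: " + rel + ".sha1")
        elif not hmac.compare_digest(want, hmac_sha1_file(target)):
            problems.append("digest mismatch: " + rel)
    return problems


if __name__ == "__main__" and len(sys.argv) == 2:
    for problem in check_fipsdir(sys.argv[1]):
        print(problem)
```

Run it with the FIPSDIR path as the only argument; no output means every expected file is present and both recorded digests match.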


FIPS module Algorithm tests failure.

2013-03-19 Thread Cipher
I am cross compiling the FIPS object module as per FIPS user guide 2.0. After
creating fipscanister.o, I tried *make build_tests* to generate the
*fips_test_suite* file, which I could run successfully (both on the build system
and the target system).

But when I try running *perl fipsalgtest.pl --dir=fips-2.0-testvectors/* on
the target system, I get this:

Running DSA tests
Running DSA2 tests
Running ECDSA tests
Running ECDSA2 tests
Running RSA tests
Running SHA tests
No FIPS_SHA support
ERROR: can't open output file
fips-2.0-testvectors//OSF_2464_OE4/SHA/resp/SHA1LongMsg.tst
No FIPS_SHA support
ERROR: can't open output file
fips-2.0-testvectors//OSF_2464_OE4/SHA/resp/SHA1Monte.tst
No FIPS_SHA support
ERROR: can't open output file
fips-2.0-testvectors//OSF_2464_OE4/SHA/resp/SHA1ShortMsg.tst
No FIPS_SHA support
ERROR: can't open output file
fips-2.0-testvectors//OSF_2464_OE4/SHA/resp/SHA224LongMsg.tst
No FIPS_SHA support
ERROR: can't open output file
fips-2.0-testvectors//OSF_2464_OE4/SHA/resp/SHA224Monte.tst
No FIPS_SHA support
ERROR: can't open output file
fips-2.0-testvectors//OSF_2464_OE4/SHA/resp/SHA224ShortMsg.tst
No FIPS_SHA support
ERROR: can't open output file
fips-2.0-testvectors//OSF_2464_OE4/SHA/resp/SHA256LongMsg.tst
No FIPS_SHA support
ERROR: can't open output file
fips-2.0-testvectors//OSF_2464_OE4/SHA/resp/SHA256Monte.tst
No FIPS_SHA support
ERROR: can't open output file
fips-2.0-testvectors//OSF_2464_OE4/SHA/resp/SHA256ShortMsg.tst
No FIPS_SHA support
ERROR: can't open output file
fips-2.0-testvectors//OSF_2464_OE4/SHA/resp/SHA384LongMsg.tst
.
.
ALGORITHM TEST VERIFY SUMMARY REPORT:
Tests skipped due to missing files:0
Algorithm test program execution failures: 0
Test comparisons successful:   229
Test comparisons failed:   15
Test sanity checks successful: 15
Test sanity checks failed: 0
Sanity check program execution failures:   0
***TEST FAILURE***

I don't see this error when I run the same script on my build system (I am cross
compiling). I don't understand why SHA tests are failing on the target
system?
(FYI, I copied the ./test directory, fipsalgtest.pl, fips_test_suite and
fips-2.0-tv.tar.gz to the target machine.)

Also, when I try running *./fips_hmactest -v fips_hmactest.c*, I get a
*FATAL input initialization error* message (even on my build system), which is
my second concern.

Thanks,
Cipher



--
View this message in context: 
http://openssl.6102.n7.nabble.com/FIPS-module-Algorithm-tests-failure-tp44420.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.


Re: FIPS module Algorithm tests failure.

2013-03-19 Thread Cipher
FYI,
My Build system and target system have similar OS.
Build System:  x86_64 x86_64 x86_64 GNU/Linux
Target System:  x86_64 GNU/Linux





--
View this message in context: 
http://openssl.6102.n7.nabble.com/FIPS-module-Algorithm-tests-failure-tp44420p9.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.


Apache 2.2.24 doesnt come up with FIPS capable openssl 1.0.1c

2013-04-01 Thread Cipher
Hi All,

I installed openssl 1.0.1c with FIPS and it works fine.

export OPENSSL_FIPS=1

[root@PC ~]# openssl SHA1 incore
SHA1(incore)= b5acba7f6333aafdfe9804d2aebe373c39024bc3
[root@PC ~]# openssl md5 incore
Error setting digest md5
139723413960360:error:060A80A3:digital envelope
routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:

Also, ciphers option shows fewer ciphers.

I compiled HTTPD 2.2.24 against this openssl. But HTTPD is not coming up
with SSLFIPS on, throwing the following errors.

[Mon Apr 01 19:07:46 2013] [emerg] FIPS mode failed
[Mon Apr 01 19:07:46 2013] [emerg] SSL Library Error: 755413103
error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does
not match

Here is the detail of the build procedure I followed for httpd.

1) Set Env Variables
export INCLUDES="-I/software/common/mod_ssl/mod_ssl-2.8.30-1.3.39/pkg.sslmod"
LIBS=-ldl
export CPPFLAGS="-I/software/common/openssl/openssl-1.0.1c/include/openssl"
export LD_LIBRARY_PATH="/software/common/openssl/openssl-1.0.1c/"

2) ./configure --with-ssl=/software/common/openssl/openssl-1.0.1c
--enable-so --enable-ssl --enable-shared=ssl

3) make

Which resulted in  libmod_ssl.a lib and httpd binary.

Symbols in lib and binary are,

[root@PC .libs]# nm -n -f 'sysv' libmod_ssl.a |  grep FIPS
ssl_cmd_SSLFIPS ||   U  |NOTYPE|   | |*UND*
ssl_cmd_SSLFIPS |1130|  T  | FUNC|006d| |.text
FIPS_mode ||   U  |NOTYPE|   | |*UND*
FIPS_mode_set   ||   U  |NOTYPE|   | |*UND*

[root@PC httpd-2.2.24]# nm -n -f 'sysv' httpd |  grep FIPS|grep .rodata
FIPS_rodata_start   |0062ecc0|   R  |   OBJECT|0010| |.rodata
FIPS_hmac_key   |0062ecd0|   r  |   OBJECT|0011| |.rodata
FIPS_bn_version |0062eda0|   R  |   OBJECT|0036| |.rodata
FIPS_rodata_end |0063a040|   R  |   OBJECT|0010| |.rodata

Can someone help me with this?

Thanks,
Cipher 



--
View this message in context: 
http://openssl.6102.n7.nabble.com/Apache-2-2-24-doesnt-come-up-with-FIPS-capable-openssl-1-0-1c-tp44630.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.


Re: Apache 2.2.24 doesnt come up with FIPS capable openssl 1.0.1c

2013-04-02 Thread Cipher
k...@bitzermobile.com wrote
> You have to statically link the openssl dynamic libraries

How to statically link the dynamic libraries? What configuration and
make commands should I follow? I am a newbie on this. Any help is highly
appreciated.



--
View this message in context: 
http://openssl.6102.n7.nabble.com/Apache-2-2-24-doesnt-come-up-with-FIPS-capable-openssl-1-0-1c-tp44630p44637.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.


Libcrypto in FIPS mode?

2013-04-08 Thread Cipher
All,

I do know that setting the Env variable OPENSSL_FIPS=1 will turn on FIPS mode
for the openssl/sshd binary.
Now, is there a way to turn on FIPS mode for all the applications (SSH,
Apache Server etc.) which use libcrypto using a single switch? Or in other
words, how to make libcrypto work in FIPS mode?



--
View this message in context: 
http://openssl.6102.n7.nabble.com/Libcrypto-in-FIPS-mode-tp44701.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.


Apache 2.2.16 with fips prints a Hex value on start up

2013-04-10 Thread Cipher
Hi,
I recently built Apache 2.2.16 with fips support using the following confs.

$CC=fipsld , $FIPSLD_CC=gcc

./configure  --with-ssl=/software/openssl/openssl-1.0.1c --enable-so
--enable-ssl LIBS=-ldl

make

But when I run the created executable, it prints a hex value.
bash-3.00$ cd httpd-2.2.16/.libs/
bash-3.00$ ./httpd
504f11f782e3492cb7c8be83aec4a0cc55572f04
bash-3.00$

bash-3.00$ ldd httpd
linux-vdso.so.1 =>  (0x7fff8edff000)
libm.so.6 => /lib/libm.so.6 (0x7f23d7ad5000)
libaprutil-1.so.0 => /usr/lib64/libaprutil-1.so.0 (0x7f23d78b)
libexpat.so.0 => /usr/lib64/libexpat.so.0 (0x7f23d779)
libapr-1.so.0 => /usr/lib64/libapr-1.so.0 (0x7f23d7557000)
libuuid.so.1 => /lib/libuuid.so.1 (0x7f23d7352000)
librt.so.1 => /lib/librt.so.1 (0x7f23d714a000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x7f23d6f13000)
libpthread.so.0 => /lib/libpthread.so.0 (0x7f23d6cf6000)
libdl.so.2 => /lib/libdl.so.2 (0x7f23d6af2000)
libc.so.6 => /lib/libc.so.6 (0x7f23d679)
libexpat.so.1 => /usr/lib64/libexpat.so.1 (0x7f23d6567000)
/lib64/ld-linux-x86-64.so.2 (0x7f23d7d63000)




Can someone tell me what is happening here?
Without fips with gcc, I could successfully compile and httpd works fine.

Thanks,
Cipher




--
View this message in context: 
http://openssl.6102.n7.nabble.com/Apache-2-2-16-with-fips-prints-a-Hex-value-on-start-up-tp44733.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.


turning on FIPS mode for different applications- Does POST takes place every time FIPS_mode_set() is called?

2013-04-15 Thread Cipher
Hi,
According to the FIPS security requirement, until POST and other tests are
successful in FIPS mode, no crypto interfaces should be up.
Now, I have a doubt here.
I have two daemons, sshd and apache.
I turn on FIPS in *sshd*, which runs POST and other algorithm tests and then
listens on port 22 in FIPS mode. Now if I turn on FIPS mode in *apache*,
will the POST and other tests be run again? If so, I am in trouble
since my ssh interface is already up, which is a crypto interface.

How to sync up the power-on tests and other tests for different
applications?

Any suggestions would be a great help.



--
View this message in context: 
http://openssl.6102.n7.nabble.com/turning-on-FIPS-mode-for-different-applications-Does-POST-takes-place-every-time-FIPS-mode-set-is-ca-tp44786.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.