Re: Quick question on fips 1.2.3 running on windows

Steve,

Thanks. On the issue of building against a newer OpenSSL: I am calling the ms\do_fips bat file to build the FIPS OpenSSL. Can you point me to a doc that shows how to build against a different source base?

Thanks so much for your help.

Ricky

From: Dr. Stephen Henson st...@openssl.org
To: openssl-dev@openssl.org
Sent: Tuesday, September 6, 2011 10:48 PM
Subject: Re: Quick question on fips 1.2.3 running on windows

> On Tue, Sep 06, 2011, ricardo brillon wrote:
>
> > I am new to OpenSSL and have created an OpenSSL FIPS application on Windows. I downloaded openssl-fips-1.2.3.tar.gz and 140sp1051.pdf, which is for FIPS 1.2.3. I ran the do_fips bat, which built with no problem on VS2008. I ran fips_test_suite.exe, which ran without error (see below). I then created a test application that connects to an existing SSL-enabled server, which is connecting with no problem. I am also calling the FIPS_mode_set(1) function and it is returning 1. So all looks to be working.
> >
> > But in the document there is the section on Linking the Runtime Executable Application (shown below) which I am not sure about. Do I need to do anything special to my application? Any help will be great.
> >
> > Thanks
> > Ricky
> >
> > Linking the Runtime Executable Application
> >
> > Note that applications interfacing with the FIPS Object Module are outside of the cryptographic boundary. When linking the application with the FIPS Object Module two steps are necessary:
> >
> > 1. The HMAC-SHA-1 digest of the FIPS Object Module file must be calculated and verified against the installed digest to ensure the integrity of the FIPS Object Module.
> >
> > 2. A HMAC-SHA-1 digest of the FIPS Object Module must be generated and embedded in the FIPS Object Module for use by the FIPS_mode_set() function at runtime initialization.
>
> Two things. Don't use the version of OpenSSL that comes with the 1.2.3 module: it is hopelessly out of date. Create a FIPS capable OpenSSL instead against OpenSSL 0.9.8r.
>
> As regards the other issue: if you are linking against the FIPS capable DLLs you can ignore the comments about special linking, because that has already been done for you in the build process. You only need to use the special linking process for static builds.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
Re: Quick question on fips 1.2.3 running on windows

On Wed, Sep 07, 2011, ricardo brillon wrote:

> Steve,
>
> Thanks. On the issue of building against a newer OpenSSL: I am calling the ms\do_fips bat file to build the FIPS OpenSSL. Can you point me to a doc that shows how to build against a different source base?
>
> Thanks so much for your help.

You use the validated tarball at http://www.openssl.org/source/openssl-fips-1.2.3.tar.gz to build the validated module. You install the module in an appropriate place, then download OpenSSL 0.9.8r and link it to the validated module. For example, using the command line:

    perl Configure VC-WIN32 fips --with-fipslibdir=c:\fips\path

See the user guide for more details.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
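A scripted version of the two-stage procedure Steve describes (build the validated module from its own tarball, then configure OpenSSL 0.9.8r against the installed module), with the verification checks a practitioner would want between the stages. This is an added example, not code from the thread or from the OpenSSL project; the SRC and FIPSDIR paths, do_fips honouring FIPSDIR, the use of ms\do_ms, and the "-fips" suffix in the version string are assumptions.

```batch
@echo off
rem Added example (not from the thread). Run from a Visual Studio 2008
rem command prompt with perl and nmake on PATH. SRC and FIPSDIR are
rem placeholder paths; adjust them to your layout.
setlocal
set SRC=c:\build
set FIPSDIR=c:\fips\path

rem Stage 1: build the validated FIPS Object Module from the unmodified
rem openssl-fips-1.2.3 tarball. do_fips builds, self-tests and installs the
rem module; it is assumed here to honour FIPSDIR as the install location.
cd /d %SRC%\openssl-fips-1.2.3 || goto :fail
call ms\do_fips
if errorlevel 1 goto :fail

rem Check: the module's own test suite must report zero errors, matching
rem the last line of the output quoted in the thread.
out32dll\fips_test_suite.exe | findstr /c:"All tests completed with 0 errors" >nul
if errorlevel 1 goto :fail

rem Stage 2: build a FIPS capable OpenSSL 0.9.8r against the installed
rem module instead of the stale sources bundled with the module tarball.
rem ms\do_ms is the no-assembler variant; ms\do_nasm is the alternative
rem when nasm is installed.
cd /d %SRC%\openssl-0.9.8r || goto :fail
perl Configure VC-WIN32 fips --with-fipslibdir=%FIPSDIR%
if errorlevel 1 goto :fail
call ms\do_ms
if errorlevel 1 goto :fail
nmake -f ms\ntdll.mak
if errorlevel 1 goto :fail

rem Check: the DLLs just built are the FIPS capable ones (assumption: a
rem fips-configured build reports a version string carrying "-fips").
rem An application that links these DLLs needs no special link step,
rem as Steve notes; the static-build link procedure is not covered here.
out32dll\openssl.exe version | findstr /i fips >nul
if errorlevel 1 goto :fail
echo FIPS capable OpenSSL 0.9.8r built in %CD%\out32dll
exit /b 0

:fail
echo Build or verification step failed; do not deploy these binaries.
exit /b 1
```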
Quick question on fips 1.2.3 running on windows

I am new to OpenSSL and have created an OpenSSL FIPS application on Windows. I downloaded openssl-fips-1.2.3.tar.gz and 140sp1051.pdf, which is for FIPS 1.2.3. I ran the do_fips bat, which built with no problem on VS2008. I ran fips_test_suite.exe, which ran without error (see below). I then created a test application that connects to an existing SSL-enabled server, which is connecting with no problem. I am also calling the FIPS_mode_set(1) function and it is returning 1. So all looks to be working.

But in the document there is the section on Linking the Runtime Executable Application (shown below) which I am not sure about. Do I need to do anything special to my application? Any help will be great.

Thanks
Ricky

Linking the Runtime Executable Application

Note that applications interfacing with the FIPS Object Module are outside of the cryptographic boundary. When linking the application with the FIPS Object Module two steps are necessary:

1. The HMAC-SHA-1 digest of the FIPS Object Module file must be calculated and verified against the installed digest to ensure the integrity of the FIPS Object Module.

2. A HMAC-SHA-1 digest of the FIPS Object Module must be generated and embedded in the FIPS Object Module for use by the FIPS_mode_set() function at runtime initialization.

fips_test_suite.exe results:

    C:\OpenSSL FIPS 140-2(V1.2.3)\openssl-fips-1.2.3(Latest)\openssl-fips-1.2.3.tar\openssl-fips-1.2.3\out32dll\fips_test_suite.exe
    FIPS-mode test application
    1. Non-Approved cryptographic operation test...
        a. Included algorithm (D-H)...successful
    2. Automatic power-up self test...successful
    3. AES encryption/decryption...successful
    4. RSA key generation and encryption/decryption...successful
    5. DES-ECB encryption/decryption...successful
    6. DSA key generation and signature validation...successful
    7a. SHA-1 hash...successful
    7b. SHA-256 hash...successful
    7c. SHA-512 hash...successful
    7d. HMAC-SHA-1 hash...successful
    7e. HMAC-SHA-224 hash...successful
    7f. HMAC-SHA-256 hash...successful
    7g. HMAC-SHA-384 hash...successful
    7h. HMAC-SHA-512 hash...successful
    8. Non-Approved cryptographic operation test...
        a. Included algorithm (D-H)...successful as expected
    9. Zero-ization...
        Generated 128 byte RSA private key
        BN key before overwriting:
        14c1cd71a6ee8f838356ed8e99fafac6e30e2013323bb30ed5d811e1f6f6e3f59f79227e6eecf3b88f3f56f898d7eee76a5e19d90df414ec5f74c57d2db44b483dba3e6c3
        b4ea5de97dcc55d02692d9c619e2738f30564a7199e835f801fc439906c099b326b7075df675af38efcbdf2928d941f82c84cd2d4fbb3d620ce1
        BN key after overwriting:
        4489c354b39f237f23c199b4633c7b8aff06f59852714ab9f5420c09d9c3b307de21039865df6fee4cee23c8babe4ea4bb3a3f224ff26be5fc15d09eaddae1cc0bebc9ba6
        91de77141ab52ef154410d369bb50420e9ae734124483950ab96e28bd1069cd08d682b4274fad9af293ea92c1e9e5185883113e4d4c216a181af
        char buffer key before overwriting:
        4850f0a33aedd3af6e477f8302b10968
        char buffer key after overwriting:
        200db54d63bfab8141f28dcabbf412ec
        successful as expected
    All tests completed with 0 errors