RE: Build the FIPS Object Module issue on Ubuntu 18.04
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Jakob Bohm via openssl-users
> Sent: Thursday, May 16, 2019 02:21
>
> On 16/05/2019 02:11, Paul Dale wrote:
> > Just noting that any module built in this manner is *not* FIPS compliant.
> >
>
> Only deviations from the official process in creating the
> fipscanister invalidate the FIPS validation.
>
> The FIPS-capable OpenSSL is "outside the boundary" of the
> FIPS module and can be changed at will. This is why a new
> FIPS validation is not needed every time OpenSSL releases
> a bugfix to OpenSSL 1.0.x.

That's my understanding too, though I don't deal with a FIPS-validated distribution myself. As the OpenSSL FIPS User Guide puts it, "OpenSSL itself is not validated, and never will be". For FIPS, what matters is the OpenSSL FIPS Object Module (the "canister").

However, in this case that's probably moot. The existing validations cover only a handful of Android releases (none later than 5.0, aka Lollipop) on specific hardware. So the best the OP can achieve is a FIPS 140-2 self-validation claim (or pay for a complete validation by some outside lab). Some customers may accept that, but it's weak.

That's one of the problems with FIPS validation - platform restrictions mean it has a short shelf life, at least in any market which actually cares about following the letter of the regulations.

--
Michael Wojcik
Distinguished Engineer, Micro Focus
Re: Build the FIPS Object Module issue on Ubuntu 18.04
On 16/05/2019 02:11, Paul Dale wrote:
> Just noting that any module built in this manner is *not* FIPS compliant.
> The distribution must be unmodified and build exactly as per the
> documentation. Any change to the files or the build process renders the
> result invalid from a FIPS perspective.

Only deviations from the official process in creating the fipscanister invalidate the FIPS validation.

The FIPS-capable OpenSSL is "outside the boundary" of the FIPS module and can be changed at will. This is why a new FIPS validation is not needed every time OpenSSL releases a bugfix to OpenSSL 1.0.x. 1.1.x will not have FIPS support, and 4.y.x may lack this agility.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
RE: Build the FIPS Object Module issue on Ubuntu 18.04
Just noting that any module built in this manner is *not* FIPS compliant.

The distribution must be unmodified and build exactly as per the documentation. Any change to the files or the build process renders the result invalid from a FIPS perspective.

Pauli
--
Oracle
Dr Paul Dale | Cryptographer | Network Security & Encryption
Phone +61 7 3031 7217
Oracle Australia

-Original Message-
From: sreekanth1m [mailto:sreekant...@gmail.com]
Sent: Thursday, 16 May 2019 7:56 AM
To: openssl-users@openssl.org
Subject: Re: Build the FIPS Object Module issue on Ubuntu 18.04

I was able to generate FIPS Object Module - fipscanister.o fipscanister.o.sha1 fips_premain.c fips_premain.c.sha1 successfully but now stuck in generating Build the FIPS capable library.

Followed below steps:

$ . ./setenv-android.sh
$ cd openssl-1.0.1e/

Next, fix the makefile and run configure.

$ perl -pi -e 's/install: all install_docs install_sw/install: install_docs install_sw/g' Makefile.org
$ ./config fips shared no-ssl2 no-ssl3 no-comp no-hw no-engine --openssldir=/usr/local/ssl/android-14/ \
    --with-fipsdir=/usr/local/ssl/android-14/ --with-fipslibdir=/usr/local/ssl/android-14/lib/

Then run make depend and make all:

$ make depend
$ make all

make all is resulting in failure with below error message:

/usr/local/ssl/android-22/bin/fipsld: ./fips_premain_dso: not found
Makefile.shared: 169: recipe for target 'link_a.gnu' failed.

Please let me know what I am missing.

Thanks

--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
Re: Build the FIPS Object Module issue on Ubuntu 18.04
I was able to generate FIPS Object Module - fipscanister.o fipscanister.o.sha1 fips_premain.c fips_premain.c.sha1 successfully but now stuck in generating Build the FIPS capable library.

Followed below steps:

$ . ./setenv-android.sh
$ cd openssl-1.0.1e/

Next, fix the makefile and run configure.

$ perl -pi -e 's/install: all install_docs install_sw/install: install_docs install_sw/g' Makefile.org
$ ./config fips shared no-ssl2 no-ssl3 no-comp no-hw no-engine --openssldir=/usr/local/ssl/android-14/ \
    --with-fipsdir=/usr/local/ssl/android-14/ --with-fipslibdir=/usr/local/ssl/android-14/lib/

Then run make depend and make all:

$ make depend
$ make all

make all is resulting in failure with below error message:

/usr/local/ssl/android-22/bin/fipsld: ./fips_premain_dso: not found
Makefile.shared: 169: recipe for target 'link_a.gnu' failed.

Please let me know what I am missing.

Thanks

--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
Build the FIPS Object Module issue on Ubuntu 18.04
Hi,

I am trying to build the FIPS object module using the fips library openssl-fips-2.0.16 on Ubuntu 18.04 for x86 arch. I am following the steps in https://wiki.openssl.org/index.php/FIPS_Library_and_Android

Below steps are followed to Build the FIPS Object Module:

$ . ./setenv-android.sh
$ cd openssl-fips-2.0.5/
$ ./config
$ make

First 3 steps are successful, able to set the environment paths, run the config but make fails with error "cryptlib.h:62:20: fatal error: stdlib.h: No such file or directory" - "#include <stdlib.h>". I do have the libraries under /usr/include but the make is not looking at the right path.

Below is the error message received:

In file included from cryptlib.c:117:0:
cryptlib.h:62:20: fatal error: stdlib.h: No such file or directory
 #include <stdlib.h>
                    ^
compilation terminated.
<builtin>: recipe for target 'cryptlib.o' failed
make[1]: *** [cryptlib.o] Error 1

Also, attaching the complete error log.

Could you please suggest what is the issue and where to change the path reference (in config).

Thanks,
Sreekanth

Build FIPS Object Module_x86_Ubuntu_18.04
Description: Binary data