HP-UX Itanium FIPS and OpenSSL build

From OpenSSLWiki
Jump to: navigation, search

The OpenSSL FIPS 140-2 Security Policy details the way to build the fipscanister.o object module in a FIPS capable way.

Below are the steps with sample instruction to build fipscanister.o and a FIPS Capable version of OpenSSL on HP-UX on Itanium 2 based platform.



Use HP-UX Itanium 2 based system[edit]

Ensure that you are building on a HP-UX Itanium 2 based system (HP-UX 11i v2 and HP-UX 11i v3 supports this hardware)

$ uname -a

HP-UX systemname B.11.31 U ia64 0647852721 unlimited-user license

$ machinfo

CPU info:
 2 Intel(R) Itanium 2 processors (1.5 GHz, 6 MB)
         400 MT/s bus, CPU version B1
-
-

Use correct compiler[edit]

Ensure that you have the ac++ compiler and acc linker. The “Appendix C” of OpenSSL FIPS 140-2 Security Policy mentions that “HP C/aC++ B3910B” was used to generate the FIPS module fipscanister.o. The use of the specific version is not mandatory.

$ swlist | grep -e ACC -e aC++ -e PHSS_43743

 B9007AA                               C.11.31.08     HP C/aC++ Developer's Bundle
 HP-ACC-Link                           C.11.31.03     HP aCC_link Bundle
 PHSS_43743                            1.0            linker + fdp cumulative patch       >>> This patch might get superseded in future

$ cc -V

cc: HP C/aC++ B3910B A.06.28 [Nov 21 2013]

$ which ld

/usr/bin/ld

$ ll /usr/bin/ld

lr-xr-xr-x   1 bin        bin             15 Dec  3  2010 /usr/bin/ld -> /usr/ccs/bin/ld

$ what /usr/ccs/bin/ld

/usr/ccs/bin/ld:
       ld_msgs.cat: $Revision: 1.85 $
       92453-07 linker ld HP Itanium(R) B.12.61  IPF/IPF
       REL Tue Feb 25 05:59:30 2014 PST
       HP aC++ for Integrity Servers B3910B A.06.28 [Nov 21 2013] C++ Standard Library (RogueWave Version 2.02.01)
       HP aC++ for Integrity Servers B3910B A.06.28 [Nov 21 2013] Language Support Library


Verify HMAC-SHA-1[edit]

Before actually building, one of the requirements is to verify the HMAC-SHA-1 digest of the FIPS source code “.tar.gz” file. This digest should match the HMAC-SHA-1 digest given in Appendix B section of the OpenSSL FIPS 140-2 Security Policy. Care should be taken to use a SHA-1 FIPs validated implementation to generate the HMAC-SHA-1 digest. A CD containing this source code can also be requested from OpenSSL Foundation (see http://opensslfoundation.org/fips/verify.html).

Sample Build[edit]

Copy the FIPS and the latest OpenSSL sources in a specific folder. Say in /openssl_fips

$ ls -1 /openssl_fips

openssl-1.0.1g.tar.gz
openssl-fips-2.0.5.tar.gz


A sample set of instruction for building FIPS 2.0.5 code with OpenSSL 1.0.1g is given below. The FIPS code install into /usr/local/ssl/fips-2.0 directory. The OpenSSL code builds into /opt/my_openssl/64bits and /opt/my_openssl/32bits for 64 and 32 bit build respectively. We move the 64 and 32 bit installed FIPS module to /opt/my_openssl/64_bits/fips-2.0 and /opt/my_openssl/32_bits/fips-2.0 later after the build.


#
#=====================================================================
# Initial setup
#=====================================================================
#
# cd to the source directory where all .tar.gz files are located.
#
cd /openssl_fips
#
# Remove the destination directories where FIPS module and OpenSSL
# gets installed
#
if [[ -d /usr/local/ssl ]] ; then mv /usr/local/ssl /usr/local/ssl_bkp;  fi
if [[ -d /opt/my_openssl ]] ; then mv /opt/my_openssl /opt/my_openssl_bkp; fi
#
#=====================================================================
# 64 bit build
#=====================================================================
#
# copy and extract code
#
mkdir 64_bits
cp openssl-fips-2.0.5.tar.gz 64_bits
cp openssl-1.0.1g.tar.gz  64_bits
cd 64_bits
gunzip openssl-fips-2.0.5.tar.gz
tar xvf openssl-fips-2.0.5.tar
gunzip openssl-1.0.1g.tar.gz
tar xvf openssl-1.0.1g.tar
#
# Start the 64 bit FIPS build.
#
cd openssl-fips-2.0.5
./config no-asm
make
make install
cd ..
#
# Start the 64 bit OpenSSL build
#
cd openssl-1.0.1g
./config fips threads shared --openssldir=/opt/my_openssl/64_bits
make depend
make
make install
cd ..
#
# move the 64 bit FIPS built modules into /opt/my_openssl/64_bits
#
mv /usr/local/ssl/fips-2.0 /opt/my_openssl/64_bits/fips-2.0
#
# change to /openssl_fips directory
#
cd /openssl_fips
#
#=====================================================================
# 32 bit build
#=====================================================================
#
# KERNEL_BITS variable is used by OpenSSL to build 32/64 bits code on HP-UX.
# default is 64 bits. Hence, we need to explicitly set the variable for 32 bit build.
#
export KERNEL_BITS=32
#
# copy and extract code
#
mkdir 32_bits
cp openssl-fips-2.0.5.tar.gz 32_bits
cp openssl-1.0.1g.tar.gz  32_bits
cd 32_bits
gunzip openssl-fips-2.0.5.tar.gz
tar xvf openssl-fips-2.0.5.tar
gunzip openssl-1.0.1g.tar.gz
tar xvf openssl-1.0.1g.tar
#
# Start the 32 bit FIPS build.
#
cd openssl-fips-2.0.5
./config no-asm
make
make install
cd ..
#
# Start the 32 bit OpenSSL build
#
cd openssl-1.0.1g
./config fips threads shared --openssldir=/opt/my_openssl/32_bits
make depend
make
make install
cd ..
#
# move the 32 bit FIPS built modules into /opt/my_openssl/32_bits
#
mv /usr/local/ssl/fips-2.0 /opt/my_openssl/32_bits/fips-2.0
#
# Unset the KERNEL_BITS variables which we had used for 32 bits build
#
unset KERNEL_BITS
#
# Done
#


Check if FIPS generated build works[edit]

Check if the FIPS really works. You will see that md5 algorithm do not work in FIPS mode and will throw an error “digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c”.

echo helloworld > /tmp/test.txt
/opt/my_openssl/64_bits/bin/openssl sha1 < /tmp/test.txt
/opt/my_openssl/64_bits/bin/openssl md5 < /tmp/test.txt
export OPENSSL_FIPS=1
/opt/my_openssl/64_bits/bin/openssl sha1 < /tmp/test.txt
/opt/my_openssl/64_bits/bin/openssl md5 < /tmp/test.txt
unset OPENSSL_FIPS
rm /tmp/test.txt


Additional Tests[edit]

Additional testing can be performed by using “make test” on the OpenSSL build and following the “CMVP Test Procedure” provided in the User Guide for the OpenSSL FIPS Object Module

--Prasad.sg 08:45, 21 April 2014 (UTC)