HP-UX Itanium FIPS and OpenSSL build
The OpenSSL FIPS 140-2 Security Policy details the way to build the fipscanister.o object module in a FIPS capable way.
Below are the steps with sample instruction to build fipscanister.o and a FIPS Capable version of OpenSSL on HP-UX on Itanium 2 based platform.
Use HP-UX Itanium 2 based system[edit]
Ensure that you are building on a HP-UX Itanium 2 based system (HP-UX 11i v2 and HP-UX 11i v3 supports this hardware)
$ uname -a
HP-UX systemname B.11.31 U ia64 0647852721 unlimited-user license
$ machinfo
CPU info:
2 Intel(R) Itanium 2 processors (1.5 GHz, 6 MB)
400 MT/s bus, CPU version B1
-
-
Use correct compiler[edit]
Ensure that you have the ac++ compiler and acc linker. The “Appendix C” of OpenSSL FIPS 140-2 Security Policy mentions that “HP C/aC++ B3910B” was used to generate the FIPS module fipscanister.o. The use of the specific version is not mandatory.
$ swlist | grep -e ACC -e aC++ -e PHSS_43743
B9007AA C.11.31.08 HP C/aC++ Developer's Bundle HP-ACC-Link C.11.31.03 HP aCC_link Bundle PHSS_43743 1.0 linker + fdp cumulative patch >>> This patch might get superseded in future
$ cc -V
cc: HP C/aC++ B3910B A.06.28 [Nov 21 2013]
$ which ld
/usr/bin/ld
$ ll /usr/bin/ld
lr-xr-xr-x 1 bin bin 15 Dec 3 2010 /usr/bin/ld -> /usr/ccs/bin/ld
$ what /usr/ccs/bin/ld
/usr/ccs/bin/ld:
ld_msgs.cat: $Revision: 1.85 $
92453-07 linker ld HP Itanium(R) B.12.61 IPF/IPF
REL Tue Feb 25 05:59:30 2014 PST
HP aC++ for Integrity Servers B3910B A.06.28 [Nov 21 2013] C++ Standard Library (RogueWave Version 2.02.01)
HP aC++ for Integrity Servers B3910B A.06.28 [Nov 21 2013] Language Support Library
Verify HMAC-SHA-1[edit]
Before actually building, one of the requirements is to verify the HMAC-SHA-1 digest of the FIPS source code “.tar.gz” file. This digest should match the HMAC-SHA-1 digest given in Appendix B section of the OpenSSL FIPS 140-2 Security Policy. Care should be taken to use a SHA-1 FIPs validated implementation to generate the HMAC-SHA-1 digest. A CD containing this source code can also be requested from OpenSSL Foundation (see http://opensslfoundation.org/fips/verify.html).
Sample Build[edit]
Copy the FIPS and the latest OpenSSL sources in a specific folder. Say in /openssl_fips
$ ls -1 /openssl_fips
openssl-1.0.1g.tar.gz openssl-fips-2.0.5.tar.gz
A sample set of instruction for building FIPS 2.0.5 code with OpenSSL 1.0.1g is given below. The FIPS code install into /usr/local/ssl/fips-2.0 directory. The OpenSSL code builds into /opt/my_openssl/64bits and /opt/my_openssl/32bits for 64 and 32 bit build respectively. We move the 64 and 32 bit installed FIPS module to /opt/my_openssl/64_bits/fips-2.0 and /opt/my_openssl/32_bits/fips-2.0 later after the build.
# #===================================================================== # Initial setup #===================================================================== # # cd to the source directory where all .tar.gz files are located. # cd /openssl_fips # # Remove the destination directories where FIPS module and OpenSSL # gets installed # if [[ -d /usr/local/ssl ]] ; then mv /usr/local/ssl /usr/local/ssl_bkp; fi if [[ -d /opt/my_openssl ]] ; then mv /opt/my_openssl /opt/my_openssl_bkp; fi # #===================================================================== # 64 bit build #===================================================================== # # copy and extract code # mkdir 64_bits cp openssl-fips-2.0.5.tar.gz 64_bits cp openssl-1.0.1g.tar.gz 64_bits cd 64_bits gunzip openssl-fips-2.0.5.tar.gz tar xvf openssl-fips-2.0.5.tar gunzip openssl-1.0.1g.tar.gz tar xvf openssl-1.0.1g.tar # # Start the 64 bit FIPS build. # cd openssl-fips-2.0.5 ./config no-asm make make install cd .. # # Start the 64 bit OpenSSL build # cd openssl-1.0.1g ./config fips threads shared --openssldir=/opt/my_openssl/64_bits make depend make make install cd .. # # move the 64 bit FIPS built modules into /opt/my_openssl/64_bits # mv /usr/local/ssl/fips-2.0 /opt/my_openssl/64_bits/fips-2.0 # # change to /openssl_fips directory # cd /openssl_fips # #===================================================================== # 32 bit build #===================================================================== # # KERNEL_BITS variable is used by OpenSSL to build 32/64 bits code on HP-UX. # default is 64 bits. Hence, we need to explicitly set the variable for 32 bit build. # export KERNEL_BITS=32 # # copy and extract code # mkdir 32_bits cp openssl-fips-2.0.5.tar.gz 32_bits cp openssl-1.0.1g.tar.gz 32_bits cd 32_bits gunzip openssl-fips-2.0.5.tar.gz tar xvf openssl-fips-2.0.5.tar gunzip openssl-1.0.1g.tar.gz tar xvf openssl-1.0.1g.tar # # Start the 32 bit FIPS build. # cd openssl-fips-2.0.5 ./config no-asm make make install cd .. # # Start the 32 bit OpenSSL build # cd openssl-1.0.1g ./config fips threads shared --openssldir=/opt/my_openssl/32_bits make depend make make install cd .. # # move the 32 bit FIPS built modules into /opt/my_openssl/32_bits # mv /usr/local/ssl/fips-2.0 /opt/my_openssl/32_bits/fips-2.0 # # Unset the KERNEL_BITS variables which we had used for 32 bits build # unset KERNEL_BITS # # Done #
Check if FIPS generated build works[edit]
Check if the FIPS really works. You will see that md5 algorithm do not work in FIPS mode and will throw an error “digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c”.
echo helloworld > /tmp/test.txt /opt/my_openssl/64_bits/bin/openssl sha1 < /tmp/test.txt /opt/my_openssl/64_bits/bin/openssl md5 < /tmp/test.txt export OPENSSL_FIPS=1 /opt/my_openssl/64_bits/bin/openssl sha1 < /tmp/test.txt /opt/my_openssl/64_bits/bin/openssl md5 < /tmp/test.txt unset OPENSSL_FIPS rm /tmp/test.txt
Additional Tests[edit]
Additional testing can be performed by using “make test” on the OpenSSL build and following the “CMVP Test Procedure” provided in the User Guide for the OpenSSL FIPS Object Module
--Prasad.sg 08:45, 21 April 2014 (UTC)
