Prasad.sg: HP-UX OpenSSL build (FIPS capable)

2014-04-21T08:45:17Z

HP-UX OpenSSL build (FIPS capable)

New page

The [http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf OpenSSL FIPS 140-2 Security Policy] details the way to build the fipscanister.o object module in a FIPS capable way.

Below are the steps with sample instruction to build fipscanister.o and a FIPS Capable version of OpenSSL on HP-UX on Itanium 2 based platform.

----

== Use HP-UX Itanium 2 based system ==
Ensure that you are building on a HP-UX Itanium 2 based system (HP-UX 11i v2 and HP-UX 11i v3 supports this hardware)

$ uname -a
HP-UX systemname B.11.31 U ia64 0647852721 unlimited-user license
$ machinfo
CPU info:
2 Intel(R) Itanium 2 processors (1.5 GHz, 6 MB)
400 MT/s bus, CPU version B1
-
-

== Use correct compiler ==
Ensure that you have the ac++ compiler and acc linker. The “Appendix C” of [http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf OpenSSL FIPS 140-2 Security Policy] mentions that “HP C/aC++ B3910B” was used to generate the FIPS module fipscanister.o. The use of the specific version is not mandatory.

$ swlist | grep -e ACC -e aC++ -e PHSS_43743
B9007AA C.11.31.08 HP C/aC++ Developer's Bundle
HP-ACC-Link C.11.31.03 HP aCC_link Bundle
PHSS_43743 1.0 linker + fdp cumulative patch >>> This patch might get superseded in future

$ cc -V
cc: HP C/aC++ B3910B A.06.28 [Nov 21 2013]

$ which ld
/usr/bin/ld
$ ll /usr/bin/ld
lr-xr-xr-x 1 bin bin 15 Dec 3 2010 /usr/bin/ld -> /usr/ccs/bin/ld
$ what /usr/ccs/bin/ld
/usr/ccs/bin/ld:
ld_msgs.cat: $Revision: 1.85 $
92453-07 linker ld HP Itanium(R) B.12.61 IPF/IPF
REL Tue Feb 25 05:59:30 2014 PST
HP aC++ for Integrity Servers B3910B A.06.28 [Nov 21 2013] C++ Standard Library (RogueWave Version 2.02.01)
HP aC++ for Integrity Servers B3910B A.06.28 [Nov 21 2013] Language Support Library

== Verify HMAC-SHA-1 ==
Before actually building, one of the requirements is to verify the HMAC-SHA-1 digest of the FIPS source code “.tar.gz” file. This digest should match the HMAC-SHA-1 digest given in Appendix B section of the [http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf OpenSSL FIPS 140-2 Security Policy]. Care should be taken to use a SHA-1 FIPs validated implementation to generate the HMAC-SHA-1 digest. A CD containing this source code can also be requested from OpenSSL Foundation (see [http://opensslfoundation.org/fips/verify.html http://opensslfoundation.org/fips/verify.html]).

== Sample Build ==

Copy the FIPS and the latest OpenSSL sources in a specific folder. Say in /openssl_fips

$ ls -1 /openssl_fips
openssl-1.0.1g.tar.gz
openssl-fips-2.0.5.tar.gz

A sample set of instruction for building FIPS 2.0.5 code with OpenSSL 1.0.1g is given below. The FIPS code install into /usr/local/ssl/fips-2.0 directory. The OpenSSL code builds into /opt/my_openssl/64bits and /opt/my_openssl/32bits for 64 and 32 bit build respectively. We move the 64 and 32 bit installed FIPS module to /opt/my_openssl/64_bits/fips-2.0 and /opt/my_openssl/32_bits/fips-2.0 later after the build.

#
#=====================================================================
# Initial setup
#=====================================================================
#
# cd to the source directory where all .tar.gz files are located.
#
cd /openssl_fips
#
# Remove the destination directories where FIPS module and OpenSSL
# gets installed
#
if <nowiki>[[ -d /usr/local/ssl ]]</nowiki> ; then mv /usr/local/ssl /usr/local/ssl_bkp; fi
if <nowiki>[[ -d /opt/my_openssl ]]</nowiki> ; then mv /opt/my_openssl /opt/my_openssl_bkp; fi
#
#=====================================================================
# 64 bit build
#=====================================================================
#
# copy and extract code
#
mkdir 64_bits
cp openssl-fips-2.0.5.tar.gz 64_bits
cp openssl-1.0.1g.tar.gz 64_bits
cd 64_bits
gunzip openssl-fips-2.0.5.tar.gz
tar xvf openssl-fips-2.0.5.tar
gunzip openssl-1.0.1g.tar.gz
tar xvf openssl-1.0.1g.tar
#
# Start the 64 bit FIPS build.
#
cd openssl-fips-2.0.5
./config no-asm
make
make install
cd ..
#
# Start the 64 bit OpenSSL build
#
cd openssl-1.0.1g
./config fips threads shared --openssldir=/opt/my_openssl/64_bits
make depend
make
make install
cd ..
#
# move the 64 bit FIPS built modules into /opt/my_openssl/64_bits
#
mv /usr/local/ssl/fips-2.0 /opt/my_openssl/64_bits/fips-2.0
#
# change to /openssl_fips directory
#
cd /openssl_fips
#
#=====================================================================
# 32 bit build
#=====================================================================
#
# KERNEL_BITS variable is used by OpenSSL to build 32/64 bits code on HP-UX.
# default is 64 bits. Hence, we need to explicitly set the variable for 32 bit build.
#
export KERNEL_BITS=32
#
# copy and extract code
#
mkdir 32_bits
cp openssl-fips-2.0.5.tar.gz 32_bits
cp openssl-1.0.1g.tar.gz 32_bits
cd 32_bits
gunzip openssl-fips-2.0.5.tar.gz
tar xvf openssl-fips-2.0.5.tar
gunzip openssl-1.0.1g.tar.gz
tar xvf openssl-1.0.1g.tar
#
# Start the 32 bit FIPS build.
#
cd openssl-fips-2.0.5
./config no-asm
make
make install
cd ..
#
# Start the 32 bit OpenSSL build
#
cd openssl-1.0.1g
./config fips threads shared --openssldir=/opt/my_openssl/32_bits
make depend
make
make install
cd ..
#
# move the 32 bit FIPS built modules into /opt/my_openssl/32_bits
#
mv /usr/local/ssl/fips-2.0 /opt/my_openssl/32_bits/fips-2.0
#
# Unset the KERNEL_BITS variables which we had used for 32 bits build
#
unset KERNEL_BITS
#
# Done
#

== Check if FIPS generated build works ==
Check if the FIPS really works. You will see that md5 algorithm do not work in FIPS mode and will throw an error “digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c”.

echo helloworld > /tmp/test.txt
/opt/my_openssl/64_bits/bin/openssl sha1 < /tmp/test.txt
/opt/my_openssl/64_bits/bin/openssl md5 < /tmp/test.txt
export OPENSSL_FIPS=1
/opt/my_openssl/64_bits/bin/openssl sha1 < /tmp/test.txt
/opt/my_openssl/64_bits/bin/openssl md5 < /tmp/test.txt
unset OPENSSL_FIPS
rm /tmp/test.txt

== Additional Tests ==
Additional testing can be performed by using “make test” on the OpenSSL build and following the “CMVP Test Procedure” provided in the [http://www.openssl.org/docs/fips/UserGuide-2.0.pdf User Guide for the OpenSSL FIPS Object Module]

--[[User:Prasad.sg|Prasad.sg]] 08:45, 21 April 2014 (UTC)

HP-UX Itanium FIPS and OpenSSL build - Revision history

Prasad.sg: HP-UX OpenSSL build (FIPS capable)