HP-UX Itanium FIPS and OpenSSL build

From OpenSSLWiki

The OpenSSL FIPS 140-2 Security Policy details the way to build the fipscanister.o object module in a FIPS capable way.

Below are the steps, with sample instructions, to build fipscanister.o and a FIPS Capable version of OpenSSL on an HP-UX Itanium 2 based platform.



Use an HP-UX Itanium 2 based system

Ensure that you are building on an HP-UX Itanium 2 based system (HP-UX 11i v2 and HP-UX 11i v3 support this hardware).

$ uname -a

HP-UX systemname B.11.31 U ia64 0647852721 unlimited-user license

$ machinfo

CPU info:
 2 Intel(R) Itanium 2 processors (1.5 GHz, 6 MB)
         400 MT/s bus, CPU version B1
-
-

Use the correct compiler

Ensure that you have the aC++ compiler and the aCC linker bundle. Appendix C of the OpenSSL FIPS 140-2 Security Policy states that "HP C/aC++ B3910B" was used to generate the FIPS module fipscanister.o. Using that specific version is not mandatory.

$ swlist | grep -e ACC -e aC++ -e PHSS_43743

 B9007AA                               C.11.31.08     HP C/aC++ Developer's Bundle
 HP-ACC-Link                           C.11.31.03     HP aCC_link Bundle
 PHSS_43743                            1.0            linker + fdp cumulative patch       >>> This patch might get superseded in future

$ cc -V

cc: HP C/aC++ B3910B A.06.28 [Nov 21 2013]

$ which ld

/usr/bin/ld

$ ll /usr/bin/ld

lr-xr-xr-x   1 bin        bin             15 Dec  3  2010 /usr/bin/ld -> /usr/ccs/bin/ld

$ what /usr/ccs/bin/ld

/usr/ccs/bin/ld:
       ld_msgs.cat: $Revision: 1.85 $
       92453-07 linker ld HP Itanium(R) B.12.61  IPF/IPF
       REL Tue Feb 25 05:59:30 2014 PST
       HP aC++ for Integrity Servers B3910B A.06.28 [Nov 21 2013] C++ Standard Library (RogueWave Version 2.02.01)
       HP aC++ for Integrity Servers B3910B A.06.28 [Nov 21 2013] Language Support Library


Verify HMAC-SHA-1

Before actually building, one of the requirements is to verify the HMAC-SHA-1 digest of the FIPS source code ".tar.gz" file. This digest must match the HMAC-SHA-1 digest given in Appendix B of the OpenSSL FIPS 140-2 Security Policy. Care should be taken to use a FIPS validated SHA-1 implementation to generate the HMAC-SHA-1 digest. A CD containing this source code can also be requested from the OpenSSL Foundation (see http://opensslfoundation.org/fips/verify.html).
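The following shell script is an added example, not part of the wiki page or the OpenSSL project, that turns the Appendix B check into a pass/fail step you can run before unpacking the tarball. It assumes the expected digest is copied from the Security Policy for the exact tarball you downloaded (the value in the usage comment is a placeholder), that the fixed HMAC key "etaonrishdlcupfm" used by the Security Policy's build instructions is the one to use (the page does not quote it, so confirm it against the policy), and that the openssl binary running the check is itself a FIPS validated SHA-1 implementation, as the policy requires.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify the HMAC-SHA-1 of the
# OpenSSL FIPS source tarball against the digest published in Appendix B
# of the Security Policy before starting the build.

# fips_hmac_sha1 KEY FILE
# Prints the lowercase hex HMAC-SHA-1 of FILE under KEY.
# "openssl dgst -hmac" prints "HMAC-SHA1(FILE)= <hex>"; keep the last field.
fips_hmac_sha1() {
    key=$1
    file=$2
    openssl dgst -sha1 -hmac "$key" "$file" | awk '{ print tolower($NF) }'
}

# verify_fips_tarball FILE EXPECTED_HEX [KEY]
# Returns 0 when the computed digest matches EXPECTED_HEX (case-insensitive),
# 1 on a mismatch and 2 when FILE does not exist. KEY defaults to the key
# the Security Policy uses for this check (assumption: confirm against the
# policy text).
verify_fips_tarball() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    key=${3:-etaonrishdlcupfm}

    if [ ! -f "$file" ]; then
        echo "verify_fips_tarball: missing file: $file" >&2
        return 2
    fi

    actual=$(fips_hmac_sha1 "$key" "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file $actual"
        return 0
    fi

    echo "MISMATCH $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Usage before the build (placeholder digest; paste the Appendix B value):
#   verify_fips_tarball /openssl_fips/openssl-fips-2.0.5.tar.gz \
#       "<HMAC-SHA-1 from Security Policy Appendix B>" || exit 1
```

Stop the build on any non-zero return: a mismatch means the tarball is not the validated source and nothing built from it is the validated module.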

Sample Build

Copy the FIPS and the latest OpenSSL sources into a specific folder, say /openssl_fips.

$ ls -1 /openssl_fips

openssl-1.0.1g.tar.gz
openssl-fips-2.0.5.tar.gz


A sample set of instructions for building the FIPS 2.0.5 code with OpenSSL 1.0.1g is given below. The FIPS code installs into the /usr/local/ssl/fips-2.0 directory. The OpenSSL code is built into /opt/my_openssl/64_bits and /opt/my_openssl/32_bits for the 64 bit and 32 bit builds respectively. After each build we move the installed 64 bit and 32 bit FIPS module to /opt/my_openssl/64_bits/fips-2.0 and /opt/my_openssl/32_bits/fips-2.0.


#
#=====================================================================
# Initial setup
#=====================================================================
#
# cd to the source directory where all .tar.gz files are located.
#
cd /openssl_fips
#
# Remove the destination directories where FIPS module and OpenSSL
# gets installed
#
if [[ -d /usr/local/ssl ]] ; then mv /usr/local/ssl /usr/local/ssl_bkp;  fi
if [[ -d /opt/my_openssl ]] ; then mv /opt/my_openssl /opt/my_openssl_bkp; fi
#
#=====================================================================
# 64 bit build
#=====================================================================
#
# copy and extract code
#
mkdir 64_bits
cp openssl-fips-2.0.5.tar.gz 64_bits
cp openssl-1.0.1g.tar.gz  64_bits
cd 64_bits
gunzip openssl-fips-2.0.5.tar.gz
tar xvf openssl-fips-2.0.5.tar
gunzip openssl-1.0.1g.tar.gz
tar xvf openssl-1.0.1g.tar
#
# Start the 64 bit FIPS build.
#
cd openssl-fips-2.0.5
./config no-asm
make
make install
cd ..
#
# Start the 64 bit OpenSSL build
#
cd openssl-1.0.1g
./config fips threads shared --openssldir=/opt/my_openssl/64_bits
make depend
make
make install
cd ..
#
# move the 64 bit FIPS built modules into /opt/my_openssl/64_bits
#
mv /usr/local/ssl/fips-2.0 /opt/my_openssl/64_bits/fips-2.0
#
# change to /openssl_fips directory
#
cd /openssl_fips
#
#=====================================================================
# 32 bit build
#=====================================================================
#
# KERNEL_BITS variable is used by OpenSSL to build 32/64 bits code on HP-UX.
# default is 64 bits. Hence, we need to explicitly set the variable for 32 bit build.
#
export KERNEL_BITS=32
#
# copy and extract code
#
mkdir 32_bits
cp openssl-fips-2.0.5.tar.gz 32_bits
cp openssl-1.0.1g.tar.gz  32_bits
cd 32_bits
gunzip openssl-fips-2.0.5.tar.gz
tar xvf openssl-fips-2.0.5.tar
gunzip openssl-1.0.1g.tar.gz
tar xvf openssl-1.0.1g.tar
#
# Start the 32 bit FIPS build.
#
cd openssl-fips-2.0.5
./config no-asm
make
make install
cd ..
#
# Start the 32 bit OpenSSL build
#
cd openssl-1.0.1g
./config fips threads shared --openssldir=/opt/my_openssl/32_bits
make depend
make
make install
cd ..
#
# move the 32 bit FIPS built modules into /opt/my_openssl/32_bits
#
mv /usr/local/ssl/fips-2.0 /opt/my_openssl/32_bits/fips-2.0
#
# Unset the KERNEL_BITS variables which we had used for 32 bits build
#
unset KERNEL_BITS
#
# Done
#


Check that the FIPS build works

Check that FIPS mode really takes effect. You will see that the md5 algorithm does not work in FIPS mode and throws the error "digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c".

echo helloworld > /tmp/test.txt
/opt/my_openssl/64_bits/bin/openssl sha1 < /tmp/test.txt
/opt/my_openssl/64_bits/bin/openssl md5 < /tmp/test.txt
export OPENSSL_FIPS=1
/opt/my_openssl/64_bits/bin/openssl sha1 < /tmp/test.txt
/opt/my_openssl/64_bits/bin/openssl md5 < /tmp/test.txt
unset OPENSSL_FIPS
rm /tmp/test.txt
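The manual check above relies on reading the screen. The script below is an added example, not part of the wiki page or the OpenSSL project, that turns the same smoke test into a function with an exit status: under OPENSSL_FIPS=1 an approved digest (SHA-1) must still work and md5 must be refused with the "disabled for fips" error quoted above. It assumes the FIPS capable binary is at the page's path /opt/my_openssl/64_bits/bin/openssl (override with the OPENSSL_BIN environment variable) and that /tmp is writable; the error string in the comments is the one quoted on the page.

```shell
#!/bin/sh
# Added example (not from the wiki page): pass/fail check that FIPS mode is
# enforced by the freshly built OpenSSL binary.
OPENSSL_BIN="${OPENSSL_BIN:-/opt/my_openssl/64_bits/bin/openssl}"

# classify_fips_result SHA1_RC MD5_RC MD5_STDERR
# Pure decision logic, separated from running the binary so it can be
# exercised with constructed results:
#   - sha1 must succeed under OPENSSL_FIPS=1 (otherwise the binary is not
#     FIPS capable or the module failed its power-up self test),
#   - md5 must fail, and fail specifically with the "disabled for fips"
#     error from fips_md.c, not for some unrelated reason.
classify_fips_result() {
    sha1_rc=$1
    md5_rc=$2
    md5_err=$3

    if [ "$sha1_rc" -ne 0 ]; then
        echo "FAIL: sha1 failed under OPENSSL_FIPS=1 (binary not FIPS capable?)"
        return 1
    fi
    if [ "$md5_rc" -eq 0 ]; then
        echo "FAIL: md5 succeeded under OPENSSL_FIPS=1, FIPS mode is not in effect"
        return 1
    fi
    case "$md5_err" in
        *"disabled for fips"*)
            echo "PASS: md5 refused in FIPS mode"
            return 0
            ;;
        *)
            echo "FAIL: md5 failed for an unexpected reason: $md5_err"
            return 1
            ;;
    esac
}

# check_fips_mode
# Runs sha1 and md5 on a small input with OPENSSL_FIPS=1 set only for those
# two invocations, captures md5's stderr, and classifies the outcome.
check_fips_mode() {
    tmp=/tmp/fipscheck.$$
    echo helloworld > "$tmp" || return 2

    OPENSSL_FIPS=1 "$OPENSSL_BIN" sha1 < "$tmp" > /dev/null 2>&1
    sha1_rc=$?

    # "2>&1 >/dev/null" keeps only stderr in md5_err; $? is md5's exit code
    md5_err=$(OPENSSL_FIPS=1 "$OPENSSL_BIN" md5 < "$tmp" 2>&1 > /dev/null)
    md5_rc=$?

    rm -f "$tmp"
    classify_fips_result "$sha1_rc" "$md5_rc" "$md5_err"
}

# Usage after the 64 bit build (repeat with OPENSSL_BIN pointing at the
# 32 bit binary):
#   check_fips_mode || exit 1
```

Running the check against both the 64 bit and 32 bit binaries catches the common mistake of building one of them without the "fips" configure option, which produces a working OpenSSL that silently never enters FIPS mode.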


Additional Tests

Additional testing can be performed by running "make test" on the OpenSSL build and by following the "CMVP Test Procedure" provided in the User Guide for the OpenSSL FIPS Object Module.

--Prasad.sg 08:45, 21 April 2014 (UTC)