HP-UX Itanium FIPS and OpenSSL build
The OpenSSL FIPS 140-2 Security Policy details the way to build the fipscanister.o object module in a FIPS capable way.
Below are the steps, with sample instructions, to build fipscanister.o and a FIPS capable version of OpenSSL on an HP-UX Itanium 2 based platform.
Use HP-UX Itanium 2 based system
Ensure that you are building on an HP-UX Itanium 2 based system (HP-UX 11i v2 and HP-UX 11i v3 support this hardware).
$ uname -a
HP-UX systemname B.11.31 U ia64 0647852721 unlimited-user license
$ machinfo
CPU info: 2 Intel(R) Itanium 2 processors (1.5 GHz, 6 MB) 400 MT/s bus, CPU version B1 - -
Use correct compiler
Ensure that you have the aC++ compiler and the aCC linker. Appendix C of the OpenSSL FIPS 140-2 Security Policy mentions that “HP C/aC++ B3910B” was used to generate the FIPS module fipscanister.o. Using that specific version is not mandatory.
$ swlist | grep -e ACC -e aC++ -e PHSS_43743
B9007AA C.11.31.08 HP C/aC++ Developer's Bundle
HP-ACC-Link C.11.31.03 HP aCC_link Bundle
PHSS_43743 1.0 linker + fdp cumulative patch >>> This patch might get superseded in future
$ cc -V
cc: HP C/aC++ B3910B A.06.28 [Nov 21 2013]
$ which ld
/usr/bin/ld
$ ll /usr/bin/ld
lr-xr-xr-x 1 bin bin 15 Dec 3 2010 /usr/bin/ld -> /usr/ccs/bin/ld
$ what /usr/ccs/bin/ld
/usr/ccs/bin/ld:
ld_msgs.cat: $Revision: 1.85 $
92453-07 linker ld HP Itanium(R) B.12.61 IPF/IPF REL Tue Feb 25 05:59:30 2014 PST
HP aC++ for Integrity Servers B3910B A.06.28 [Nov 21 2013] C++ Standard Library (RogueWave Version 2.02.01)
HP aC++ for Integrity Servers B3910B A.06.28 [Nov 21 2013] Language Support Library
Verify HMAC-SHA-1
Before building, you must verify the HMAC-SHA-1 digest of the FIPS source code “.tar.gz” file. This digest should match the HMAC-SHA-1 digest given in Appendix B of the OpenSSL FIPS 140-2 Security Policy. Take care to use a FIPS validated SHA-1 implementation to generate the HMAC-SHA-1 digest. A CD containing this source code can also be requested from the OpenSSL Foundation (see http://opensslfoundation.org/fips/verify.html).
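One way to script the digest check described above, as an added example that is not part of the original page. The HMAC key is the one used in the Security Policy's verification command; the function names and the REQUIRE_FIPS switch are assumptions of this example, and the expected digest has to be copied from Appendix B.

```shell
#!/bin/sh
# Added example (not from the original page): compare the HMAC-SHA-1 of the
# FIPS source tarball with the digest printed in the Security Policy.

# Key used by the Security Policy's documented verification command.
HMAC_KEY=etaonrishdlcupfm

# hmac_sha1_hex <openssl-binary> <file>   (hypothetical helper name)
# Prints the lowercase hex HMAC-SHA-1 of <file>. With REQUIRE_FIPS=1 (the
# default) the binary is run with OPENSSL_FIPS=1, the same switch this page
# uses to put the openssl command into FIPS mode.
hmac_sha1_hex() {
    _bin=$1
    _file=$2
    [ -r "$_file" ] || { echo "cannot read $_file" >&2; return 2; }
    if [ "${REQUIRE_FIPS:-1}" = 1 ]; then
        _out=$(OPENSSL_FIPS=1 "$_bin" sha1 -hmac "$HMAC_KEY" < "$_file") || return 3
    else
        _out=$("$_bin" sha1 -hmac "$HMAC_KEY" < "$_file") || return 3
    fi
    # Output ends in "= <hex>"; keep the last field only.
    echo "$_out" | awk '{ print $NF }' | tr 'A-F' 'a-f'
}

# verify_fips_tarball <openssl-binary> <tarball> <expected-hex>
# Returns 0 only when the computed digest equals the expected one.
verify_fips_tarball() {
    _want=$(echo "$3" | tr -d ' :' | tr 'A-F' 'a-f')
    _got=$(hmac_sha1_hex "$1" "$2") || return $?
    # A SHA-1 based HMAC is 20 bytes, i.e. 40 hex characters.
    [ "${#_got}" -eq 40 ] || { echo "unexpected output: $_got" >&2; return 4; }
    if [ "$_got" = "$_want" ]; then
        echo "OK: $2"
        return 0
    fi
    echo "MISMATCH: $2 computed $_got expected $_want" >&2
    return 1
}

# Usage on the build host (replace the placeholder with the digest from
# Appendix B of the Security Policy before running):
# verify_fips_tarball /path/to/validated/openssl \
#     /openssl_fips/openssl-fips-2.0.5.tar.gz '<digest-from-Appendix-B>' || exit 1
```

Stop the build on any non-zero return; setting REQUIRE_FIPS=0 only makes sense for trying the script on a machine that has no FIPS capable openssl.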
Sample Build
Copy the FIPS and the latest OpenSSL sources into a specific folder, say /openssl_fips.
$ ls -1 /openssl_fips
openssl-1.0.1g.tar.gz
openssl-fips-2.0.5.tar.gz
A sample set of instructions for building the FIPS 2.0.5 code with OpenSSL 1.0.1g is given below. The FIPS code installs into the /usr/local/ssl/fips-2.0 directory. The OpenSSL code builds into /opt/my_openssl/64_bits and /opt/my_openssl/32_bits for the 64 and 32 bit builds respectively. We move the installed 64 and 32 bit FIPS modules to /opt/my_openssl/64_bits/fips-2.0 and /opt/my_openssl/32_bits/fips-2.0 later, after the build.
#
#=====================================================================
# Initial setup
#=====================================================================
#
# cd to the source directory where all .tar.gz files are located.
#
cd /openssl_fips
#
# Move aside any existing destination directories where the FIPS module
# and OpenSSL get installed
#
if [[ -d /usr/local/ssl ]] ; then mv /usr/local/ssl /usr/local/ssl_bkp; fi
if [[ -d /opt/my_openssl ]] ; then mv /opt/my_openssl /opt/my_openssl_bkp; fi
#
#=====================================================================
# 64 bit build
#=====================================================================
#
# copy and extract code
#
mkdir 64_bits
cp openssl-fips-2.0.5.tar.gz 64_bits
cp openssl-1.0.1g.tar.gz 64_bits
cd 64_bits
gunzip openssl-fips-2.0.5.tar.gz
tar xvf openssl-fips-2.0.5.tar
gunzip openssl-1.0.1g.tar.gz
tar xvf openssl-1.0.1g.tar
#
# Start the 64 bit FIPS build.
#
cd openssl-fips-2.0.5
./config no-asm
make
make install
cd ..
#
# Start the 64 bit OpenSSL build
#
cd openssl-1.0.1g
./config fips threads shared --openssldir=/opt/my_openssl/64_bits
make depend
make
make install
cd ..
#
# move the 64 bit FIPS built modules into /opt/my_openssl/64_bits
#
mv /usr/local/ssl/fips-2.0 /opt/my_openssl/64_bits/fips-2.0
#
# change to /openssl_fips directory
#
cd /openssl_fips
#
#=====================================================================
# 32 bit build
#=====================================================================
#
# KERNEL_BITS variable is used by OpenSSL to build 32/64 bits code on HP-UX.
# default is 64 bits. Hence, we need to explicitly set the variable for 32 bit build.
#
export KERNEL_BITS=32
#
# copy and extract code
#
mkdir 32_bits
cp openssl-fips-2.0.5.tar.gz 32_bits
cp openssl-1.0.1g.tar.gz 32_bits
cd 32_bits
gunzip openssl-fips-2.0.5.tar.gz
tar xvf openssl-fips-2.0.5.tar
gunzip openssl-1.0.1g.tar.gz
tar xvf openssl-1.0.1g.tar
#
# Start the 32 bit FIPS build.
#
cd openssl-fips-2.0.5
./config no-asm
make
make install
cd ..
#
# Start the 32 bit OpenSSL build
#
cd openssl-1.0.1g
./config fips threads shared --openssldir=/opt/my_openssl/32_bits
make depend
make
make install
cd ..
#
# move the 32 bit FIPS built modules into /opt/my_openssl/32_bits
#
mv /usr/local/ssl/fips-2.0 /opt/my_openssl/32_bits/fips-2.0
#
# Unset the KERNEL_BITS variable which we had used for the 32 bit build
#
unset KERNEL_BITS
#
# Done
#
Check if FIPS generated build works
Check that FIPS mode really works. You will see that the md5 algorithm does not work in FIPS mode and throws the error “digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c”.
echo helloworld > /tmp/test.txt
/opt/my_openssl/64_bits/bin/openssl sha1 < /tmp/test.txt
/opt/my_openssl/64_bits/bin/openssl md5 < /tmp/test.txt
export OPENSSL_FIPS=1
/opt/my_openssl/64_bits/bin/openssl sha1 < /tmp/test.txt
/opt/my_openssl/64_bits/bin/openssl md5 < /tmp/test.txt
unset OPENSSL_FIPS
rm /tmp/test.txt
Additional Tests
Additional testing can be performed by using “make test” on the OpenSSL build and by following the “CMVP Test Procedure” provided in the User Guide for the OpenSSL FIPS Object Module.
--Prasad.sg 08:45, 21 April 2014 (UTC)