Monday, May 7, 2012

OpenSSL FIPS 140-2 and RHEL 5

Since I often use the Internet to find guidance and answers to questions, I thought I'd add my own small contribution back to the community.

We found ourselves needing to build a FIPS 140-2 compliant version of the OpenSSL openssl command-line utility recently.  A good starting point is the OpenSSL FIPS 140-2 User Guide.  It contains instructions for where to find OpenSSL source, and importantly, instructions for verifying the integrity of the distribution, and this is a necessary component of building a FIPS 140-2 openssl.

I worked through the guide through nearly page 23.  However, when I reached section 4.2.1, things started to go wrong for me.  I was able to run config with no problem, but the make failed with an error about not having a target for fipscannister.o.

I then found a very helpful bit of advice in a Google Group post about OpenSSL and FIPS 140-2.  But that advice didn't quite match our environment (it was Ubuntu, and we run RHEL).  So here are my directions for building an openssl utility on RHEL 5.

First, in our case we downloaded and verified the integrity of openss-1.2.3 using the directions from the guide above.  Here are the results in a little sandbox:

batch-bryan:; pwd
/tmp/openssl-fips
batch-bryan:; ls -R
.:
lib/  src/

./lib:

./src:
openssl-fips-1.2.3.tar

Now, we head into the src directory, and unpackage the tarball:

batch-bryan:; cd src
/tmp/openssl-fips/src
batch-bryan:; tar xf openssl-fips-1.2.3.tar

And then configure things to build the FIPS canister and utility:

batch-bryan:; cd openssl-fips-1.2.3
/tmp/openssl-fips/src/openssl-fips-1.2.3
batch-bryan:; ./config fipscanisterbuild --prefix="/tmp/openssl-fips"

Now to build and install:

batch-bryan:; make
batch-bryan:; make install

And there it is:

batch-bryan:; ls /tmp/openssl-fips/lib
engines/             fips_premain.c       libcrypto.so@        libssl.so@
fipscanister.o       fips_premain.c.sha1  libcrypto.so.0.9.8*  libssl.so.0.9.8*
fipscanister.o.sha1  libcrypto.a          libssl.a             pkgconfig/


And there is the utility:

batch-bryan:; cd /tmp/openssl-fips/bin
/tmp/openssl-fips/bin
batch-bryan:; ls
c_rehash*  openssl*
batch-bryan:; setenv OPENSSL_FIPS 1
batch-bryan:; ./openssl version
OpenSSL FIPS Object Module v1.2

But if we try the stock one:

batch-bryan:; /usr/bin/openssl version
13789:error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match:fips.c:493:
batch-bryan:; unsetenv OPENSSL_FIPS
batch-bryan:; /usr/bin/openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

Not so much.

To build and install the FIPS 140-2 compliant version of OpenSSL in a more "real" location than a sandbox, just change the value used in the prefix variable used in the config invocation above.





4 comments:

  1. Thanks for the good instructions. Want to ask one question, by following openssl-fips-2.0-user-manual, I can only generate libcrypto.a, how did you make the shared lib libcrypto.so. Want to do the same thing. Thanks.

    ReplyDelete
    Replies
    1. Jeff, all I did was unpack the tarball, ran config (as in the post), and then did the make and make install. If that is not building the shared lib, I'm not sure why.

      Are you downloading the same build (v1.2.3)?

      Delete
  2. Hi Bryan,
    I am following this document:
    http://www.openssl.org/docs/fips/UserGuide-2.0.pdf
    especially section 4.2.

    Trying to make a FIPS openssl build (libcrypto.so) with:
    openssl-fips-2.0-test-201206xx.tar.gz and
    openssl-1.0.2-stable-SNAP-201206xx.tar.gz

    which are downloaded from here:
    http://www.mmnt.net/db/0/0/ftp.openssl.org/snapshot

    As mentioned in user-manual-2.0, the build script should NOT be modified in order to have a FIPS capable library, so I suppose there must be a target to build libcrypto.so, but couldn't get any.

    Thanks

    ReplyDelete
    Replies
    1. Hi, Jeff. I'm not familiar with that download site, but it looks to me like v1.0.2 is probably old, and 2.0 is not ready for primetime.

      My build came from the OpenSSL web site, and was this (now older) download:

      http://www.openssl.org/source/openssl-fips-1.2.2.tar.gz

      Following the instructions in the OpenSSL FIPS Object Module guide (http://www.openssl.org/docs/fips/UserGuide-1.1.1.pdf) to check signatures and checksums, and then using the few commands above (the config, make, and make install) did the trick for me.

      Delete

Note: Only a member of this blog may post a comment.