Concise steps to Building and Installing the FIPS Object Module with OpenSSL (Unix/Linux)


1. Build the OpenSSL FIPS module (I am using openssl-fips-1.2.3)

./config fipscanisterbuild -m32 --openssldir=/build/openssl-fips-1.2.3

(--prefix must not be specified.)

make

make install

2. Build a FIPS capable OpenSSL (I am using openssl-0.9.8n)

./config fips --with-fipslibdir=/build/openssl-fips-1.2.3/lib --openssldir=build/openssl-0.9.8n -m32

make

make install

 

================

The following is extracted from the OpenSSL FIPS Object Module User Guide 1.2

================

Building and Installing the FIPS Object Module with OpenSSL (Unix/Linux)

Due to significant differences in the two basic operating system families, Unix®/Linux® and
Microsoft® Windows® platforms are discussed separately. Instructions for Windows® are given in
§4.3.
4.2.1 Building the FIPS Object Module from Source
Next build the FIPS Object Module from source. The FIPS 140-2 validation specific code is
incorporated into the generated FIPS Object Module when the fips configuration option is
specified. Per the conditions of the FIPS 140-2 validation only two configuration commands may
be used:
./config fipscanisterbuild
or
./config fipscanisterbuild noasm
where the specific option used depends on the platform (see §3.2.1).
The specification of any other options on the command line, such as
./config fipscanisterbuild shared
is not permitted. Note that in the case of the “shared” option position independent code is
generated by default so the generated FIPS Object Module can be included in a shared library [29].
Note that as a condition of the FIPS 140-2 validation no other user specified configuration options
may be specified. This restriction means that an optional install prefix cannot be specified –
however, there is no restriction on subsequent manual relocation of the generated files to the
desired final location.
[28] The OPENSSL_FIPS=1 environment variable will enable FIPS mode for an openssl command built from a FIPS
capable OpenSSL distribution.
[29] If not for the FIPS validation prohibition, on most but not all platforms the “shared” option could safely be chosen
regardless of the intended use. See Appendix H for one known exception.
Then:
make
to generate the FIPS Object Module file fipscanister.o, the digest for the FIPS Object
Module file, fipscanister.o.sha1, and the source file used to generate the embedded digest,
fips_premain.c. The fipscanister.o, fipscanister.o.sha1, and
fips_premain.c files are intermediate files (i.e., used in the generation of an application but
not referenced by that application at runtime). The object code in the fipscanister.o file is
incorporated into the runtime executable application at the time the binary executable is generated.
This should also be obvious, but modifications to any of the intermediate files generated by the
“./config fipscanisterbuild” or “make” commands are not permitted. If the original
distribution is modified, or if anything other than those three specified commands are used, or if any
intermediate files are modified, the result is not FIPS validated.
4.2.2 Installing and Protecting the FIPS Object Module
The system administrator should install the generated fipscanister.o,
fipscanister.o.sha1, and fips_premain.c files in a location protected by the host
operating system security features. These protections should allow write access only to authorized
system administrators (FIPS 140-2 Crypto Officers) and read access only to authorized users.
For Unix® based or Linux® systems this protection usually takes the form of root ownership and
permissions of 0755 or less for those files and all parent directories. When all system users are not
authorized users the world (public) read and execute permissions should be removed from these
files.
The usual
make install
will install the fipscanister.o, fipscanister.o.sha1, fips_premain.c, and
fips_premain.c.sha1 files in the target location (typically /usr/local/ssl/fips-1.0/lib/
for Unix® based or Linux® systems) with the appropriate permissions to satisfy the
security requirement. These four files constitute the validated FIPS Object Module; the (many)
other files also installed by this command are not validated. Note that it is also permissible to
install these files in other locations by other means, provided that they are protected as noted above:
cp fipscanister.o fipscanister.o.sha1 <targetdirectory>
cp fips_premain.c fips_premain.c.sha1 <targetdirectory>
Note that fipscanister.o can either be statically linked into an application binary executable,
or statically linked into a shared library.
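The protections described in §4.2.2 can be checked mechanically. The script below is an added example, not part of the User Guide or the original post: it verifies that the four module files, their directory and every parent directory are owned by the expected user and carry no permission bits beyond 0755. The function names, the optional OWNER_UID and TOP arguments and the reliance on GNU stat are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the installed FIPS Object Module files (section 4.2.2).
# Assumes GNU coreutils stat; function and argument names are illustrative.

FIPS_FILES="fipscanister.o fipscanister.o.sha1 fips_premain.c fips_premain.c.sha1"

# check_entry PATH OWNER_UID
# Succeeds only if PATH exists, is owned by OWNER_UID, and has no mode bits
# outside 0755 (no group/other write, no setuid/setgid/sticky).
check_entry() {
    path=$1
    want_uid=$2
    info=$(stat -c '%a %u' "$path" 2>/dev/null) || { echo "MISSING $path"; return 1; }
    mode=${info% *}
    uid=${info#* }
    if [ "$uid" != "$want_uid" ]; then
        echo "OWNER   $path (uid $uid, expected $want_uid)"
        return 1
    fi
    if [ $(( 0$mode & ~0755 )) -ne 0 ]; then
        echo "MODE    $path (mode $mode exceeds 0755)"
        return 1
    fi
}

# audit_fips_module LIBDIR [OWNER_UID] [TOP]
# Checks the four module files in LIBDIR, then LIBDIR and each parent directory
# up to TOP (default /). OWNER_UID defaults to 0 (root). Returns 1 on any finding.
audit_fips_module() {
    libdir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "MISSING $1"; return 1; }
    owner=${2:-0}
    top=${3:-/}
    rc=0
    for f in $FIPS_FILES; do
        check_entry "$libdir/$f" "$owner" || rc=1
    done
    dir=$libdir
    while :; do
        check_entry "$dir" "$owner" || rc=1
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ]; then break; fi
        dir=$(dirname "$dir")
    done
    return $rc
}

# Run as: sh audit.sh /usr/local/ssl/fips-1.0/lib
if [ "$#" -gt 0 ]; then audit_fips_module "$@"; fi
```

Each finding is printed with a MISSING, OWNER or MODE prefix, so the output can be fed to a configuration-compliance job; a symbolic link in the path is reported as a MODE finding because its own mode is 0777.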
4.2.3 Building a FIPS Capable OpenSSL
At this point a full OpenSSL library has been installed. However, the special distribution required
to generate the validated FIPS Object Module does not correspond exactly to any official OpenSSL
releases. Once the validated FIPS Object Module has been generated the other OpenSSL
components can be replaced with components from a different OpenSSL distribution. Any 0.9.8
releases from j onwards (i.e. 0.9.8j or above) can be used for this purpose. OpenSSL 1.0 is not
compatible. The commands
./config fips <...other options...>
make <...options...>
make install
will install the new OpenSSL without overwriting the validated FIPS Object Module files. The
--with-fipslibdir option can be used to explicitly reference the location of the FIPS Object
Module (fipscanister.o).
The combination of the validated FIPS Object Module plus an OpenSSL distribution built in this
way is referred to as a FIPS capable OpenSSL, as it can be used either as a drop-in replacement for
a non-FIPS OpenSSL or for use in generating FIPS mode applications.
Note that a standard OpenSSL distribution built for use with the FIPS Object Module must have the
./config fips option specified. Other configuration options may be specified in addition to
fips, but omission of the fips option will cause errors when using the OpenSSL libraries with
the FIPS Object Module.
4.3 Building and Installing the FIPS Object Module with OpenSSL (Windows)
The build procedure for Windows is similar to that for the regular OpenSSL product, using MSVC
and NASM for compilation. Note MASM is not supported.
The second stage uses VC++ to link OpenSSL 0.9.8j or later against the installed FIPS module, to
obtain the complete FIPS capable OpenSSL. Both static and shared libraries are supported.
4.3.1 Building the FIPS Object Module from Source
Build the FIPS Object Module from source:
ms/do_fips [noasm]
where the noasm option may or may not be present depending on the platform (see §3.2.1).
Note that as a condition of the FIPS 140-2 validation no other user specified configuration options
may be specified.
4.3.2 Installing and Protecting the FIPS Object Module
The system administrator should install the generated fipscanister.obj,
fipscanister.obj.sha1, and fips_premain.c files in a location protected by the host
operating system security features. These protections should allow write access only to authorized
system administrators (FIPS 140-2 Crypto Officers) and read access only to authorized users.
For Microsoft® Windows® based systems this protection can be provided by ACLs limiting write
access to the administrator group. When all system users are not authorized users the Everyone
(public) read and execute permissions should be removed from these files.
4.3.3 Building a FIPS Capable OpenSSL
The final stage is VC++ compilation of a standard OpenSSL distribution to be referenced in
conjunction with the previously built and installed FIPS Object Module.
Download an OpenSSL 0.9.8 distribution, 0.9.8j or later. Follow the standard Windows® build
procedure except that instead of the command:
perl Configure VC-WIN32
do:
perl Configure VC-WIN32 fips --with-fipslibdir=c:/fips/path
where "c:/fips/path" is wherever the FIPS module from the first stage was installed. Static
and shared library builds are supported.
This command is followed by the usual
ms/do_nasm
and
nmake -f ms/ntdll.mak
to build the shared libraries only, or
nmake -f ms/nt.mak
to build the OpenSSL static libraries. The standard OpenSSL build with the fips option will use
a base address for libeay32.dll of 0xFB00000 by default. This value was chosen because it
is unlikely to conflict with other dynamically loaded libraries. In the event of a clash with another
dynamically loaded library which will trigger runtime relocation of libeay32.dll the integrity
check will fail with the error
FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELATED
A base address conflict can be resolved by shuffling the other DLLs or recompiling
OpenSSL with an alternative base address specified with the --with-baseaddr= option.
Note that the developer can identify which DLLs are relocated with the Process Explorer utility
from http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx.
The resulting FIPS capable OpenSSL can be used for shared or static linking. The shared library
built (when ms/ntdll.mak is used as the Makefile) links fipscanister.o into
libeay32.dll using fipslink.pl in accordance with the requirements of the Security
Policy.
