This is a request to pull in check-in 22392 into the 1.0.1 series of
OpenSSL builds.
The change is needed to add a linker flag to OpenSSL builds.
Unless added, OpenSSL builds with the FIPS module run into a fingerprint
mismatch issue.
The email discussion on openssl-dev list follows.
Thanks in advance,
Parag Doke
Save paper, save trees. Do not print emails/documents unless absolutely
necessary.
-- Forwarded message --
From: Dave Thompson
Date: Tue, Feb 11, 2014 at 6:30 AM
Subject: FIPS2.0-Win /fixed fix?, was Re: Which OpenSSL version picked up check-in 22392?
To: openssl-dev@openssl.org
> From: owner-openssl-...@openssl.org On Behalf Of Parag Doke
> Sent: Sunday, February 09, 2014 01:16
> What is the right way to build FIPS compliant OpenSSL binaries? I
> assumed the right way was:
> 1) Build FIPS module (say 2.0.5) using VS2008.
> Going by your reply, this should already have the "/fixed" linker
> flag. I will search the FIPS module source tarball to find which file
> has this.
It is still in util/pl/VC-32.pl but in a different line than for
FIPS1.2/OpenSSL 0.9.8.
> 2) Configure OpenSSL (say 1.0.1e) with the following configure options:
> perl Configure VC-WIN32 fips --with-fipslibdir=
> And then call make:
> nmake /f ms\ntdll.mak
>
I think you're doing it right, though I can't confirm from experience.
> In this approach, I confirm that I see the mismatch error as discussed
> on thread:
> http://comments.gmane.org/gmane.comp.encryption.openssl.devel/18309
>
> When I patched OpenSSL 1.0.1e source (util/pl/VC-32.pl) and built it
> again, the problem was fixed.
>
> That led me to believe the change didn't make it to the 1.0.1
> branches. Either that, or the way I'm building is wrong :-).
>
The change certainly isn't in the FIPS-USING 1.0.1, that's clear from
just looking. From the discussion I thought that doing it on the FIPS module
should work without doing it on the caller, but maybe not. In fact thinking
about it, since the FIPS module is embedded in libeay32.dll it makes sense
it should be in the FIPS-USING build, but at this point you need a real dev
(which I'm not) to confirm.
> If this is the right way to build, should I request this list to patch
> 1.0.1 series?
Probably you should request the change, but via the request tracker
not the maillist. (Maillist messages can easily get lost.)
Certainly if it works for you, you can just use it. You are permitted
to change the FIPS-USING code compile and link as long as it follows
a few specific bits of the security policy, unlike the FIPS module itself
which per policy you can't modify at all even when it makes no difference.
> Thanks in advance,
> Parag Doke
>
> On 2/8/14, Dave Thompson wrote:
> > I'm not a dev or even a real FIPSian, but I'll take a stab:
> >
> > The commit itself says branch_0_9_8_stable, and see it in 0.9.8v and
> > later. But I don't think it does any good there, because you don't want
> > to build a FIPS module from a normal tarball. (It's not validated, so
> > it's no better and perhaps worse than a plain non-FIPS library.) There
> > is one release on the website of fips-1.2 after 2012-apr-15, 1.2.4,
> > which clearly does not have the change (VC-32.pl contents and timestamp
> > unchanged).
> >
> > All of the fips-2.0* tarballs are well after 2012-apr and do add /fixed,
> > but not exactly this way. They put it in a different place that looks to
> > have the same result, but I don't have actual FIPS builds to verify.
> >
> >
> > From: owner-openssl-...@openssl.org [mailto:owner-openssl-
> d...@openssl.org]
> > On Behalf Of Parag Doke
> > Sent: Thursday, February 06, 2014 08:37
> > To: openssl-dev@openssl.org
> > Subject: *** Spam *** Which OpenSSL version picked up check-in 22392?
> >
> >
> >
> > Hello All.
> >
> > I'm new to this list. Just wanted to ask which OpenSSL version picked up
> > check-in 22392 ?
> >
> > Here is the change I'm interested in:
> > http://cvs.openssl.org/chngview?cn=22392
> >
> >
> > Context:
> >
> > Avoid rebasing dll so that the fingerprint mismatch issue does not show
up.
> > The discussion is on this link:
> > http://comments.gmane.org/gmane.comp.encryption.openssl.devel/18309
> >
> > I looked at the code for OpenSSL 1.0.1e and 1.0.1f, both did not have
this
> > change.
> >
> > Was it obsoleted by some other subsequent change ?
> >
> > Thanks in advance,
> >
> >
> > Parag Doke
> >
>
> --
> Parag Doke
> OpenSSL Project http://www.openssl.org
> Development Mailing List openssl-dev@openssl.org
> Automated List Manager majord...@openssl.org
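The thread above boils down to one build property: the FIPS-capable libeay32.dll must be linked with /fixed so the loader can never rebase it, because the FIPS module's embedded integrity fingerprint is computed over the image as laid out at link time and a relocated image no longer matches. The script below is an added example, not code from the thread or from the OpenSSL project. It parses the PE headers of a built DLL and reports the two signals that MSVC's /FIXED option leaves behind (the IMAGE_FILE_RELOCS_STRIPPED characteristic and an empty base-relocation directory), so a build engineer can confirm the VC-32.pl change took effect before a fingerprint mismatch shows up at load time. The default path `out32dll\libeay32.dll` is an assumption about the ntdll.mak output layout; the sample images it falls back to are constructed in the script and are not real OpenSSL binaries.

```python
"""Added example (not from the OpenSSL thread): check whether a Windows PE
image was linked with MSVC's /FIXED option.

/FIXED makes the linker omit the base-relocation (.reloc) section and set the
IMAGE_FILE_RELOCS_STRIPPED characteristic, so the loader can never rebase the
image. That is the property the FIPS module's embedded integrity fingerprint
depends on; this parser confirms it on the produced DLL.
"""
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001   # COFF Characteristics bit set by /FIXED
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
BASE_RELOC_DIR_INDEX = 5              # IMAGE_DIRECTORY_ENTRY_BASERELOC


def inspect_relocations(image: bytes) -> dict:
    """Parse the DOS/PE headers and report the relocation-related fields."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    (_machine, _nsect, _stamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == PE32_MAGIC:
        dirs = opt + 96       # data directories follow the PE32 fields
    elif magic == PE32PLUS_MAGIC:
        dirs = opt + 112      # PE32+ fields are 16 bytes longer
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    reloc_entry = dirs + BASE_RELOC_DIR_INDEX * 8
    reloc_rva = reloc_size = 0
    # A short optional header may not carry the base-reloc directory at all.
    if reloc_entry + 8 <= opt + opt_size:
        reloc_rva, reloc_size = struct.unpack_from("<II", image, reloc_entry)
    return {
        "relocs_stripped": bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED),
        "reloc_rva": reloc_rva,
        "reloc_size": reloc_size,
    }


def is_fixed_image(image: bytes) -> bool:
    """True only if both signals of /FIXED agree: flag set and no .reloc data."""
    info = inspect_relocations(image)
    return info["relocs_stripped"] and info["reloc_size"] == 0


def build_sample_image(fixed: bool) -> bytes:
    """Constructed minimal PE32 header (no sections) for offline testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE signature
    characteristics = 0x2102                           # EXECUTABLE | 32BIT | DLL
    if fixed:
        characteristics |= IMAGE_FILE_RELOCS_STRIPPED
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)                               # PE32 optional header size
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    if not fixed:
        # Relocatable build: a .reloc directory of 0x200 bytes at RVA 0x5000.
        struct.pack_into("<II", opt, 96 + BASE_RELOC_DIR_INDEX * 8, 0x5000, 0x200)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    # Assumed location of the DLL produced by "nmake /f ms\ntdll.mak".
    path = sys.argv[1] if len(sys.argv) > 1 else r"out32dll\libeay32.dll"
    try:
        with open(path, "rb") as f:
            data = f.read()
        print(path, "linked /FIXED:", is_fixed_image(data), inspect_relocations(data))
    except OSError:
        # No DLL at hand: show the check on the constructed samples instead.
        for flag in (True, False):
            print("constructed sample fixed=%s -> %s"
                  % (flag, inspect_relocations(build_sample_image(flag))))
```

Run it against the DLL that `nmake /f ms\ntdll.mak` produced; a result of `linked /FIXED: False` with a non-zero `reloc_size` means the linker flag did not reach the ntdll.mak link line and the image can still be rebased, which is exactly the condition under which the FIPS fingerprint check fails. The function checks both the characteristics bit and the directory size because either one alone can be misleading on hand-edited or post-processed images.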