--------- Original Message --------- Subject: Re: [Openvpn-devel] Code to confirm "FIPS MODE" throwing compile error
From: "Gert Doering" <g...@greenie.muc.de>
List-Post: openvpn-devel@lists.sourceforge.net
Date: 1/8/16 1:41 am
To: "Kevin Long" <kevinlong...@gmail.com>
Cc: openvpn-devel@lists.sourceforge.net

Hi

 On Thu, Jan 07, 2016 at 02:57:34PM -0800, Kevin Long wrote:
 > 
 > I believe I have successfully compiled openvpn on Debian, using a static 
 > openssl library containing the FIPS compliance module.
 > 
 > 
 > However, I have followed this instruction found online:
 > 
 > "Now you should have a FIPS capable OpenSSL (NOTE: OpenSSL itself is not 
 > FIPS validated, only FIPS capable along with the FIPS Object Module). To 
 > make OpenVPN FIPS compliant, you need to add:
 > 
 > #ifdef OPENSSL_FIPS 
 > if(options.no_fips <= 0) {
 > if(!FIPS_mode_set(1) {
 > ERR_load_crypto_strings();
 > ERR_print_errors_fp(stderr);
 > exit(1);
 > 
 > }
 > }
 > else
 > fprintf(stderr,"*** IN FIPS MODE ***\n");
 > #endif

 I'm not sure where this is coming from (it's not something I've seen
 before) but it is at least broken C code - the "if (!FIPS_mode_set(1)" line
 is missing a closing bracket - and it is based on patches to options.c
 and options.h that are missing - as you've noticed, there is no "no_fips"
 field in the "options" structure (and, at this place in the code, there
 is not even an "options" variable around).

 gert
 -- 


 I was wondering if anyone maintains the patch file that would cover the options.h 
change?  I found one here:
 
https://build.opensuse.org/package/show/network:vpn/openvpn
 
but that patch for options.h only has this:
 
--- openvpn-2.3.2/src/openvpn/options.c
+++ openvpn-2.3.2/src/openvpn/options.c 2015/02/19 09:15:10
@@ -828,6 +828,10 @@ init_options (struct options *o, const b
 #endif
 #ifdef ENABLE_CRYPTO
 o->ciphername = "BF-CBC";
+#ifdef OPENSSL_FIPS
+ if(FIPS_mode())
+ o->ciphername = "AES-256-CBC";
+#endif
 o->ciphername_defined = true;
 o->authname = "SHA1";
 o->authname_defined = true;
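Review bot: the `+ if(FIPS_mode())` branch only changes the default cipher when FIPS mode is already enabled at the moment init_options runs; nothing in this hunk calls FIPS_mode_set(), so on a build where no other code enables FIPS mode the test is false and the BF-CBC default from the preceding line is kept. The hunk also leaves the `o->authname = "SHA1";` context line untouched and adds no `no_fips` field, so it does not provide the options.c/options.h changes that the earlier snippet's `options.no_fips` check depends on. Two smaller points: both `---`/`+++` headers name options.c, while the message text calls this the options.h patch, and FIPS_mode() needs the OpenSSL header that declares it (openssl/crypto.h in the 1.0.x series) to be included in options.c, which the hunk does not show.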

However, this still does not define the no_fips.  Is there a maintained patch 
for openvpn?  Any help would be appreciated.
  
 Thank you,
 Peter
