[Openvpn-devel] Added OpenSSL FIPS 2.0 support to OpenVPN

Message ID 1511554982-875-1-git-send-email-jim@carroll.com
State Superseded

Commit Message

Jim Carroll Nov. 24, 2017, 8:23 p.m.
From: JimC <jim@carroll.com>

Modified the autoconf, automake and code to support building OpenVPN with
OpenSSL FIPS Object Module v2.0 validated encryption.

        * Adds: --enable-fips-mode switch to configure.ac
        * Adds: --enable-fips-mode command line switch to openvpn
---
 INSTALL                      | 72 ++++++++++++++++++++++++++++++++++++++++++++
 Makefile.am                  |  5 +++
 configure.ac                 | 42 ++++++++++++++++++++++++++
 src/openvpn/crypto.c         |  2 +-
 src/openvpn/crypto_backend.h |  3 +-
 src/openvpn/crypto_openssl.c | 15 ++++++++-
 src/openvpn/crypto_openssl.h |  8 +++++
 src/openvpn/ntlm.c           |  2 +-
 src/openvpn/openvpn.c        |  7 +++++
 src/openvpn/options.c        | 16 ++++++++++
 src/openvpn/options.h        |  1 +
 src/openvpn/ssl.c            | 12 ++++++--
 src/openvpn/ssl.h            |  4 +++
 13 files changed, 183 insertions(+), 6 deletions(-)

Comments

Antonio Quartulli Dec. 3, 2017, 4:57 a.m. | #1
Hi,

On 25/11/17 04:23, jim@carroll.com wrote:
> From: JimC <jim@carroll.com>
> 
> Modified the autoconf, automake and code to support building OpenVPN with
> OpenSSL FIPS Object Module v2.0 validated encryption.
> 
>         * Adds: --enable-fips-mode switch to configure.ac
>         * Adds: --enable-fips-mode command line switch to openvpn

Please make sure your patch includes the Signed-off-by line (I think
Gert mentioned that already? sorry for repeating).
You should actually add that to your commit message when creating it.

Git can help you with that by just adding the '-s' argument to the 'git
commit' command. Make sure you have configured your name and email in
the git config so that it can pick them up.

Speaking about the name: it should be your full name (nicknames like
JimC are not really legally accepted).

> ---
>  INSTALL                      | 72 ++++++++++++++++++++++++++++++++++++++++++++
>  Makefile.am                  |  5 +++
>  configure.ac                 | 42 ++++++++++++++++++++++++++
>  src/openvpn/crypto.c         |  2 +-
>  src/openvpn/crypto_backend.h |  3 +-
>  src/openvpn/crypto_openssl.c | 15 ++++++++-
>  src/openvpn/crypto_openssl.h |  8 +++++
>  src/openvpn/ntlm.c           |  2 +-
>  src/openvpn/openvpn.c        |  7 +++++
>  src/openvpn/options.c        | 16 ++++++++++
>  src/openvpn/options.h        |  1 +
>  src/openvpn/ssl.c            | 12 ++++++--
>  src/openvpn/ssl.h            |  4 +++
>  13 files changed, 183 insertions(+), 6 deletions(-)
> 
> diff --git a/INSTALL b/INSTALL
> index 3a31e6f..adb3df8 100644
> --- a/INSTALL
> +++ b/INSTALL
> @@ -305,6 +305,78 @@ TUN/TAP Driver Configuration:
>  
>  *************************************************************************
>  
> +OpenSSL FIPS Object Module v2.0 Configuration:
> +
> +These instructions were adapted from 
> +
> +    https://www.openssl.org/docs/fipsnotes.html
> +
> +Requirements:
> +
> +    * OpenSSL 1.0.2m
> +    * openssl-fips-2.0.2

I think the points above are expected to be ">="?
Or are these versions strictly required?

> +
> +WARNING
> +
> +To install FIPS validated encryption, you must follow the instructions in the
> +FIPS 2.0 User's Guide precisely. You are not permitted to modify any of the FIPS
> +build artifacts, makefiles or scripts. The FIPS 2.0 module is only compatible with
> +OpenSSL 1.0.1 and 1.0.2. 
> +
> +These instructions describe the use of OpenSSL 1.0.2m.
> +

This is more a general thought: do you think it is reasonable to have
the instructions about how to compile OpenSSL into the OpenVPN package?
Things may change on the OpenSSL side and we'd need to keep our
instructions up to date, even though we are not modifying the OpenVPN code.

Including a link to the openssl website may make sense, but imho we
should just tell the user to get a FIPS certified openssl module before
moving on.

After all, as you say below, it's the entire platform that needs to be
FIPS supported, thus I don't believe it's OpenVPN's duty to instruct the
users about how to build all the different components.

Some distros may even provide their own FIPS enabled packages.

Thoughts?

> +INSTALLATION:
> +
> +    1. Surf to https://www.openssl.org/source/
> +    2. Download source and validate the download (preferably using PGP)
> +    3. Untar and uncompress tarball
> +    4. You must build using this precise command (do NOT choose any other options):
> +
> +            # ./config && make install
> +
> +            (you may optionally pass 'no-asm' to config)
> +
> +       If the above procedure does not build on your system -- STOP. You are not
> +       building on a FIPS supported platform, and therefore will not have a
> +       FIPS validated encryption environment. See chapter 3 of the FIPS 2.0
> +       User's Guide for the complete list of supported platforms:
> +
> +            https://openssl.org/docs/fips/UserGuide-2.0.pdf
> +
> +    5. Download, build & install openssl 1.0.2m (you are permitted to
> +       modify this step to suite your preferences):
> +
> +            # git clone https://github.com/openssl/openssl.git
> +            # (cd openssl && \
> +                    git checkout OpenSSL_1_0_2m && \
> +                    ./config fips && \
> +                    make depend && \
> +                    make install)
> +
> +    6. Now build openvpn and tell it where to find you recently installed OpenSSL
> +
> +            # ./configure --enable-fips-mode \
> +                    OPENSSL_CFLAGS=-/usr/local/ss/include \
> +                    OPENSSL_LIBS="-ldl -L/usr/local/ssl/lib -lssl -lcrypto"
> +
> +            # make install
> +
> +    7. You can confirm FIPS mode is available with the command
> +
> +            # ./openvpn --version | grep 'library version'
> +            library versions: OpenSSL 1.0.2m-fips  2 Nov 2017, LZO 2.08
> +
> +USAGE:
> +
> +The above adds a new '--enable-fips-mode' command line option to OpenVPN. Add this to your
> +invocation statement. If you've successfully configured OpenVPN for FIPS mode, check your
> +OpenVPN logs for the statement:
> +
> +    *** FIPS MODE ENABLE ***
> +
> +
> +*************************************************************************
> +
>  CAVEATS & BUGS:
>  
>  * I have noticed cases where TCP sessions tunneled over the Linux
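Review bot: step 6 of the INSTALL text passes `OPENSSL_CFLAGS=-/usr/local/ss/include`, which is not a valid compiler flag and does not match the `/usr/local/ssl/lib` used on the next line; it should read `OPENSSL_CFLAGS=-I/usr/local/ssl/include`. The USAGE paragraph also tells the reader to look for `*** FIPS MODE ENABLE ***` in the log, while crypto_openssl.c prints `*** IN FIPS MODE ***`, so one of the two strings needs to change. Minor wording: "suite your preferences" should be "suit", and "where to find you recently installed OpenSSL" should be "your".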
> diff --git a/Makefile.am b/Makefile.am
> index 773b786..6d571ec 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -83,6 +83,11 @@ rootdir=$(prefix)
>  root_DATA = version.sh
>  endif
>  
> +if FIPSMODE
> +export CC
> +export FIPSLD_CC
> +endif
> +
>  config-version.h:
>  	@CONFIGURE_GIT_CHFILES="`GIT_DIR=\"$(top_srcdir)/.git\" $(GIT) diff-files --name-status -r --ignore-submodules --quiet -- || echo \"+\"`"; \
>  	CONFIGURE_GIT_UNCOMMITTED="`GIT_DIR=\"$(top_srcdir)/.git\" $(GIT) diff-index --cached  --quiet --ignore-submodules HEAD || echo \"*\"`"; \
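Review bot: the `export CC` / `export FIPSLD_CC` block is in the top-level Makefile.am, so it only reaches the compiler when make is started from the top directory and recurses; configure.ac substitutes CC with the fipsld wrapper and hands the real compiler to it through FIPSLD_CC, so a `make` run directly in src/openvpn, where the objects are actually compiled and linked, would call the wrapper without that variable. Consider putting the conditional in src/openvpn/Makefile.am as well (or instead), and add a one-line comment explaining why CC is a wrapper when FIPSMODE is set.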
> diff --git a/configure.ac b/configure.ac
> index 7f2e34f..83ac18d 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -293,6 +293,17 @@ AC_ARG_WITH(
>  	[with_crypto_library="openssl"]
>  )
>  
> +AC_ARG_ENABLE(
> +    [fips-mode],
> +    [AS_HELP_STRING([--enable-fips-mode], [OpenSSL FIPS Object Module 2.0 @<:@default=no@:>@])],
> +    [
> +        if test "${with_crypto_library}" != "openssl"; then
> +            AC_MSG_ERROR([enable_fips_mode requires --with_crypto_library=openssl])
> +        fi
> +    ],
> +    [enable_fips_mode="no"]
> +)
> +
>  AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@])
>  if test -n "${PLUGINDIR}"; then
>  	plugindir="${PLUGINDIR}"
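Review bot: the error text `enable_fips_mode requires --with_crypto_library=openssl` spells both switches with underscores, but the user-visible options are `--enable-fips-mode` and `--with-crypto-library=openssl`, so copying the message as printed would not work. The new block also uses four-space indentation where the surrounding configure.ac uses tabs (see the `plugindir` lines right below).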
> @@ -954,6 +965,35 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then
>  		]
>  	)
>  
> +    if test "${enable_fips_mode}" = "yes"; then
> +        AC_CHECK_FUNCS(
> +            [ \
> +                FIPS_mode \
> +                FIPS_mode_set \
> +                SSLeay_version
> +            ],
> +            [],
> +            [AC_MSG_ERROR([Incorrect version of OpenSSL, require 1.0.2])]
> +            )
> +        AC_RUN_IFELSE(
> +            [AC_LANG_PROGRAM(
> +                [[#include <openssl/crypto.h>]],
> +                [[printf("%s\n", SSLeay_version(SSLEAY_DIR));]])
> +            ],
> +            [AC_SUBST(OPENSSLDIR,
> +                [[`./conftest$EXEEXT | $SED -n 's/.*"\(.*\)".*/\1/p'`]])
> +            ]
> +        )
> +        if ! test -x "${OPENSSLDIR}/fips-2.0/bin/fipsld"; then
> +            AC_MSG_ERROR([Incomplete OpenSSL FIPS installation; missing fipsld])
> +        fi
> +        AC_SUBST([FIPSLD_CC], ["${CC}"])
> +        AC_SUBST([CC], ["${OPENSSLDIR}/fips-2.0/bin/fipsld"])
> +        export CC
> +        export FIPSLD_CC
> +        AC_DEFINE([ENABLE_FIPS], [1], [Enable OpenSSL FIPS 2.0 Options])
> +    fi
> +
>  	CFLAGS="${saved_CFLAGS}"
>  	LIBS="${saved_LIBS}"
>  
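Review bot: `AC_RUN_IFELSE` is called with no action-if-false and no action-if-cross-compiling, so a test program that fails to build or run silently leaves OPENSSLDIR empty and the user then gets the misleading `Incomplete OpenSSL FIPS installation; missing fipsld`, and any cross-compile aborts configure with autoconf's generic error. Add an explicit failure branch (for example `AC_MSG_ERROR([cannot determine OPENSSLDIR])`) and allow OPENSSLDIR to be supplied from the environment for cross builds. Replacing CC through `AC_SUBST([CC], ["${OPENSSLDIR}/fips-2.0/bin/fipsld"])` also switches the compiler for every configure test that runs after this point; a comment stating that this is intended, and why the final link has to go through fipsld, would help the next reader.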
> @@ -1373,6 +1413,7 @@ AM_CONDITIONAL([ENABLE_PLUGIN_AUTH_PAM], [test "${enable_plugin_auth_pam}" = "ye
>  AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test "${enable_plugin_down_root}" = "yes"])
>  AM_CONDITIONAL([ENABLE_CRYPTO], [test "${enable_crypto}" = "yes"])
>  AM_CONDITIONAL([HAVE_LD_WRAP_SUPPORT], [test "${have_ld_wrap_support}" = "yes"])
> +AM_CONDITIONAL([FIPSMODE], [test "${enable_fips_mode}" = "yes"])
>  
>  sampledir="\$(docdir)/sample"
>  AC_SUBST([plugindir])
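Review bot: the automake conditional is named `FIPSMODE` while the C define is `ENABLE_FIPS` and the neighbouring conditionals follow the `ENABLE_*` pattern (`ENABLE_PLUGIN_AUTH_PAM`, `ENABLE_CRYPTO`); naming it `ENABLE_FIPS` keeps the configure switch, the define and the conditional easy to grep together.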
> @@ -1441,4 +1482,5 @@ AC_CONFIG_FILES([
>  	sample/Makefile
>  ])
>  AC_CONFIG_FILES([tests/t_client.sh], [chmod +x tests/t_client.sh])
> +

random empty line? shouldn't be part of this patch I think.

>  AC_OUTPUT
> diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
> index 3f3caa1..0c05859 100644
> --- a/src/openvpn/crypto.c
> +++ b/src/openvpn/crypto.c
> @@ -854,7 +854,7 @@ init_key_ctx(struct key_ctx *ctx, const struct key *key,
>      if (kt->digest && kt->hmac_length > 0)
>      {
>          ctx->hmac = hmac_ctx_new();
> -        hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest);
> +        hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest, false);
>  
>          msg(D_HANDSHAKE,
>              "%s: Using %d bit message hash '%s' for HMAC authentication",
> diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
> index 567fd9b..d92ab7c 100644
> --- a/src/openvpn/crypto_backend.h
> +++ b/src/openvpn/crypto_backend.h
> @@ -604,10 +604,11 @@ void hmac_ctx_free(hmac_ctx_t *ctx);
>   * @param key           The key to use for the HMAC
>   * @param key_len       The key length to use
>   * @param kt            Static message digest parameters
> + * @param prf_use       Inteded use for PRF in TLS protocol

little typ0 above: 'Inteded' -> 'Intended'

>   *
>   */
>  void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_length,
> -                   const md_kt_t *kt);
> +                   const md_kt_t *kt, bool prf_use);
>  
>  /*
>   * Free the given HMAC context.
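Review bot: `hmac_ctx_init()` is the backend-neutral prototype, but the diffstat touches only crypto_openssl.c; src/openvpn/crypto_mbedtls.c defines the same function with the old four-argument signature, so a `--with-crypto-library=mbedtls` build no longer compiles. Either update both backends (the flag can be accepted and ignored there) or keep the signature and handle the MD5 exception entirely inside the OpenSSL backend. The new @param text should also say what the flag does: it allows MD5 in FIPS mode only for the TLS 1.0/1.1 PRF, where MD5 is combined with SHA-1, which is the case `EVP_MD_CTX_FLAG_NON_FIPS_ALLOW` exists for.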
> diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
> index 0134e55..caef17b 100644
> --- a/src/openvpn/crypto_openssl.c
> +++ b/src/openvpn/crypto_openssl.c
> @@ -159,6 +159,17 @@ crypto_init_lib(void)
>  #endif
>  }
>  
> +int
> +crypto_enable_fips_mode(int mode)
> +{
> +	if (!FIPS_mode_set(mode)) {

opening '{' should be on a new line (like for functions)

> +		ERR_print_errors_fp(stderr);
> +		return 1;
> +		}

this '}' is not indented properly

> +	msg(M_INFO, "*** IN FIPS MODE ***\n");

do we really need another '\n' ? msg() will put one on its own already.

> +	return 0;
> +}
> +
>  void
>  crypto_uninit_lib(void)
>  {
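Review bot: `ERR_print_errors_fp(stderr)` bypasses OpenVPN's logging, so when the daemon runs detached with stderr closed or redirected, the reason `FIPS_mode_set()` failed is lost; this backend already has `crypto_print_openssl_errors()` (declared in crypto_openssl.h, see the next file) and `crypto_msg()` for exactly this. The function also returns an int error code where the rest of the backend returns bool or fails with `M_FATAL`; a request for FIPS mode that cannot be honoured is arguably fatal, because continuing would leave the process in the non-FIPS state the operator asked to avoid.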
> @@ -926,11 +937,13 @@ hmac_ctx_free(HMAC_CTX *ctx)
>  
>  void
>  hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len,
> -              const EVP_MD *kt)
> +              const EVP_MD *kt, bool prf_use)
>  {
>      ASSERT(NULL != kt && NULL != ctx);
>  
>      HMAC_CTX_reset(ctx);
> +	if (kt == EVP_md5() && prf_use)

bad indentation? (we don't use tabs, but spaces only)

> +		HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
>      HMAC_Init_ex(ctx, key, key_len, kt, NULL);
>  
>      /* make sure we used a big enough key */
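Review bot: the `if (kt == EVP_md5() && prf_use)` body has no braces (OpenVPN style requires them) and needs a comment explaining why MD5 is let through here: `tls1_P_hash()` in ssl.c implements the TLS 1.0 PRF, which XORs an MD5-HMAC stream with a SHA-1-HMAC stream, so MD5 is used as part of that key-derivation construction rather than as a stand-alone digest. Separately, the return value of `HMAC_Init_ex()` is still ignored; in FIPS mode a disallowed digest makes it fail, so the failure should be caught (ASSERT or `crypto_msg(M_FATAL, ...)`) instead of letting callers continue with an uninitialised context.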
> diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h
> index 60a2812..11f3378 100644
> --- a/src/openvpn/crypto_openssl.h
> +++ b/src/openvpn/crypto_openssl.h
> @@ -102,4 +102,12 @@ void crypto_print_openssl_errors(const unsigned int flags);
>      } while (false)
>  
>  
> +/**
> + * Enable FIPS Mode. Returns non-zero to indicate an error.
> + *
> + * @param mode         Should be 1. Future versions of OpenSSL FIPS
> + * 					   code are expected to accept extended modes.

same here: don't use tabs

> + */
> +int crypto_enable_fips_mode(int mode);
> +
>  #endif /* CRYPTO_OPENSSL_H_ */
> diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c
> index 077fa3e..fe39ab1 100644
> --- a/src/openvpn/ntlm.c
> +++ b/src/openvpn/ntlm.c
> @@ -88,7 +88,7 @@ gen_hmac_md5(const uint8_t *data, int data_len, const uint8_t *key, int key_len,
>      const md_kt_t *md5_kt = md_kt_get("MD5");
>      hmac_ctx_t *hmac_ctx = hmac_ctx_new();
>  
> -    hmac_ctx_init(hmac_ctx, key, key_len, md5_kt);
> +    hmac_ctx_init(hmac_ctx, key, key_len, md5_kt, false);
>      hmac_ctx_update(hmac_ctx, data, data_len);
>      hmac_ctx_final(hmac_ctx, result);
>      hmac_ctx_cleanup(hmac_ctx);
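Review bot: `gen_hmac_md5()` passes `false`, so with FIPS mode enabled this `hmac_ctx_init()` call fails (MD5 is not an approved digest and the PRF exemption does not apply), yet `hmac_ctx_init()` is void and the failure is not reported; NTLM proxy authentication would then compute its response over an uninitialised context. Either reject NTLM proxy authentication with a clear error when `fips_mode` is set, or document in the usage text that it is unavailable in FIPS mode.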
> diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c
> index e237ee5..beb1d2a 100644
> --- a/src/openvpn/openvpn.c
> +++ b/src/openvpn/openvpn.c
> @@ -210,6 +210,13 @@ openvpn_main(int argc, char *argv[])
>              /* parse command line options, and read configuration file */
>              parse_argv(&c.options, argc, argv, M_USAGE, OPT_P_DEFAULT, NULL, c.es);
>  
> +#if ENABLE_FIPS
> +			if (c.options.fips_mode) {
> +				if (enable_fips_mode(c.options.fips_mode)) {
> +					break;
> +					}
> +				}

more indentation.

Then, if openvpn has been compiled with FIPS support, is it "allowed" to
have this binary run with FIPS mode disabled? Shouldn't it be enabled
all the time?

And generally speaking: what would be a use case for not using FIPS on a
FIPS enabled platform?

> +#endif
>  #ifdef ENABLE_PLUGIN
>              /* plugins may contribute options configuration */
>              init_verb_mute(&c, IVM_LEVEL_1);
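Review bot: when `enable_fips_mode()` fails the code just `break`s out of the main loop with no message of its own, so the only diagnostic is whatever `ERR_print_errors_fp(stderr)` managed to write; for an operator who explicitly requested FIPS mode, `msg(M_FATAL, ...)` here would be clearer and would also guarantee the process never continues in non-FIPS mode. Also, this file, ssl.c and ssl.h test `#if ENABLE_FIPS` while options.c and options.h use `#ifdef ENABLE_FIPS`; both work with the `AC_DEFINE([ENABLE_FIPS], [1], ...)` in configure.ac, but pick one.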
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index 8e5cdf7..8a1501c 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -522,6 +522,11 @@ static const char usage_message[] =
>      "\n"
>      "Data Channel Encryption Options (must be compatible between peers):\n"
>      "(These options are meaningful for both Static Key & TLS-mode)\n"
> +#ifdef ENABLE_FIPS
> +	"--enable-fips-mode : Enable OpenSSL FIPS Object Module v2.0.\n"
> +	"                  Setting this on the server will enforce FIPS validated\n"
> +	"                  encryption on both client and server.\n"
> +#endif
>      "--secret f [d]  : Enable Static Key encryption mode (non-TLS).\n"
>      "                  Use shared secret file f, generate with --genkey.\n"
>      "                  The optional d parameter controls key directionality.\n"
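Review bot: the help text claims that setting the option on the server "will enforce FIPS validated encryption on both client and server". `FIPS_mode_set()` only restricts the algorithms this process will use or negotiate; a peer that is not itself running a validated module is not made compliant by the server's choice of cipher and digest. Rephrase to something like "restricts this instance to FIPS-approved ciphers and digests; peers must negotiate compatible algorithms", and mention that the directive is accepted in the configuration file too (it is parsed with OPT_P_GENERAL below).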
> @@ -854,6 +859,9 @@ init_options(struct options *o, const bool init_gc)
>  #endiffips
>  #ifdef ENABLE_CRYPTO
>      o->ciphername = "BF-CBC";
> +#ifdef ENABLE_FIPS
> +	o->fips_mode = 0;

why not bool?

> +#endif
>  #ifdef HAVE_AEAD_CIPHER_MODES /* IV_NCP=2 requires GCM support */
>      o->ncp_enabled = true;
>  #else
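Review bot: the context line `#endiffips` does not exist in options.c (the file has `#endif` there), so this hunk will not apply with `git am` or `patch`; it looks like stray editor input that made it into the generated diff. Please regenerate the patch from a clean tree.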
> @@ -1561,6 +1569,7 @@ show_settings(const struct options *o)
>  #endif
>  
>  #ifdef ENABLE_CRYPTO
> +	SHOW_INT(fips_mode);
>      SHOW_BOOL(show_ciphers);
>      SHOW_BOOL(show_digests);
>      SHOW_BOOL(show_engines);
> @@ -7442,6 +7451,13 @@ add_option(struct options *options,
>      }
>  #endif /* USE_COMP */
>  #ifdef ENABLE_CRYPTO
> +#ifdef ENABLE_FIPS
> +	else if (streq(p[0], "enable-fips-mode") && !p[1])
> +	{
> +        VERIFY_PERMISSION(OPT_P_GENERAL);
> +		options->fips_mode = 1;
> +	}
> +#endif
>      else if (streq(p[0], "show-ciphers") && !p[1])
>      {
>          VERIFY_PERMISSION(OPT_P_GENERAL);
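Review bot: the new `enable-fips-mode` directive is parsed with OPT_P_GENERAL, so it is valid in configuration files as well as on the command line, but the man page (doc/openvpn.8) is not in the diffstat and the INSTALL text only describes the command-line form; it should be documented there. Indentation in this block mixes tabs (`else if`, `options->fips_mode = 1;`) with the eight spaces used on the VERIFY_PERMISSION line.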
> diff --git a/src/openvpn/options.h b/src/openvpn/options.h
> index 035c6d1..55d2248 100644
> --- a/src/openvpn/options.h
> +++ b/src/openvpn/options.h
> @@ -189,6 +189,7 @@ struct options
>      int persist_mode;
>  
>  #ifdef ENABLE_CRYPTO
> +	int fips_mode;
>      const char *key_pass_file;
>      bool show_ciphers;
>      bool show_digests;
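Review bot: `int fips_mode` is declared under `#ifdef ENABLE_CRYPTO` only, while its initialisation in init_options() and its parser branch in add_option() are wrapped in `#ifdef ENABLE_FIPS`, and `SHOW_INT(fips_mode)` in show_settings() is unguarded. In a non-FIPS crypto build the field therefore exists, is never explicitly set, and is printed as 0 in the settings dump. Either guard the field and the SHOW_INT with ENABLE_FIPS as well, or drop the guard around the initialisation so the three places agree.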
> diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
> index 843bc39..6a212b8 100644
> --- a/src/openvpn/ssl.c
> +++ b/src/openvpn/ssl.c
> @@ -354,6 +354,14 @@ init_ssl_lib(void)
>      crypto_init_lib();
>  }
>  
> +#if ENABLE_FIPS
> +int
> +enable_fips_mode(int mode)
> +{
> +	return crypto_enable_fips_mode(mode);
> +}
> +#endif
> +
>  void
>  free_ssl_lib(void)
>  {
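Review bot: `enable_fips_mode()` is a one-line pass-through to `crypto_enable_fips_mode()`, which is declared in crypto_openssl.h rather than in crypto_backend.h like the other backend entry points; that ties ssl.c to the OpenSSL backend and leaves the mbed TLS backend without a definition to link against. Declare it in crypto_backend.h (with a stub or a "not supported" error in crypto_mbedtls.c) and let openvpn.c call it directly, or keep the wrapper but give it a comment explaining why the indirection exists.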
> @@ -1640,8 +1648,8 @@ tls1_P_hash(const md_kt_t *md_kt,
>      chunk = md_kt_size(md_kt);
>      A1_len = md_kt_size(md_kt);
>  
> -    hmac_ctx_init(ctx, sec, sec_len, md_kt);
> -    hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt);
> +    hmac_ctx_init(ctx, sec, sec_len, md_kt, true);
> +    hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt, true);
>  
>      hmac_ctx_update(ctx,seed,seed_len);
>      hmac_ctx_final(ctx, A1);
> diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h
> index 0e0f68f..ae23423 100644
> --- a/src/openvpn/ssl.h
> +++ b/src/openvpn/ssl.h
> @@ -600,6 +600,10 @@ bool is_hard_reset(int op, int key_method);
>  
>  void delayed_auth_pass_purge(void);
>  
> +#if ENABLE_FIPS
> +int enable_fips_mode(int mode);
> +#endif
> +
>  #endif /* ENABLE_CRYPTO */
>  
>  #endif /* ifndef OPENVPN_SSL_H */
> 

In general, you can check if the code is compliant with the codestyle by
running uncrustify with the configuration stored in dev-tools/

Cheers,
Jim Carroll Dec. 3, 2017, 3:10 p.m. | #2
Hi Antonio,

Thanks for reviewing.  If you don’t mind, I'm going to answer your
comments and questions a bit out of order.

First, you suggested a series of coding-style changes and the removal of
extra whitespace. I have no comment about these. I'll make all the changes
you described and resubmit.

You asked:

	> Then, if openvpn has been compiled with FIPS support, is it "allowed" to
	> have this binary run with FIPS mode disabled? Shouldn't it be enabled
	> all the time?

The short answer is no. FIPS is only required when an entity is engaged in
processing, storing or transmitting Controlled Unclassified Information
(CUI). Furthermore, FIPS mode encryption is only required when
"encryption" is called for controls.

The government rules on this are quite byzantine and described in NIST SP
800-171 and NIST 800-53. There are plenty of times an entity will choose
to relax these rules when engaged in non-FIPS required activity (eg: when
trying to support older technology used for non CUI access).

And you asked:

	> And generally speaking: what would be a use case for not using FIPS on a
	> FIPS enabled platform?

The best is a service provider with mixed clients. Those customers who
require FIPS encryption would be given access to OpenVPN running with FIPS
restrictions activated, while others would connect to an instance of the
OpenVPN running without the restriction.  The '--enable-fips' command line
option makes this a simple matter from a single binary on the same server.

You asked:

	>> +    * OpenSSL 1.0.2m
	>> +    * openssl-fips-2.0.2

	> I think the points above are expected to be ">="?
	> Or are these versions strictly required?

These versions are strictly required. While the fips module is binary
compatible with OpenSSL 1.0.1x, it would not include OpenSSL bug fixes
available in 1.0.2m which is required by NIST SP 800-171. And because the
fips module is only tested and lab certified up to 1.0.2, you cannot take
the new 1.1.0x branch.  This leaves the user with a single choice 1.0.2m.

If I can belabor this slightly (to frame my next answer): in order to
understand this issue, an admin would need to read and digest the FIPS 2.0
User's Guide and the security policy document, and read and digest the NIST
SP 800-171 document. The 800-171 is a tailoring document, which means it
draws controls from another document, the NIST 800-53 security catalog of
controls.

The point I'm trying to make is that if you are an admin whose company has
tasked you with deploying FIPS mode encryption for protecting CUI and you
wander into the OpenVPN project, you will have something like a month+ of
reading to make all the correct choices about which software bits to grab
and how to build them. In the end, you will discover you are forced to
make the precise choices as laid out in the INSTALL document.

You asked / commented:

	> This is more a general thought: do you think it is reasonable to have
	> the instructions about how to compile OpenSSL into the OpenVPN package?
	> Things may change on the OpenSSL side and we'd need to keep our
	> instructions up to date, even though we are not modifying the OpenVPN code.
	>
	> After all, as you say below, it's the entire platform that needs to be
	> FIPS supported, thus I don't believe it's OpenVPN's duty to instruct the
	> users about how to build all the different components.

There is only one way to achieve FIPS compliance using OpenSSL.  Any
variance, and the user is non-compliant. It seemed like a "mercy" to offer
them the 8 or 10 lines of instructions that will get them to the only
valid path for compliance.

You commented:

	> Some distro may even provide their own FIPS enabled packages.

This is a good point. It is possible that the distro already includes
OpenSSL 1.0.2m. I should change the instructions to suggest they check for
this module and then let them know they can skip the step if they already
have OpenSSL 1.0.2m installed.

Jim C.


Jim Carroll Dec. 4, 2017, 9:39 p.m. | #3
Hi Antonio,

I've resubmitted our patch(es) for FIPS support. While re-reading your message,
I see you asked a question I neglected to answer. In options.h, we declared
an integer option 'fips_mode', and you asked:

	"why not bool?"

The reason is extendibility for planned changes in OpenSSL. According to 
https://wiki.openssl.org/index.php/FIPS_mode_set():

	...Currently all non-zero values of ONOFF enable FIPS mode. In the
	future other values may specify additional actions beyond enabling
	FIPS mode, such as a value of 2 to designate an additional restriction
	to Suite B algorithms....

My thought is it would make it easier to modify the code if we introduce an 
integer to start with.

Jim C.



M3OF,X]<-(XS5!1:<VY>/Q-+\ZA; \X:\/*#59:$JD)8S.TZ20:Q(!CUZ+E[A
M!-V6+Y9+9_#2CX G4C7LD,*>D_T?J?X.7^&M(*ZE=+5X$_)7^:4-5GJCO[GY
MC*7/4G($(0<G(B/8FO<=,%\M\-V**+[KKM<%HL@AR69,=HU Y_GU3PBE![J;
MWYTVZ97^?=PQ@@0C,(($'P(!`3"!L3"!FS$+, D&`U4$!A,"1T(Q&S 9!@-5
M! @3$D=R96%T97(@36%N8VAE<W1E<C$0, X&`U4$!Q,'4V%L9F]R9#$:,!@&
M`U4$"A,10T]-3T1/($-!($QI;6ET960Q03 _!@-5! ,3.$-/34]$3R!32$$M
M,C4V($-L:65N="!!=71H96YT:6-A=&EO;B!A;F0@4V5C=7)E($5M86EL($-!
M`A$`@LU(=IOCH,;4&=[[`9>^K# )!@4K#@,"&@4`H(("1C 8!@DJADB&]PT!
M"0,Q"P8)*H9(AO<-`0<!,!P&"2J&2(;W#0$)!3$/%PTQ-S$R,#0R,3,Y,S5:
M,",&"2J&2(;W#0$)!#$6!!2 W"Z[N6]$X>O%<Z-AL86YD&DE73!;!@DJADB&
M]PT!"0\Q3C!,, H&""J&2(;W#0,', X&""J&2(;W#0,"`@(`@# -!@@JADB&
M]PT#`@(!0# '!@4K#@,"!S -!@@JADB&]PT#`@(!*# '!@4K#@,"&C"!P@8)
M*P8!! &"-Q $,8&T,(&Q,(&;,0LP"08#500&$P)'0C$;,!D&`U4$"!,21W)E
M871E<B!-86YC:&5S=&5R,1 P#@8#500'$P=386QF;W)D,1HP& 8#500*$Q%#
M3TU/1$\@0T$@3&EM:71E9#%!,#\&`U4$`Q,X0T]-3T1/(%-(02TR-38@0VQI
M96YT($%U=&AE;G1I8V%T:6]N(&%N9"!396-U<F4@16UA:6P@0T$"$0""S4AV
MF^.@QM09WOL!E[ZL,('$!@LJADB&]PT!"1 ""S&!M*"!L3"!FS$+, D&`U4$
M!A,"1T(Q&S 9!@-5! @3$D=R96%T97(@36%N8VAE<W1E<C$0, X&`U4$!Q,'
M4V%L9F]R9#$:,!@&`U4$"A,10T]-3T1/($-!($QI;6ET960Q03 _!@-5! ,3
M.$-/34]$3R!32$$M,C4V($-L:65N="!!=71H96YT:6-A=&EO;B!A;F0@4V5C
M=7)E($5M86EL($-!`A$`@LU(=IOCH,;4&=[[`9>^K# -!@DJADB&]PT!`0$%
M``2"`0!0@O5XG-30SN:[D8:'N=B2PAO5M!*0A*Y9ZR*3-O+V@C811T=%TLY/
M%[S[$[2 \6I*%B52771FVL"5U^N/3K)%;50L]\@[-!AP@XS%.8 '%1]#1&9*
M/"#'L*O:7!=H,D>3;3CA>@-O1JFHC@O2[/RE;[MW4MQ:[;/'D8=XZ6"L3/QY
MGELK`T[R%3G@D-B<&[.P?6,,$GGJQ8SJLP_V)+R'%9-L@B%+@+8"@/D<9H\O
MXD[G)@-\:XLRXHHJU)0DC","/N_;3[;O>WW!8?U-%.%S@:3-36*G]V@4;T_[
JHK%9+OON+EWOJ'HQI'-T9@K>1P/^*49V*)GI96"^]I<(';7Y````````
`
end


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
David Sommerseth Dec. 4, 2017, 10:46 p.m. | #4
On 03/12/17 16:10, Jim Carroll wrote:
[...snip...]
> You asked:
> 
> 	>> +    * OpenSSL 1.0.2m
> 	>> +    * openssl-fips-2.0.2
> 
> 	> I think the points above are expected to be ">="?
> 	> Or are these versions strictly required?
> 
> These versions are strictly required. While the fips module is binary
> compatible with OpenSSL 1.0.1x, it would not include OpenSSL bug fixes
> available in 1.0.2m which is required by NIST SP 800-171. And because the
> fips module is only tested and lab certified up to 1.0.2, you cannot take
> the new 1.1.0x branch.  This leaves the user with a single choice 1.0.2m.

[...snip...]

> You commented:
> 
> 	> Some distro may even provide their own FIPS enabled packages.
> 
> This is a good point. It is possible that the distro already includes
> OpenSSL 1.0.2m. I should change the instructions to suggest they check for
> this module and then let them know they can skip the step if they already
> have OpenSSL 1.0.2m installed.

According to this knowledge base article from Red Hat, this is how you FIPS
enable a system:  <https://access.redhat.com/solutions/137833>  (Requires a
registered account; no paid subscription needed)

Now, to a detail regarding the OpenSSL version.  RHEL 6 ships with
openssl-1.0.1e and RHEL 7 ships with openssl-1.0.2k.  And both distributions,
when configured according to the document above, are FIPS compliant installs.
I suspect when RHEL 8 comes in the future, it will ship with OpenSSL 1.1.x as
well, and it would surprise me immensely if that distribution would not be FIPS
compliant as well (as Red Hat has a lot of government customers as well).

So I don't think the version is as strict as you say.  But it might be that
other distributions have gone through the compliance certification on a
different version.

For OpenVPN's part, I don't think we should enforce any strict versions.  It
is up to the admin to ensure a compliant OpenSSL library is installed and the
system is configured accordingly to be FIPS compliant.
Jim Carroll Dec. 5, 2017, 9:21 a.m. | #5
> So I don't think the version is as strict as you say.  But it might be that
> other distributions have gone through the compliance certification on a
> different version.

This is true. Red Hat has gone through the compliance certification on 1.0.2k,
and their security policy is public:
https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3016

> For OpenVPN's part, I don't think we should enforce any strict
> versions.  It is up to admin to ensure a compliant OpenSSL library
> is installed and the system is configured accordingly to be FIPS compliant.

Agreed -- the INSTALL file text we had proposed was to document how they could 
install compliant modules. Here is the text we submitted in our proposed 
patch:

	These instructions describe the use of OpenSSL 1.0.2m.

	PRE-INSTALLATION CHECKUP:

		The INSTALLATION procedure describes how to install an OpenSSL library that
		is built with FIPS support. If your platform already provides a FIPS
		enabled library you can skip to step 6 (build OpenVPN).

But NIST 800-171 also requires that an organization assess systems for 
security deficiencies and remediate as appropriate:

	3.11.2 Scan for vulnerabilities in the information system and applications
	periodically and when new vulnerabilities affecting the system are
	identified.

	3.11.3 Remediate vulnerabilities in accordance with assessments of risk.

	3.12.1 Periodically assess the security controls in organizational
	information systems to determine if the controls are effective in their
	application.

	3.12.2 Develop and implement plans of action designed to correct deficiencies
	and reduce or eliminate vulnerabilities in organizational information
	systems.

Accordingly, there are quite a few published deficiencies for all versions of 
OpenSSL older than 1.0.2h. Installing anything less than 1.0.2h would cause an 
admin serious compliance trouble. It seemed useful to document how to install 
1.0.2m, thereby also getting the benefit of bug fixes of the five intermediate 
patch levels.

Jim C.

Jim Carroll Dec. 8, 2017, 12:34 p.m. | #6
I'm curious about the openvpn-devel process related to patch acceptance. Does 
the fact that the conversation has ended mean the patch is scheduled to be 
added -- or does it instead mean there is no interest and the patch is being 
denied?

Thanks
Jim

Steffan Karger Dec. 8, 2017, 12:40 p.m. | #7
Hi,

On 08-12-17 13:34, Jim Carroll wrote:
> I'm curious about the openvpn-devel process related to patch acceptance. Does 
> the fact that the conversation has ended mean the patch is scheduled to be 
> added -- or does it instead mean there is no interest and the patch is being 
> denied?

It means no one had time to look at it yet.  Most of the developers
process patches in their spare cycles, and those can be scarce :(

In this case: it's on my todo list, but so are many other things.  We'll
get to it at some point, but I can't tell you when unfortunately.

-Steffan


Patch

diff --git a/INSTALL b/INSTALL
index 3a31e6f..adb3df8 100644
--- a/INSTALL
+++ b/INSTALL
@@ -305,6 +305,78 @@  TUN/TAP Driver Configuration:
 
 *************************************************************************
 
+OpenSSL FIPS Object Module v2.0 Configuration:
+
+These instructions were adapted from 
+
+    https://www.openssl.org/docs/fipsnotes.html
+
+Requirements:
+
+    * OpenSSL 1.0.2m
+    * openssl-fips-2.0.2
+
+WARNING
+
+To install FIPS validated encryption, you must follow the instructions in the
+FIPS 2.0 User's Guide precisely. You are not permitted to modify any of the FIPS
+build artifacts, makefiles or scripts. The FIPS 2.0 module is only compatible with
+OpenSSL 1.0.1 and 1.0.2. 
+
+These instructions describe the use of OpenSSL 1.0.2m.
+
+INSTALLATION:
+
+    1. Surf to https://www.openssl.org/source/
+    2. Download source and validate the download (preferably using PGP)
+    3. Untar and uncompress tarball
+    4. You must build using this precise command (do NOT choose any other options):
+
+            # ./config && make install
+
+            (you may optionally pass 'no-asm' to config)
+
+       If the above procedure does not build on your system -- STOP. You are not
+       building on a FIPS supported platform, and therefore will not have a
+       FIPS validated encryption environment. See chapter 3 of the FIPS 2.0
+       User's Guide for the complete list of supported platforms:
+
+            https://openssl.org/docs/fips/UserGuide-2.0.pdf
+
+    5. Download, build & install openssl 1.0.2m (you are permitted to
+       modify this step to suite your preferences):
+
+            # git clone https://github.com/openssl/openssl.git
+            # (cd openssl && \
+                    git checkout OpenSSL_1_0_2m && \
+                    ./config fips && \
+                    make depend && \
+                    make install)
+
+    6. Now build openvpn and tell it where to find you recently installed OpenSSL
+
+            # ./configure --enable-fips-mode \
+                    OPENSSL_CFLAGS=-/usr/local/ss/include \
+                    OPENSSL_LIBS="-ldl -L/usr/local/ssl/lib -lssl -lcrypto"
+
+            # make install
+
+    7. You can confirm FIPS mode is available with the command
+
+            # ./openvpn --version | grep 'library version'
+            library versions: OpenSSL 1.0.2m-fips  2 Nov 2017, LZO 2.08
+
+USAGE:
+
+The above adds a new '--enable-fips-mode' command line option to OpenVPN. Add this to your
+invocation statement. If you've successfully configured OpenVPN for FIPS mode, check your
+OpenVPN logs for the statement:
+
+    *** FIPS MODE ENABLE ***
+
+
+*************************************************************************
+
 CAVEATS & BUGS:
 
 * I have noticed cases where TCP sessions tunneled over the Linux
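Review bot: step 6 contains a typo that breaks a copy-and-paste build: `OPENSSL_CFLAGS=-/usr/local/ss/include` is missing the `-I` and the `l` in `ssl`; it should read `OPENSSL_CFLAGS=-I/usr/local/ssl/include`, matching the `-L/usr/local/ssl/lib` on the next line. The USAGE section tells the admin to look for `*** FIPS MODE ENABLE ***`, but the string logged by crypto_enable_fips_mode() in src/openvpn/crypto_openssl.c further down in this patch is `*** IN FIPS MODE ***`; make the two agree. Smaller wording fixes: "suite your preferences" should be "suit", "where to find you recently installed OpenSSL" should be "your", and steps 1-4 never name the openssl-fips-2.0.2 tarball they are meant to build, so a reader can easily apply them to the 1.0.2m tarball that step 5 handles separately.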
diff --git a/Makefile.am b/Makefile.am
index 773b786..6d571ec 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -83,6 +83,11 @@  rootdir=$(prefix)
 root_DATA = version.sh
 endif
 
+if FIPSMODE
+export CC
+export FIPSLD_CC
+endif
+
 config-version.h:
 	@CONFIGURE_GIT_CHFILES="`GIT_DIR=\"$(top_srcdir)/.git\" $(GIT) diff-files --name-status -r --ignore-submodules --quiet -- || echo \"+\"`"; \
 	CONFIGURE_GIT_UNCOMMITTED="`GIT_DIR=\"$(top_srcdir)/.git\" $(GIT) diff-index --cached  --quiet --ignore-submodules HEAD || echo \"*\"`"; \
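Review bot: the `export CC` / `export FIPSLD_CC` lines only reach the top-level Makefile, while the openvpn binary is linked from src/openvpn; that is fine for a recursive `make` started at the top (exported variables reach sub-makes through the environment) but a `make` run directly inside src/openvpn will not have FIPSLD_CC set for fipsld. Either add the same block to src/openvpn/Makefile.am or document that the build must be driven from the top level. Note also that `export` is a GNU make directive, not POSIX make, which the automake-generated Makefiles otherwise avoid.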
diff --git a/configure.ac b/configure.ac
index 7f2e34f..83ac18d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -293,6 +293,17 @@  AC_ARG_WITH(
 	[with_crypto_library="openssl"]
 )
 
+AC_ARG_ENABLE(
+    [fips-mode],
+    [AS_HELP_STRING([--enable-fips-mode], [OpenSSL FIPS Object Module 2.0 @<:@default=no@:>@])],
+    [
+        if test "${with_crypto_library}" != "openssl"; then
+            AC_MSG_ERROR([enable_fips_mode requires --with_crypto_library=openssl])
+        fi
+    ],
+    [enable_fips_mode="no"]
+)
+
 AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@])
 if test -n "${PLUGINDIR}"; then
 	plugindir="${PLUGINDIR}"
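Review bot: the action-if-given block runs for `--disable-fips-mode` as well as `--enable-fips-mode`, so a user who explicitly disables FIPS mode while building with `--with-crypto-library=mbedtls` still hits the AC_MSG_ERROR; guard it with `if test "${enable_fips_mode}" = "yes" -a "${with_crypto_library}" != "openssl"`. The error text also names both options wrongly: they are `--enable-fips-mode` and `--with-crypto-library=openssl` (dashes, not underscores). Nothing rejects a value other than yes/no, so `--enable-fips-mode=maybe` silently ends up disabled in the later `= "yes"` tests.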
@@ -954,6 +965,35 @@  if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then
 		]
 	)
 
+    if test "${enable_fips_mode}" = "yes"; then
+        AC_CHECK_FUNCS(
+            [ \
+                FIPS_mode \
+                FIPS_mode_set \
+                SSLeay_version
+            ],
+            [],
+            [AC_MSG_ERROR([Incorrect version of OpenSSL, require 1.0.2])]
+            )
+        AC_RUN_IFELSE(
+            [AC_LANG_PROGRAM(
+                [[#include <openssl/crypto.h>]],
+                [[printf("%s\n", SSLeay_version(SSLEAY_DIR));]])
+            ],
+            [AC_SUBST(OPENSSLDIR,
+                [[`./conftest$EXEEXT | $SED -n 's/.*"\(.*\)".*/\1/p'`]])
+            ]
+        )
+        if ! test -x "${OPENSSLDIR}/fips-2.0/bin/fipsld"; then
+            AC_MSG_ERROR([Incomplete OpenSSL FIPS installation; missing fipsld])
+        fi
+        AC_SUBST([FIPSLD_CC], ["${CC}"])
+        AC_SUBST([CC], ["${OPENSSLDIR}/fips-2.0/bin/fipsld"])
+        export CC
+        export FIPSLD_CC
+        AC_DEFINE([ENABLE_FIPS], [1], [Enable OpenSSL FIPS 2.0 Options])
+    fi
+
 	CFLAGS="${saved_CFLAGS}"
 	LIBS="${saved_LIBS}"
 
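Review bot: AC_RUN_IFELSE has no action-if-cross-compiling, so configure aborts outright for every cross build once `--enable-fips-mode` is given; supply one, or take OPENSSLDIR from a `--with-...` argument that the user can override. Three more points in this block: FIPS_mode and FIPS_mode_set also exist in OpenSSL 1.0.1, so AC_CHECK_FUNCS does not establish "require 1.0.2" as the error text claims; the `export CC` and `export FIPSLD_CC` lines have no effect on the build, because configure's shell environment is not inherited by the later make run (AC_SUBST is what carries the values into the Makefiles); and the `${OPENSSLDIR}/fips-2.0/bin/fipsld` test equates the OpenSSL configuration directory with the FIPS module's install prefix, which only holds for the default /usr/local/ssl layout.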
@@ -1373,6 +1413,7 @@  AM_CONDITIONAL([ENABLE_PLUGIN_AUTH_PAM], [test "${enable_plugin_auth_pam}" = "ye
 AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test "${enable_plugin_down_root}" = "yes"])
 AM_CONDITIONAL([ENABLE_CRYPTO], [test "${enable_crypto}" = "yes"])
 AM_CONDITIONAL([HAVE_LD_WRAP_SUPPORT], [test "${have_ld_wrap_support}" = "yes"])
+AM_CONDITIONAL([FIPSMODE], [test "${enable_fips_mode}" = "yes"])
 
 sampledir="\$(docdir)/sample"
 AC_SUBST([plugindir])
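Review bot: naming: the neighbouring conditionals are all ENABLE_*, so `FIPSMODE` should be `ENABLE_FIPS`, which would also match the preprocessor symbol AC_DEFINEd above instead of introducing a second name for the same feature.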
@@ -1441,4 +1482,5 @@  AC_CONFIG_FILES([
 	sample/Makefile
 ])
 AC_CONFIG_FILES([tests/t_client.sh], [chmod +x tests/t_client.sh])
+
 AC_OUTPUT
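Review bot: the added blank line before AC_OUTPUT is an unrelated whitespace change; drop it from this patch.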
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 3f3caa1..0c05859 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -854,7 +854,7 @@  init_key_ctx(struct key_ctx *ctx, const struct key *key,
     if (kt->digest && kt->hmac_length > 0)
     {
         ctx->hmac = hmac_ctx_new();
-        hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest);
+        hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest, false);
 
         msg(D_HANDSHAKE,
             "%s: Using %d bit message hash '%s' for HMAC authentication",
diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
index 567fd9b..d92ab7c 100644
--- a/src/openvpn/crypto_backend.h
+++ b/src/openvpn/crypto_backend.h
@@ -604,10 +604,11 @@  void hmac_ctx_free(hmac_ctx_t *ctx);
  * @param key           The key to use for the HMAC
  * @param key_len       The key length to use
  * @param kt            Static message digest parameters
+ * @param prf_use       Inteded use for PRF in TLS protocol
  *
  */
 void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_length,
-                   const md_kt_t *kt);
+                   const md_kt_t *kt, bool prf_use);
 
 /*
  * Free the given HMAC context.
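Review bot: this signature change is applied only to the OpenSSL backend; crypto_mbedtls.c, which also implements hmac_ctx_init(), is not in the patch, so `--with-crypto-library=mbedtls` no longer builds. Either update that backend (ignoring the flag there) or keep the MD5-in-PRF exception internal to crypto_openssl.c. The parameter also leaks an OpenSSL FIPS detail into the backend-neutral API; the doc comment ("Inteded" should be "Intended") should at least state that `true` marks the HMAC as the TLS 1.0/1.1 PRF so that MD5 is permitted there in FIPS mode.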
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 0134e55..caef17b 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -159,6 +159,17 @@  crypto_init_lib(void)
 #endif
 }
 
+int
+crypto_enable_fips_mode(int mode)
+{
+	if (!FIPS_mode_set(mode)) {
+		ERR_print_errors_fp(stderr);
+		return 1;
+		}
+	msg(M_INFO, "*** IN FIPS MODE ***\n");
+	return 0;
+}
+
 void
 crypto_uninit_lib(void)
 {
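Review bot: the error path uses ERR_print_errors_fp(stderr), which bypasses OpenVPN's msg() logging and is lost once the daemon has detached from its terminal; use crypto_print_openssl_errors() and msg(M_WARN, ...) like the rest of this file. msg() also terminates lines itself, so the trailing `\n` in `"*** IN FIPS MODE ***\n"` produces an empty log line, and this string should match the `*** FIPS MODE ENABLE ***` text the INSTALL hunk tells admins to look for. The block is indented with tabs and the closing brace of the `if` is mis-indented; the file uses four-space indentation with braces on their own lines.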
@@ -926,11 +937,13 @@  hmac_ctx_free(HMAC_CTX *ctx)
 
 void
 hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len,
-              const EVP_MD *kt)
+              const EVP_MD *kt, bool prf_use)
 {
     ASSERT(NULL != kt && NULL != ctx);
 
     HMAC_CTX_reset(ctx);
+	if (kt == EVP_md5() && prf_use)
+		HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
     HMAC_Init_ex(ctx, key, key_len, kt, NULL);
 
     /* make sure we used a big enough key */
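Review bot: the return value of `HMAC_Init_ex(ctx, key, key_len, kt, NULL);` is still unchecked, and with FIPS mode on this is exactly the call that fails for a digest the module rejects (MD5 anywhere other than the PRF path flagged just above); the following update/final calls then run on a context that was never initialised. Check the result and fail with msg(M_FATAL, ...) so the operator sees why the connection cannot proceed. The new `if` should also use braces and the file's four-space indentation rather than tabs.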
diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h
index 60a2812..11f3378 100644
--- a/src/openvpn/crypto_openssl.h
+++ b/src/openvpn/crypto_openssl.h
@@ -102,4 +102,12 @@  void crypto_print_openssl_errors(const unsigned int flags);
     } while (false)
 
 
+/**
+ * Enable FIPS Mode. Returns non-zero to indicate an error.
+ *
+ * @param mode         Should be 1. Future versions of OpenSSL FIPS
+ * 					   code are expected to accept extended modes.
+ */
+int crypto_enable_fips_mode(int mode);
+
 #endif /* CRYPTO_OPENSSL_H_ */
diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c
index 077fa3e..fe39ab1 100644
--- a/src/openvpn/ntlm.c
+++ b/src/openvpn/ntlm.c
@@ -88,7 +88,7 @@  gen_hmac_md5(const uint8_t *data, int data_len, const uint8_t *key, int key_len,
     const md_kt_t *md5_kt = md_kt_get("MD5");
     hmac_ctx_t *hmac_ctx = hmac_ctx_new();
 
-    hmac_ctx_init(hmac_ctx, key, key_len, md5_kt);
+    hmac_ctx_init(hmac_ctx, key, key_len, md5_kt, false);
     hmac_ctx_update(hmac_ctx, data, data_len);
     hmac_ctx_final(hmac_ctx, result);
     hmac_ctx_cleanup(hmac_ctx);
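Review bot: passing `false` here means HMAC-MD5 for NTLM proxy authentication is refused once FIPS mode is on, which is the right outcome (NTLMv2 is not a FIPS-approved mechanism) but a user-visible one: `--http-proxy` with NTLM authentication stops working under `--enable-fips-mode`, and neither the INSTALL text nor the usage message mentions this. Document it, and make sure the failure surfaces as a clear error rather than a silent one.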
diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c
index e237ee5..beb1d2a 100644
--- a/src/openvpn/openvpn.c
+++ b/src/openvpn/openvpn.c
@@ -210,6 +210,13 @@  openvpn_main(int argc, char *argv[])
             /* parse command line options, and read configuration file */
             parse_argv(&c.options, argc, argv, M_USAGE, OPT_P_DEFAULT, NULL, c.es);
 
+#if ENABLE_FIPS
+			if (c.options.fips_mode) {
+				if (enable_fips_mode(c.options.fips_mode)) {
+					break;
+					}
+				}
+#endif
 #ifdef ENABLE_PLUGIN
             /* plugins may contribute options configuration */
             init_verb_mute(&c, IVM_LEVEL_1);
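Review bot: this calls `enable_fips_mode()`, but the function the patch adds in crypto_openssl.c/.h is `crypto_enable_fips_mode()`, so as posted this does not compile with `--enable-fips-mode`. Also `#if ENABLE_FIPS` here versus `#ifdef ENABLE_FIPS` in options.c: pick one (ENABLE_FIPS is AC_DEFINEd to 1, so both happen to work, but `#if` on an undefined macro trips -Wundef). The bare `break` on failure leaves the loop without any message of its own; the only diagnostic is the stderr dump inside crypto_enable_fips_mode(), so a msg(M_FATAL, ...) here would be more in keeping with how other startup failures are reported. Indentation is tabs in a four-space file.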
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 8e5cdf7..8a1501c 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -522,6 +522,11 @@  static const char usage_message[] =
     "\n"
     "Data Channel Encryption Options (must be compatible between peers):\n"
     "(These options are meaningful for both Static Key & TLS-mode)\n"
+#ifdef ENABLE_FIPS
+	"--enable-fips-mode : Enable OpenSSL FIPS Object Module v2.0.\n"
+	"                  Setting this on the server will enforce FIPS validated\n"
+	"                  encryption on both client and server.\n"
+#endif
     "--secret f [d]  : Enable Static Key encryption mode (non-TLS).\n"
     "                  Use shared secret file f, generate with --genkey.\n"
     "                  The optional d parameter controls key directionality.\n"
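Review bot: the help text claims "Setting this on the server will enforce FIPS validated encryption on both client and server", but the changes in this series only set a local `fips_mode` flag and call into the local crypto library; nothing here pushes or checks FIPS state on the peer. If the enforcement comes from the server's cipher negotiation rejecting non-FIPS ciphers, say that; otherwise soften the wording to what the option actually does on the host it is set on. The three new string lines are also tab-indented where the neighbours use four spaces.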
@@ -854,6 +859,9 @@  init_options(struct options *o, const bool init_gc)
 #endif
 #ifdef ENABLE_CRYPTO
     o->ciphername = "BF-CBC";
+#ifdef ENABLE_FIPS
+	o->fips_mode = 0;
+#endif
 #ifdef HAVE_AEAD_CIPHER_MODES /* IV_NCP=2 requires GCM support */
     o->ncp_enabled = true;
 #else
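Review bot: `o->fips_mode = 0;` is guarded by `#ifdef ENABLE_FIPS`, but the `fips_mode` member is declared unconditionally under `ENABLE_CRYPTO` in options.h and `SHOW_INT(fips_mode)` reads it unconditionally in `show_settings`. If `init_options` already zeroes the whole struct the assignment is redundant and can go; if it does not, the guard leaves the field uninitialised in non-FIPS builds. Either way the guard should match the declaration. Indentation is a tab here as well.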
@@ -1561,6 +1569,7 @@  show_settings(const struct options *o)
 #endif
 
 #ifdef ENABLE_CRYPTO
+	SHOW_INT(fips_mode);
     SHOW_BOOL(show_ciphers);
     SHOW_BOOL(show_digests);
     SHOW_BOOL(show_engines);
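Review bot: `SHOW_INT(fips_mode);` is added under `ENABLE_CRYPTO` only, so it is compiled into builds without FIPS support, where the option can never be set; wrap it in the same `ENABLE_FIPS` guard as the other uses or accept that it always prints 0 there. The line is tab-indented while the adjacent `SHOW_BOOL` lines use spaces.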
@@ -7442,6 +7451,13 @@  add_option(struct options *options,
     }
 #endif /* USE_COMP */
 #ifdef ENABLE_CRYPTO
+#ifdef ENABLE_FIPS
+	else if (streq(p[0], "enable-fips-mode") && !p[1])
+	{
+        VERIFY_PERMISSION(OPT_P_GENERAL);
+		options->fips_mode = 1;
+	}
+#endif
     else if (streq(p[0], "show-ciphers") && !p[1])
     {
         VERIFY_PERMISSION(OPT_P_GENERAL);
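Review bot: the new `else if` block mixes tabs (the `else if`, braces and `options->fips_mode = 1;`) with spaces (`VERIFY_PERMISSION`), and puts `else if` at a different indentation from the `else if (streq(p[0], "show-ciphers")` branch right below it; please use four spaces throughout. Consider also an `#else` branch that reports `--enable-fips-mode` as unsupported in this build, so that a user of a non-FIPS binary gets a specific message instead of the generic unknown-option error.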
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index 035c6d1..55d2248 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -189,6 +189,7 @@  struct options
     int persist_mode;
 
 #ifdef ENABLE_CRYPTO
+	int fips_mode;
     const char *key_pass_file;
     bool show_ciphers;
     bool show_digests;
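Review bot: `int fips_mode;` sits unconditionally inside `ENABLE_CRYPTO` while its initialisation in `init_options` is under `#ifdef ENABLE_FIPS`; align the two. The field is an `int` but the only writer sets it to 1 and `openvpn_main` tests it as a boolean, so either document the intended future values (the crypto_openssl.h comment mentions extended modes) next to the member or make it a `bool` like its neighbours. Tab indentation again where the surrounding members use spaces.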
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 843bc39..6a212b8 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -354,6 +354,14 @@  init_ssl_lib(void)
     crypto_init_lib();
 }
 
+#if ENABLE_FIPS
+int
+enable_fips_mode(int mode)
+{
+	return crypto_enable_fips_mode(mode);
+}
+#endif
+
 void
 free_ssl_lib(void)
 {
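Review bot: `enable_fips_mode` calls `crypto_enable_fips_mode`, which this series declares only in crypto_openssl.h, so an `ENABLE_FIPS` build selecting the mbed TLS backend would fail to link; please either make configure.ac reject `--enable-fips-mode` without the OpenSSL backend or declare the function in crypto_backend.h with a stub in the mbed TLS backend. The function body is tab-indented; the rest of ssl.c uses four spaces.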
@@ -1640,8 +1648,8 @@  tls1_P_hash(const md_kt_t *md_kt,
     chunk = md_kt_size(md_kt);
     A1_len = md_kt_size(md_kt);
 
-    hmac_ctx_init(ctx, sec, sec_len, md_kt);
-    hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt);
+    hmac_ctx_init(ctx, sec, sec_len, md_kt, true);
+    hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt, true);
 
     hmac_ctx_update(ctx,seed,seed_len);
     hmac_ctx_final(ctx, A1);
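Review bot: passing `true` to both `hmac_ctx_init` calls here without comment leaves the reader guessing why the TLS PRF is allowed a non-FIPS digest while `gen_hmac_md5` in ntlm.c passes `false`; a short comment that the TLS 1.0 PRF's MD5 half is permitted by the FIPS module only with the non-FIPS-allow flag would document the asymmetry at the point where it matters.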
diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h
index 0e0f68f..ae23423 100644
--- a/src/openvpn/ssl.h
+++ b/src/openvpn/ssl.h
@@ -600,6 +600,10 @@  bool is_hard_reset(int op, int key_method);
 
 void delayed_auth_pass_purge(void);
 
+#if ENABLE_FIPS
+int enable_fips_mode(int mode);
+#endif
+
 #endif /* ENABLE_CRYPTO */
 
 #endif /* ifndef OPENVPN_SSL_H */
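Review bot: the `#if ENABLE_FIPS` guard around the `enable_fips_mode` prototype differs from the `#ifdef ENABLE_FIPS` used in options.c and from the unguarded `crypto_enable_fips_mode` prototype in crypto_openssl.h; settle on one form so the declaration, definition in ssl.c and caller in openvpn.c are all compiled under the same condition. A brief doc comment matching the one in crypto_openssl.h (return value semantics, expected `mode`) would also be useful on the front-end prototype.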