Message ID | 1511554982-875-1-git-send-email-jim@carroll.com |
---|---|
State | Superseded |
Headers | show |
Series | [Openvpn-devel] Added OpenSSL FIPS 2.0 support to OpenVPN | expand |
Hi, On 25/11/17 04:23, jim@carroll.com wrote: > From: JimC <jim@carroll.com> > > Modified the autoconf, automake and code to support building OpenVPN with > OpenSSL FIPS Object Module v2.0 validated encryption. > > * Adds: --enable-fips-mode switch to configure.ac > * Adds: --enable-fips-mode command line switch to openvpn Please make sure your patch includes the Signed-off-by line (I think Gert mentioned that already? sorry for repeating). You should actually add that to your commit message when creating it. Git can help you with that by just adding the '-s' argument to the 'git commit' command. Make sure you have configured your name and email in the git config so that it can pick them up. Speaking about the name: it should be your full name (nicknames like JimC are not really legally accepted). > --- > INSTALL | 72 ++++++++++++++++++++++++++++++++++++++++++++ > Makefile.am | 5 +++ > configure.ac | 42 ++++++++++++++++++++++++++ > src/openvpn/crypto.c | 2 +- > src/openvpn/crypto_backend.h | 3 +- > src/openvpn/crypto_openssl.c | 15 ++++++++- > src/openvpn/crypto_openssl.h | 8 +++++ > src/openvpn/ntlm.c | 2 +- > src/openvpn/openvpn.c | 7 +++++ > src/openvpn/options.c | 16 ++++++++++ > src/openvpn/options.h | 1 + > src/openvpn/ssl.c | 12 ++++++-- > src/openvpn/ssl.h | 4 +++ > 13 files changed, 183 insertions(+), 6 deletions(-) > > diff --git a/INSTALL b/INSTALL > index 3a31e6f..adb3df8 100644 > --- a/INSTALL > +++ b/INSTALL 
> @@ -305,6 +305,78 @@ TUN/TAP Driver Configuration: > > ************************************************************************* > > +OpenSSL FIPS Object Module v2.0 Configuration: > + > +These instructions were adapted from > + > + https://www.openssl.org/docs/fipsnotes.html > + > +Requirements: > + > + * OpenSSL 1.0.2m > + * openssl-fips-2.0.2 I think the points above are expected to be ">="? Or are these versions strictly required? > + > +WARNING > + > +To install FIPS validated encryption, you must follow the instructions in the > +FIPS 2.0 User's Guide precisely. You are not permitted to modify any of the FIPS > +build artifacts, makefiles or scripts. The FIPS 2.0 module is only compatible with > +OpenSSL 1.0.1 and 1.0.2. > + > +These instructions describe the use of OpenSSL 1.0.2m. > + This is more a general thought: do you think it is reasonable to have the instructions about how to compile OpenSSL into the OpenVPN package? Things may change on the OpenSSL side and we'd need to keep our instructions up to date, even though we are not modifying the OpenVPN code. Including a link to the openssl website may make sense, but imho we should just tell the user to get a FIPS certified openssl module before moving on. After all, as you say below, it's the entire platform that needs to be FIPS supported, thus I don't believe it's OpenVPN duty to instruct the users about how building all the different components. Some distro may even provide their own FIPS enabled packages. Thoughts? > +INSTALLATION: > + > + 1. Surf to https://www.openssl.org/source/ > + 2. Download source and validate the download (preferably using PGP) > + 3. Untar and uncompress tarball > + 4. You must build using this precise command (do NOT choose any other options): > + > + # ./config && make install > + > + (you may optionally pass 'no-asm' to config) > + > + If the above procedure does not build on your system -- STOP. 
You are not > + building on a FIPS supported platform, and therefore will not have a > + FIPS validated encryption environment. See chapter 3 of the FIPS 2.0 > + User's Guide for the complete list of supported platforms: > + > + https://openssl.org/docs/fips/UserGuide-2.0.pdf > + > + 5. Download, build & install openssl 1.0.2m (you are permitted to > + modify this step to suite your preferences): > + > + # git clone https://github.com/openssl/openssl.git > + # (cd openssl && \ > + git checkout OpenSSL_1_0_2m && \ > + ./config fips && \ > + make depend && \ > + make install) > + > + 6. Now build openvpn and tell it where to find you recently installed OpenSSL > + > + # ./configure --enable-fips-mode \ > + OPENSSL_CFLAGS=-/usr/local/ss/include \ > + OPENSSL_LIBS="-ldl -L/usr/local/ssl/lib -lssl -lcrypto" > + > + # make install > + > + 7. You can confirm FIPS mode is available with the command > + > + # ./openvpn --version | grep 'library version' > + library versions: OpenSSL 1.0.2m-fips 2 Nov 2017, LZO 2.08 > + > +USAGE: > + > +The above adds a new '--enable-fips-mode' command line option to OpenVPN. Add this to your > +invocation statement. If you've successfully configured OpenVPN for FIPS mode, check your > +OpenVPN logs for the statement: > + > + *** FIPS MODE ENABLE *** > + > + > +************************************************************************* > + > CAVEATS & BUGS: > > * I have noticed cases where TCP sessions tunneled over the Linux > diff --git a/Makefile.am b/Makefile.am > index 773b786..6d571ec 100644 > --- a/Makefile.am > +++ b/Makefile.am 
> @@ -83,6 +83,11 @@ rootdir=$(prefix) > root_DATA = version.sh > endif > > +if FIPSMODE > +export CC > +export FIPSLD_CC > +endif > + > config-version.h: > @CONFIGURE_GIT_CHFILES="`GIT_DIR=\"$(top_srcdir)/.git\" $(GIT) diff-files --name-status -r --ignore-submodules --quiet -- || echo \"+\"`"; \ > CONFIGURE_GIT_UNCOMMITTED="`GIT_DIR=\"$(top_srcdir)/.git\" $(GIT) diff-index --cached --quiet --ignore-submodules HEAD || echo \"*\"`"; \ > diff --git a/configure.ac b/configure.ac > index 7f2e34f..83ac18d 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -293,6 +293,17 @@ AC_ARG_WITH( > [with_crypto_library="openssl"] > ) > > +AC_ARG_ENABLE( > + [fips-mode], > + [AS_HELP_STRING([--enable-fips-mode], [OpenSSL FIPS Object Module 2.0 @<:@default=no@:>@])], > + [ > + if test "${with_crypto_library}" != "openssl"; then > + AC_MSG_ERROR([enable_fips_mode requires --with_crypto_library=openssl]) > + fi > + ], > + [enable_fips_mode="no"] > +) > + > AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@]) > if test -n "${PLUGINDIR}"; then > plugindir="${PLUGINDIR}" 
> @@ -954,6 +965,35 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then > ] > ) > > + if test "${enable_fips_mode}" = "yes"; then > + AC_CHECK_FUNCS( > + [ \ > + FIPS_mode \ > + FIPS_mode_set \ > + SSLeay_version > + ], > + [], > + [AC_MSG_ERROR([Incorrect version of OpenSSL, require 1.0.2])] > + ) > + AC_RUN_IFELSE( > + [AC_LANG_PROGRAM( > + [[#include <openssl/crypto.h>]], > + [[printf("%s\n", SSLeay_version(SSLEAY_DIR));]]) > + ], > + [AC_SUBST(OPENSSLDIR, > + [[`./conftest$EXEEXT | $SED -n 's/.*"\(.*\)".*/\1/p'`]]) > + ] > + ) > + if ! test -x "${OPENSSLDIR}/fips-2.0/bin/fipsld"; then > + AC_MSG_ERROR([Incomplete OpenSSL FIPS installation; missing fipsld]) > + fi > + AC_SUBST([FIPSLD_CC], ["${CC}"]) > + AC_SUBST([CC], ["${OPENSSLDIR}/fips-2.0/bin/fipsld"]) > + export CC > + export FIPSLD_CC > + AC_DEFINE([ENABLE_FIPS], [1], [Enable OpenSSL FIPS 2.0 Options]) > + fi > + > CFLAGS="${saved_CFLAGS}" > LIBS="${saved_LIBS}" > > @@ -1373,6 +1413,7 @@ AM_CONDITIONAL([ENABLE_PLUGIN_AUTH_PAM], [test "${enable_plugin_auth_pam}" = "ye > AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test "${enable_plugin_down_root}" = "yes"]) > AM_CONDITIONAL([ENABLE_CRYPTO], [test "${enable_crypto}" = "yes"]) > AM_CONDITIONAL([HAVE_LD_WRAP_SUPPORT], [test "${have_ld_wrap_support}" = "yes"]) > +AM_CONDITIONAL([FIPSMODE], [test "${enable_fips_mode}" = "yes"]) > > sampledir="\$(docdir)/sample" > AC_SUBST([plugindir]) > @@ -1441,4 +1482,5 @@ AC_CONFIG_FILES([ > sample/Makefile > ]) > AC_CONFIG_FILES([tests/t_client.sh], [chmod +x tests/t_client.sh]) > + random empty line? shouldn't be part of this patch I think. > AC_OUTPUT > diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c > index 3f3caa1..0c05859 100644 > --- a/src/openvpn/crypto.c > +++ b/src/openvpn/crypto.c 
> @@ -854,7 +854,7 @@ init_key_ctx(struct key_ctx *ctx, const struct key *key, > if (kt->digest && kt->hmac_length > 0) > { > ctx->hmac = hmac_ctx_new(); > - hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest); > + hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest, false); > > msg(D_HANDSHAKE, > "%s: Using %d bit message hash '%s' for HMAC authentication", > diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h > index 567fd9b..d92ab7c 100644 > --- a/src/openvpn/crypto_backend.h > +++ b/src/openvpn/crypto_backend.h > @@ -604,10 +604,11 @@ void hmac_ctx_free(hmac_ctx_t *ctx); > * @param key The key to use for the HMAC > * @param key_len The key length to use > * @param kt Static message digest parameters > + * @param prf_use Inteded use for PRF in TLS protocol little typ0 above: 'Inteded' - > 'Intended' > * > */ > void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_length, > - const md_kt_t *kt); > + const md_kt_t *kt, bool prf_use); > > /* > * Free the given HMAC context. > diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c > index 0134e55..caef17b 100644 > --- a/src/openvpn/crypto_openssl.c > +++ b/src/openvpn/crypto_openssl.c > @@ -159,6 +159,17 @@ crypto_init_lib(void) > #endif > } > > +int > +crypto_enable_fips_mode(int mode) > +{ > + if (!FIPS_mode_set(mode)) { opening '{' should be on a new line (like for functions) > + ERR_print_errors_fp(stderr); > + return 1; > + } this '}' is not indented properly > + msg(M_INFO, "*** IN FIPS MODE ***\n"); do we really need another '\n' ? msg() will put one on its own already. > + return 0; > +} > + > void > crypto_uninit_lib(void) > { 
> @@ -926,11 +937,13 @@ hmac_ctx_free(HMAC_CTX *ctx) > > void > hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len, > - const EVP_MD *kt) > + const EVP_MD *kt, bool prf_use) > { > ASSERT(NULL != kt && NULL != ctx); > > HMAC_CTX_reset(ctx); > + if (kt == EVP_md5() && prf_use) bad indentation? (we don't use tabs, but spaces only) > + HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); > HMAC_Init_ex(ctx, key, key_len, kt, NULL); > > /* make sure we used a big enough key */ > diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h > index 60a2812..11f3378 100644 > --- a/src/openvpn/crypto_openssl.h > +++ b/src/openvpn/crypto_openssl.h > @@ -102,4 +102,12 @@ void crypto_print_openssl_errors(const unsigned int flags); > } while (false) > > > +/** > + * Enable FIPS Mode. Returns non-zero to indicate an error. > + * > + * @param mode Should be 1. Future versions of OpenSSL FIPS > + * code are expected to accept extended modes. same here: don't use tabs > + */ > +int crypto_enable_fips_mode(int mode); > + > #endif /* CRYPTO_OPENSSL_H_ */ > diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c > index 077fa3e..fe39ab1 100644 > --- a/src/openvpn/ntlm.c > +++ b/src/openvpn/ntlm.c > @@ -88,7 +88,7 @@ gen_hmac_md5(const uint8_t *data, int data_len, const uint8_t *key, int key_len, > const md_kt_t *md5_kt = md_kt_get("MD5"); > hmac_ctx_t *hmac_ctx = hmac_ctx_new(); > > - hmac_ctx_init(hmac_ctx, key, key_len, md5_kt); > + hmac_ctx_init(hmac_ctx, key, key_len, md5_kt, false); > hmac_ctx_update(hmac_ctx, data, data_len); > hmac_ctx_final(hmac_ctx, result); > hmac_ctx_cleanup(hmac_ctx); > diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c > index e237ee5..beb1d2a 100644 > --- a/src/openvpn/openvpn.c > +++ b/src/openvpn/openvpn.c 
> @@ -210,6 +210,13 @@ openvpn_main(int argc, char *argv[]) > /* parse command line options, and read configuration file */ > parse_argv(&c.options, argc, argv, M_USAGE, OPT_P_DEFAULT, NULL, c.es); > > +#if ENABLE_FIPS > + if (c.options.fips_mode) { > + if (enable_fips_mode(c.options.fips_mode)) { > + break; > + } > + } more indentation. Then, if openvpn has been compiled with FIPS support, is it "allowed" to have this binary run with FIPS mode disabled? Shouldn't it be enabled all the time? And generally speaking: what would be a use case for not using FIPS on a FIPS enabled platform? > +#endif > #ifdef ENABLE_PLUGIN > /* plugins may contribute options configuration */ > init_verb_mute(&c, IVM_LEVEL_1); > diff --git a/src/openvpn/options.c b/src/openvpn/options.c > index 8e5cdf7..8a1501c 100644 > --- a/src/openvpn/options.c > +++ b/src/openvpn/options.c > @@ -522,6 +522,11 @@ static const char usage_message[] = > "\n" > "Data Channel Encryption Options (must be compatible between peers):\n" > "(These options are meaningful for both Static Key & TLS-mode)\n" > +#ifdef ENABLE_FIPS > + "--enable-fips-mode : Enable OpenSSL FIPS Object Module v2.0.\n" > + " Setting this on the server will enforce FIPS validated\n" > + " encryption on both client and server.\n" > +#endif > "--secret f [d] : Enable Static Key encryption mode (non-TLS).\n" > " Use shared secret file f, generate with --genkey.\n" > " The optional d parameter controls key directionality.\n" > @@ -854,6 +859,9 @@ init_options(struct options *o, const bool init_gc) > #endiffips > #ifdef ENABLE_CRYPTO > o->ciphername = "BF-CBC"; > +#ifdef ENABLE_FIPS > + o->fips_mode = 0; why not bool? > +#endif > #ifdef HAVE_AEAD_CIPHER_MODES /* IV_NCP=2 requires GCM support */ > o->ncp_enabled = true; > #else > @@ -1561,6 +1569,7 @@ show_settings(const struct options *o) > #endif > > #ifdef ENABLE_CRYPTO > + SHOW_INT(fips_mode); > SHOW_BOOL(show_ciphers); > SHOW_BOOL(show_digests); > SHOW_BOOL(show_engines); 
> @@ -7442,6 +7451,13 @@ add_option(struct options *options, > } > #endif /* USE_COMP */ > #ifdef ENABLE_CRYPTO > +#ifdef ENABLE_FIPS > + else if (streq(p[0], "enable-fips-mode") && !p[1]) > + { > + VERIFY_PERMISSION(OPT_P_GENERAL); > + options->fips_mode = 1; > + } > +#endif > else if (streq(p[0], "show-ciphers") && !p[1]) > { > VERIFY_PERMISSION(OPT_P_GENERAL); > diff --git a/src/openvpn/options.h b/src/openvpn/options.h > index 035c6d1..55d2248 100644 > --- a/src/openvpn/options.h > +++ b/src/openvpn/options.h > @@ -189,6 +189,7 @@ struct options > int persist_mode; > > #ifdef ENABLE_CRYPTO > + int fips_mode; > const char *key_pass_file; > bool show_ciphers; > bool show_digests; > diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c > index 843bc39..6a212b8 100644 > --- a/src/openvpn/ssl.c > +++ b/src/openvpn/ssl.c > @@ -354,6 +354,14 @@ init_ssl_lib(void) > crypto_init_lib(); > } > > +#if ENABLE_FIPS > +int > +enable_fips_mode(int mode) > +{ > + return crypto_enable_fips_mode(mode); > +} > +#endif > + > void > free_ssl_lib(void) > { > @@ -1640,8 +1648,8 @@ tls1_P_hash(const md_kt_t *md_kt, > chunk = md_kt_size(md_kt); > A1_len = md_kt_size(md_kt); > > - hmac_ctx_init(ctx, sec, sec_len, md_kt); > - hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt); > + hmac_ctx_init(ctx, sec, sec_len, md_kt, true); > + hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt, true); > > hmac_ctx_update(ctx,seed,seed_len); > hmac_ctx_final(ctx, A1); > diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h > index 0e0f68f..ae23423 100644 > --- a/src/openvpn/ssl.h > +++ b/src/openvpn/ssl.h > @@ -600,6 +600,10 @@ bool is_hard_reset(int op, int key_method); > > void delayed_auth_pass_purge(void); > > +#if ENABLE_FIPS > +int enable_fips_mode(int mode); > +#endif > + > #endif /* ENABLE_CRYPTO */ > > #endif /* ifndef OPENVPN_SSL_H */ > In general, you can check if the code is compliant with the codestyle by running uncrustify with the configuration stored in dev-tools/ Cheers,
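Review bot: In the INSTALL hunk, step 6 passes `OPENSSL_CFLAGS=-/usr/local/ss/include`, which is not a valid compiler flag and names a different prefix than the `-L/usr/local/ssl/lib` in OPENSSL_LIBS on the next line; it should read `OPENSSL_CFLAGS=-I/usr/local/ssl/include`. The USAGE paragraph tells admins to look for `*** FIPS MODE ENABLE ***` in the log, but crypto_enable_fips_mode() in the crypto_openssl.c hunk prints `*** IN FIPS MODE ***`, so one of the two strings has to change. Steps 1-4 also never say which tarball they build; since step 5 separately builds OpenSSL 1.0.2m, state that steps 1-4 are the openssl-fips-2.0.2 module from the Requirements list. Minor wording: "find you recently installed" should be "find your recently installed" and "suite your preferences" should be "suit your preferences".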
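Review bot: In the configure.ac AC_ARG_ENABLE hunk, the error text `enable_fips_mode requires --with_crypto_library=openssl` names the shell variable rather than the flag; the option defined by the AC_ARG_WITH just above is `--with-crypto-library=openssl`. The check also sits in the action-if-given branch, so `--enable-fips-mode=no` combined with a non-OpenSSL crypto library would still abort configure; wrap it in `if test "${enable_fips_mode}" = "yes"`.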
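Review bot: In the second configure.ac hunk, the AC_RUN_IFELSE has no action-if-cross-compiling branch, so `--enable-fips-mode` makes configure abort outright on any cross build; either add that branch or let the user pass OPENSSLDIR explicitly. The test program calls printf() without `#include <stdio.h>`, and because OPENSSLDIR is taken from a second invocation of `./conftest$EXEEXT` rather than from the program's first run, a failure of that rerun leaves the variable empty and surfaces as the misleading "missing fipsld" error. `if ! test -x ...` is also not portable to every sh that Autoconf targets; `if test ! -x ...` is. Finally, silently replacing CC with fipsld for the whole build deserves an AC_MSG_NOTICE so the user can see it in the configure output.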
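Review bot: In the crypto_enable_fips_mode() hunk, the failure path writes with ERR_print_errors_fp(stderr), which bypasses OpenVPN's logging and is lost once the daemon's stderr is closed or logs go to syslog; use crypto_print_openssl_errors() (declared in crypto_openssl.h, visible in that hunk's context) together with msg(M_FATAL, ...) like the rest of the file. The function also passes `mode` straight to FIPS_mode_set() even though the header comment says only 1 is meaningful today; log the requested value or validate it so a future caller cannot silently request a mode the module does not support.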
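Review bot: In the hmac_ctx_init() hunk, the return value of HMAC_Init_ex() is still ignored. With FIPS mode on, initialising an HMAC with EVP_md5() and prf_use == false (the gen_hmac_md5() call in ntlm.c) fails, and the caller then continues into hmac_ctx_update()/hmac_ctx_final() on an uninitialised context; check the return value and fail with a message that points at FIPS mode. The single-statement `if` also needs braces per the project's style, and the purpose of the flag (MD5 is permitted inside the TLS 1.0/1.1 PRF, which is the only caller passing true, and nowhere else) deserves a comment so the next reader does not widen it.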
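Review bot: In the openvpn.c hunk, a failing enable_fips_mode() just `break`s out of the loop, so openvpn exits with nothing in its own log explaining why (the only diagnostics are the stderr lines from the crypto_openssl.c hunk); report it with msg(M_FATAL, ...) so the log and exit status are unambiguous. ENABLE_FIPS is also tested with `#if` here and in ssl.c/ssl.h but with `#ifdef` in options.c; pick one form.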
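Review bot: In the usage_message hunk, the help text says enabling the option on the server "will enforce FIPS validated encryption on both client and server", but nothing in the patch checks or pushes the mode to the peer; FIPS_mode_set() only changes the local library. Soften the claim to what the server side can actually guarantee, or add the check that would make it true.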
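Review bot: In the init_options() hunk, `o->ciphername = "BF-CBC"` remains the default when fips_mode is set. Blowfish is not a FIPS-approved algorithm, so a FIPS-mode run that does not explicitly set --cipher will fail as soon as the data channel cipher is initialised; either switch the default to an AES mode when fips_mode is set, or document in the help text that --cipher must be given. Initialising the field only under ENABLE_FIPS while SHOW_INT(fips_mode) is compiled under ENABLE_CRYPTO is also worth tidying up by initialising it unconditionally.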
Hi Antonio,

Thanks for reviewing. If you don't mind, I'm going to answer your comments and questions a bit out of order.

First, you suggested a series of coding-style changes and the removal of extra whitespace. I have no comment about these. I'll make all the changes you described and resubmit.

You asked:

> Then, if openvpn has been compiled with FIPS support, is it "allowed" to
> have this binary run with FIPS mode disabled? Shouldn't it be enabled
> all the time?

The short answer is no. FIPS is only required when an entity is engaged in processing, storing or transmitting Controlled Unclassified Information (CUI). Furthermore, FIPS mode encryption is only required when "encryption" is called for by controls. The government rules on this are quite byzantine and described in NIST SP 800-171 and NIST 800-53. There are plenty of times an entity will choose to relax these rules when engaged in non-FIPS required activity (e.g. when trying to support older technology used for non-CUI access).

And you asked:

> And generally speaking: what would be a use case for not using FIPS on a
> FIPS enabled platform?

The best is a service provider with mixed clients. Those customers who require FIPS encryption would be given access to OpenVPN running with FIPS restrictions activated, while others would connect to an instance of the OpenVPN running without the restriction. The '--enable-fips' command line option makes this a simple matter from a single binary on the same server.

You asked:

>> + * OpenSSL 1.0.2m
>> + * openssl-fips-2.0.2
> I think the points above are expected to be ">="?
> Or are these versions strictly required?

These versions are strictly required. While the fips module is binary compatible with OpenSSL 1.0.1x, it would not include OpenSSL bug fixes available in 1.0.2m, which is required by NIST SP 800-171. And because the fips module is only tested and lab certified up to 1.0.2, you cannot take the new 1.1.0x branch. This leaves the user with a single choice: 1.0.2m.

If I can belabor this slightly (to frame my next answer): in order to understand this issue, an Admin would need to read and digest the FIPS 2.0 User's Guide and the security policy document, and read and digest the NIST SP 800-171 document. The 800-171 is a tailoring document, which means it draws controls from another, which is the NIST 800-53 security catalog of controls. The point I'm trying to make is that if you are an Admin whose company has tasked you with deploying FIPS mode encryption for protecting CUI and you wander into the OpenVPN project, you will have something like a month+ of reading to make all the correct choices about which software bits to grab and how to build them. In the end, you will discover you are forced to make the precise choices as laid out in the INSTALL document.

You asked / commented:

> This is more a general thought: do you think it is reasonable to have
> the instructions about how to compile OpenSSL into the OpenVPN package?
> Things may change on the OpenSSL side and we'd need to keep our
> instructions up to date, even though we are not modifying the OpenVPN code.
>
> After all, as you say below, it's the entire platform that needs to be
> FIPS supported, thus I don't believe it's OpenVPN duty to instruct the
> users about how building all the different components.

There is only one way to achieve FIPS compliance using OpenSSL. Any variance, and the user is non-compliant. It seemed like a "mercy" to offer them the 8 or 10 lines of instructions that will get them to the only valid path for compliance.

You commented:

> Some distro may even provide their own FIPS enabled packages.

This is a good point. It is possible that the distro already includes OpenSSL 1.0.2m. I should change the instructions to suggest they check for this module and then let them know they can skip the step if they already have OpenSSL 1.0.2m installed.

Jim C.
Hi Antonio, I've resubmitted our patch(es) for FIPS support. While re-reading your message, I see you asked a question I neglected to answer. In options.h, we declared an integer option 'fips_mode', and you asked: "why not bool?" The reason is extendibility for planned changes in OpenSSL. According to https://wiki.openssl.org/index.php/FIPS_mode_set(): ...Currently all non-zero values of ONOFF enable FIPS mode. In the future other values may specify additional actions beyond enabling FIPS mode, such as a value of 2 to designate an additional restriction to Suite B algorithms.... My thought is it would make it easier to modify the code if we introduce an integer to start with. Jim C.
On 03/12/17 16:10, Jim Carroll wrote:
[...snip...]
> You asked:
>
> >> + * OpenSSL 1.0.2m
> >> + * openssl-fips-2.0.2
> >
> > I think the points above are expected to be ">="?
> > Or are these versions strictly required?
>
> These versions are strictly required. While the fips module is binary
> compatible with OpenSSL 1.0.1x, it would not include OpenSSL bug fixes
> available in 1.0.2m which is required by NIST SP 800-171. And because the
> fips module is only tested and lab certified up to 1.0.2, you cannot take
> the new 1.1.0x branch. This leaves the user with a single choice 1.0.2m.
[...snip...]
> You commented:
>
> > Some distro may even provide their own FIPS enabled packages.
>
> This is a good point. It is possible that the distro already includes
> OpenSSL 1.0.2m. I should change the instructions to suggest they check for
> this module and then let them know they can skip the step if they already
> have OpenSSL 1.0.2m installed.

According to this knowledge base article from Red Hat, this is how you FIPS
enable a system:

<https://access.redhat.com/solutions/137833>
(Requires a registered account; no paid subscription needed)

Now, to a detail regarding the OpenSSL version. RHEL 6 ships with
openssl-1.0.1e and RHEL 7 ships with openssl-1.0.2k. And both distributions
when configured according to the document above are FIPS compliant installs.
I suspect when RHEL 8 comes in the future, it will ship with OpenSSL 1.1.x as
well and it would surprise me immensely if that distribution would not be FIPS
compliant as well (as Red Hat has a lot of government customers as well).

So I don't think the version is as strict as you say. But it might be other
distributions have gone through the compliance certification on a different
version.

For OpenVPN's part, I don't think we should enforce any strict versions. It is
up to the admin to ensure a compliant OpenSSL library is installed and the
system is configured accordingly to be FIPS compliant.
> So I don't think the version is as strict as you say. But it might be
> other distributions have gone through the compliance certification on a
> different version.

This is true. Red Hat has gone through the compliance certification on 1.0.2k
and their security policy is public

https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3016

> For OpenVPN's part, I don't think we should enforce any strict
> versions. It is up to admin to ensure a compliant OpenSSL library
> is installed and the system is configured accordingly to be FIPS compliant.

Agreed -- the INSTALL file text we had proposed was to document how they could
install compliant modules. Here is the text we submitted in our proposed patch:

  These instructions describe the use of OpenSSL 1.0.2m.

  PRE-INSTALLATION CHECKUP:

  The INSTALLATION procedure describes how to install an OpenSSL library that
  is built with FIPS support. If your platform already provides a FIPS enabled
  library you can skip to step 6 (build OpenVPN).

But NIST 800-171 also requires that an organization assess systems for security
deficiencies and remediate as appropriate:

  3.11.2 Scan for vulnerabilities in the information system and applications
  periodically and when new vulnerabilities affecting the system are identified.

  3.11.3 Remediate vulnerabilities in accordance with assessments of risk.

  3.12.1 Periodically assess the security controls in organizational
  information systems to determine if the controls are effective in their
  application.

  3.12.2 Develop and implement plans of action designed to correct deficiencies
  and reduce or eliminate vulnerabilities in organizational information systems.

Accordingly, there are quite a few published deficiencies for all versions of
OpenSSL older than 1.0.2h. Installing anything less than 1.0.2h would cause an
admin serious compliance trouble.
It seemed useful to document how to install 1.0.2m, thereby also getting the
benefit of bug fixes of the five intermediate patch levels.

Jim C.
I'm curious about the openvpn-devel process related to patch acceptance. Does
the fact that the conversation has ended mean the patch is scheduled to be
added -- or does it instead mean there is no interest and the patch is being
denied?

Thanks
Jim
Hi,

On 08-12-17 13:34, Jim Carroll wrote:
> I'm curious about the openvpn-devel process related to patch acceptance. Does
> the fact that the conversation has ended mean the patch is scheduled to be
> added -- or does it instead mean there is no interest and the patch is being
> denied?

It means no one had time to look at it yet. Most of the developers process
patches in their spare cycles, and those can be scarce :(

In this case: it's on my todo list, but so are many other things. We'll get to
it at some point, but I can't tell you when unfortunately.

-Steffan
diff --git a/INSTALL b/INSTALL index 3a31e6f..adb3df8 100644 --- a/INSTALL +++ b/INSTALL 
@@ -305,6 +305,78 @@ TUN/TAP Driver Configuration: ************************************************************************* +OpenSSL FIPS Object Module v2.0 Configuration: + +These instructions were adapted from + + https://www.openssl.org/docs/fipsnotes.html + +Requirements: + + * OpenSSL 1.0.2m + * openssl-fips-2.0.2 + +WARNING + +To install FIPS validated encryption, you must follow the instructions in the +FIPS 2.0 User's Guide precisely. You are not permitted to modify any of the FIPS +build artifacts, makefiles or scripts. The FIPS 2.0 module is only compatible with +OpenSSL 1.0.1 and 1.0.2. + +These instructions describe the use of OpenSSL 1.0.2m. + +INSTALLATION: + + 1. Surf to https://www.openssl.org/source/ + 2. Download source and validate the download (preferably using PGP) + 3. Untar and uncompress tarball + 4. You must build using this precise command (do NOT choose any other options): + + # ./config && make install + + (you may optionally pass 'no-asm' to config) + + If the above procedure does not build on your system -- STOP. You are not + building on a FIPS supported platform, and therefore will not have a + FIPS validated encryption environment. See chapter 3 of the FIPS 2.0 + User's Guide for the complete list of supported platforms: + + https://openssl.org/docs/fips/UserGuide-2.0.pdf + + 5. Download, build & install openssl 1.0.2m (you are permitted to + modify this step to suite your preferences): + + # git clone https://github.com/openssl/openssl.git + # (cd openssl && \ + git checkout OpenSSL_1_0_2m && \ + ./config fips && \ + make depend && \ + make install) + + 6. Now build openvpn and tell it where to find you recently installed OpenSSL + + # ./configure --enable-fips-mode \ + OPENSSL_CFLAGS=-/usr/local/ss/include \ + OPENSSL_LIBS="-ldl -L/usr/local/ssl/lib -lssl -lcrypto" + + # make install + + 7. 
You can confirm FIPS mode is available with the command + + # ./openvpn --version | grep 'library version' + library versions: OpenSSL 1.0.2m-fips 2 Nov 2017, LZO 2.08 + +USAGE: + +The above adds a new '--enable-fips-mode' command line option to OpenVPN. Add this to your +invocation statement. If you've successfully configured OpenVPN for FIPS mode, check your +OpenVPN logs for the statement: + + *** FIPS MODE ENABLE *** + + +************************************************************************* + CAVEATS & BUGS: * I have noticed cases where TCP sessions tunneled over the Linux diff --git a/Makefile.am b/Makefile.am index 773b786..6d571ec 100644 --- a/Makefile.am +++ b/Makefile.am @@ -83,6 +83,11 @@ rootdir=$(prefix) root_DATA = version.sh endif +if FIPSMODE +export CC +export FIPSLD_CC +endif + config-version.h: @CONFIGURE_GIT_CHFILES="`GIT_DIR=\"$(top_srcdir)/.git\" $(GIT) diff-files --name-status -r --ignore-submodules --quiet -- || echo \"+\"`"; \ CONFIGURE_GIT_UNCOMMITTED="`GIT_DIR=\"$(top_srcdir)/.git\" $(GIT) diff-index --cached --quiet --ignore-submodules HEAD || echo \"*\"`"; \ diff --git a/configure.ac b/configure.ac index 7f2e34f..83ac18d 100644 --- a/configure.ac +++ b/configure.ac @@ -293,6 +293,17 @@ AC_ARG_WITH( [with_crypto_library="openssl"] ) +AC_ARG_ENABLE( + [fips-mode], + [AS_HELP_STRING([--enable-fips-mode], [OpenSSL FIPS Object Module 2.0 @<:@default=no@:>@])], + [ + if test "${with_crypto_library}" != "openssl"; then + AC_MSG_ERROR([enable_fips_mode requires --with_crypto_library=openssl]) + fi + ], + [enable_fips_mode="no"] +) + AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@]) if test -n "${PLUGINDIR}"; then plugindir="${PLUGINDIR}" 
@@ -954,6 +965,35 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then ] ) + if test "${enable_fips_mode}" = "yes"; then + AC_CHECK_FUNCS( + [ \ + FIPS_mode \ + FIPS_mode_set \ + SSLeay_version + ], + [], + [AC_MSG_ERROR([Incorrect version of OpenSSL, require 1.0.2])] + ) + AC_RUN_IFELSE( + [AC_LANG_PROGRAM( + [[#include <openssl/crypto.h>]], + [[printf("%s\n", SSLeay_version(SSLEAY_DIR));]]) + ], + [AC_SUBST(OPENSSLDIR, + [[`./conftest$EXEEXT | $SED -n 's/.*"\(.*\)".*/\1/p'`]]) + ] + ) + if ! test -x "${OPENSSLDIR}/fips-2.0/bin/fipsld"; then + AC_MSG_ERROR([Incomplete OpenSSL FIPS installation; missing fipsld]) + fi + AC_SUBST([FIPSLD_CC], ["${CC}"]) + AC_SUBST([CC], ["${OPENSSLDIR}/fips-2.0/bin/fipsld"]) + export CC + export FIPSLD_CC + AC_DEFINE([ENABLE_FIPS], [1], [Enable OpenSSL FIPS 2.0 Options]) + fi + CFLAGS="${saved_CFLAGS}" LIBS="${saved_LIBS}" @@ -1373,6 +1413,7 @@ AM_CONDITIONAL([ENABLE_PLUGIN_AUTH_PAM], [test "${enable_plugin_auth_pam}" = "ye AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test "${enable_plugin_down_root}" = "yes"]) AM_CONDITIONAL([ENABLE_CRYPTO], [test "${enable_crypto}" = "yes"]) AM_CONDITIONAL([HAVE_LD_WRAP_SUPPORT], [test "${have_ld_wrap_support}" = "yes"]) +AM_CONDITIONAL([FIPSMODE], [test "${enable_fips_mode}" = "yes"]) sampledir="\$(docdir)/sample" AC_SUBST([plugindir]) @@ -1441,4 +1482,5 @@ AC_CONFIG_FILES([ sample/Makefile ]) AC_CONFIG_FILES([tests/t_client.sh], [chmod +x tests/t_client.sh]) + AC_OUTPUT diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 3f3caa1..0c05859 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c 
@@ -854,7 +854,7 @@ init_key_ctx(struct key_ctx *ctx, const struct key *key, if (kt->digest && kt->hmac_length > 0) { ctx->hmac = hmac_ctx_new(); - hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest); + hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest, false); msg(D_HANDSHAKE, "%s: Using %d bit message hash '%s' for HMAC authentication", diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h index 567fd9b..d92ab7c 100644 --- a/src/openvpn/crypto_backend.h +++ b/src/openvpn/crypto_backend.h @@ -604,10 +604,11 @@ void hmac_ctx_free(hmac_ctx_t *ctx); * @param key The key to use for the HMAC * @param key_len The key length to use * @param kt Static message digest parameters + * @param prf_use Inteded use for PRF in TLS protocol * */ void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_length, - const md_kt_t *kt); + const md_kt_t *kt, bool prf_use); /* * Free the given HMAC context. diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 0134e55..caef17b 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -159,6 +159,17 @@ crypto_init_lib(void) #endif } +int +crypto_enable_fips_mode(int mode) +{ + if (!FIPS_mode_set(mode)) { + ERR_print_errors_fp(stderr); + return 1; + } + msg(M_INFO, "*** IN FIPS MODE ***\n"); + return 0; +} + void crypto_uninit_lib(void) { @@ -926,11 +937,13 @@ hmac_ctx_free(HMAC_CTX *ctx) void hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len, - const EVP_MD *kt) + const EVP_MD *kt, bool prf_use) { ASSERT(NULL != kt && NULL != ctx); HMAC_CTX_reset(ctx); + if (kt == EVP_md5() && prf_use) + HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); HMAC_Init_ex(ctx, key, key_len, kt, NULL); /* make sure we used a big enough key */ diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h index 60a2812..11f3378 100644 --- a/src/openvpn/crypto_openssl.h +++ b/src/openvpn/crypto_openssl.h 
@@ -102,4 +102,12 @@ void crypto_print_openssl_errors(const unsigned int flags); } while (false) +/** + * Enable FIPS Mode. Returns non-zero to indicate an error. + * + * @param mode Should be 1. Future versions of OpenSSL FIPS + * code are expected to accept extended modes. + */ +int crypto_enable_fips_mode(int mode); + #endif /* CRYPTO_OPENSSL_H_ */ diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c index 077fa3e..fe39ab1 100644 --- a/src/openvpn/ntlm.c +++ b/src/openvpn/ntlm.c @@ -88,7 +88,7 @@ gen_hmac_md5(const uint8_t *data, int data_len, const uint8_t *key, int key_len, const md_kt_t *md5_kt = md_kt_get("MD5"); hmac_ctx_t *hmac_ctx = hmac_ctx_new(); - hmac_ctx_init(hmac_ctx, key, key_len, md5_kt); + hmac_ctx_init(hmac_ctx, key, key_len, md5_kt, false); hmac_ctx_update(hmac_ctx, data, data_len); hmac_ctx_final(hmac_ctx, result); hmac_ctx_cleanup(hmac_ctx); diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c index e237ee5..beb1d2a 100644 --- a/src/openvpn/openvpn.c +++ b/src/openvpn/openvpn.c @@ -210,6 +210,13 @@ openvpn_main(int argc, char *argv[]) /* parse command line options, and read configuration file */ parse_argv(&c.options, argc, argv, M_USAGE, OPT_P_DEFAULT, NULL, c.es); +#if ENABLE_FIPS + if (c.options.fips_mode) { + if (enable_fips_mode(c.options.fips_mode)) { + break; + } + } +#endif #ifdef ENABLE_PLUGIN /* plugins may contribute options configuration */ init_verb_mute(&c, IVM_LEVEL_1); diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 8e5cdf7..8a1501c 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -522,6 +522,11 @@ static const char usage_message[] = "\n" "Data Channel Encryption Options (must be compatible between peers):\n" "(These options are meaningful for both Static Key & TLS-mode)\n" +#ifdef ENABLE_FIPS + "--enable-fips-mode : Enable OpenSSL FIPS Object Module v2.0.\n" + " Setting this on the server will enforce FIPS validated\n" + " encryption on both client and server.\n" +#endif "--secret f [d] : Enable Static Key encryption mode (non-TLS).\n" " Use shared secret file f, generate with --genkey.\n" " The optional d parameter controls key directionality.\n" @@ -854,6 +859,9 @@ init_options(struct options *o, const bool init_gc) #endif #ifdef ENABLE_CRYPTO o->ciphername = "BF-CBC"; +#ifdef ENABLE_FIPS + o->fips_mode = 0; +#endif #ifdef HAVE_AEAD_CIPHER_MODES /* IV_NCP=2 requires GCM support */ o->ncp_enabled = true; #else @@ -1561,6 +1569,7 @@ show_settings(const struct options *o) #endif #ifdef ENABLE_CRYPTO + SHOW_INT(fips_mode); SHOW_BOOL(show_ciphers); SHOW_BOOL(show_digests); SHOW_BOOL(show_engines); @@ -7442,6 +7451,13 @@ add_option(struct options *options, } #endif /* USE_COMP */ #ifdef ENABLE_CRYPTO +#ifdef ENABLE_FIPS + else if (streq(p[0], "enable-fips-mode") && !p[1]) + { + VERIFY_PERMISSION(OPT_P_GENERAL); + options->fips_mode = 1; + } +#endif else if (streq(p[0], "show-ciphers") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 035c6d1..55d2248 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -189,6 +189,7 @@ struct options int persist_mode; #ifdef ENABLE_CRYPTO + int fips_mode; const char *key_pass_file; bool show_ciphers; bool show_digests; diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 843bc39..6a212b8 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -354,6 +354,14 @@ init_ssl_lib(void) crypto_init_lib(); } +#if ENABLE_FIPS +int +enable_fips_mode(int mode) +{ + return crypto_enable_fips_mode(mode); +} +#endif + void free_ssl_lib(void) { 
@@ -1640,8 +1648,8 @@ tls1_P_hash(const md_kt_t *md_kt, chunk = md_kt_size(md_kt); A1_len = md_kt_size(md_kt); - hmac_ctx_init(ctx, sec, sec_len, md_kt); - hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt); + hmac_ctx_init(ctx, sec, sec_len, md_kt, true); + hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt, true); hmac_ctx_update(ctx,seed,seed_len); hmac_ctx_final(ctx, A1); diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 0e0f68f..ae23423 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -600,6 +600,10 @@ bool is_hard_reset(int op, int key_method); void delayed_auth_pass_purge(void); +#if ENABLE_FIPS +int enable_fips_mode(int mode); +#endif + #endif /* ENABLE_CRYPTO */ #endif /* ifndef OPENVPN_SSL_H */
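Review bot: in the INSTALL hunk, step 6 cannot be copied as written: `OPENSSL_CFLAGS=-/usr/local/ss/include` is missing the `-I` and says `ss` where the `-L/usr/local/ssl/lib` on the next line says `ssl`; it should read `OPENSSL_CFLAGS=-I/usr/local/ssl/include`. In the same hunk, step 1 never names the tarball (the openssl-fips-2.0.x module, since step 5 fetches OpenSSL itself separately), "suite your preferences" should be "suit", "you recently installed" should be "your recently installed", and the USAGE section tells the admin to grep the log for `*** FIPS MODE ENABLE ***` while crypto_openssl.c logs `*** IN FIPS MODE ***`; the two strings have to agree or the documented check will always fail.

Review bot: in the configure.ac `AC_ARG_ENABLE([fips-mode], ...)` hunk, the error text names `--with_crypto_library=openssl`, but the option defined just above is `--with-crypto-library=openssl`. The action-if-given also runs for `--enable-fips-mode=no`, so that spelling trips the same error; test `"${enableval}" = "yes"` before erroring.

Review bot: in the configure.ac FIPS detection hunk, `AC_RUN_IFELSE` has no action-if-cross-compiling, so a cross build with `--enable-fips-mode` either aborts or proceeds with an empty `OPENSSLDIR` and fails on the `fipsld` test with a misleading "Incomplete OpenSSL FIPS installation"; add an `AC_ARG_VAR([OPENSSLDIR], ...)` and only run the probe when it is unset. The `AC_CHECK_FUNCS` failure message says "require 1.0.2", but `FIPS_mode`, `FIPS_mode_set` and `SSLeay_version` are all present in 1.0.1 too, and finding them says nothing about whether the FIPS module is linked in; the message should say what is actually being checked. Substituting `CC` with `fipsld` must remain the last thing that touches the compiler in this block, since every later conftest would be linked through fipsld; a one-line comment saying so would stop someone adding a check after it.

Review bot: in the crypto_openssl.c `crypto_enable_fips_mode()` hunk, failures go to `ERR_print_errors_fp(stderr)` rather than OpenVPN's logging, so a daemonised instance loses the reason the FIPS self-tests failed; use the existing `crypto_print_openssl_errors()` and `msg(M_FATAL, ...)` path instead. The `msg(M_INFO, "*** IN FIPS MODE ***\n")` also carries a trailing `\n` that `msg()` already appends.

Review bot: in the crypto_openssl.c `hmac_ctx_init()` hunk, `if (kt == EVP_md5() && prf_use)` needs braces per the project style, and the `@param prf_use` comment in crypto_backend.h ("Inteded") should spell out what the flag does: it allows MD5 only for the TLS 1.0 PRF in `tls1_P_hash()`, the same exemption OpenSSL's own libssl grants itself. The bigger issue is every caller that passes `false`: under FIPS mode `HMAC_Init_ex()` fails for MD5 (the ntlm.c call hard-codes `md_kt_get("MD5")`, and `init_key_ctx()` in crypto.c passes whatever `kt->digest` the user configured), and its return value is still unchecked, so the context is used uninitialised. Check the return value and fail with a clear message, and reject `ntlm` proxy authentication and non-approved `--auth`/`--cipher` choices up front when `fips_mode` is set.

Review bot: in the options.c usage hunk, the help text claims "Setting this on the server will enforce FIPS validated encryption on both client and server", but nothing in the patch pushes the setting to the client or checks what the peer negotiated; the option only calls `FIPS_mode_set()` locally. Either drop the claim or add the enforcement, starting with the default `o->ciphername = "BF-CBC"` that the same hunk leaves in place and that will not initialise once FIPS mode is on.

Review bot: in the openvpn.c hunk, a failed `enable_fips_mode()` only `break`s out of the loop after the error was printed to stderr; nothing marks this as a fatal initialisation failure in the log or guarantees a non-zero exit status, unlike the other early-init failures in this file. Use `msg(M_FATAL, ...)` here. Also, this hunk and the ssl.c/ssl.h hunks use `#if ENABLE_FIPS` while options.c and options.h use `#ifdef ENABLE_FIPS`; pick one form (`#ifdef` matches the surrounding `#ifdef ENABLE_CRYPTO` blocks and avoids `-Wundef` warnings when FIPS is not configured).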
From: JimC <jim@carroll.com> Modified the autoconf, automake and code to support building OpenVPN with OpenSSL FIPS Object Module v2.0 validated encryption. * Adds: --enable-fips-mode switch to configure.ac * Adds: --enable-fips-mode command line switch to openvpn --- INSTALL | 72 ++++++++++++++++++++++++++++++++++++++++++++ Makefile.am | 5 +++ configure.ac | 42 ++++++++++++++++++++++++++ src/openvpn/crypto.c | 2 +- src/openvpn/crypto_backend.h | 3 +- src/openvpn/crypto_openssl.c | 15 ++++++++- src/openvpn/crypto_openssl.h | 8 +++++ src/openvpn/ntlm.c | 2 +- src/openvpn/openvpn.c | 7 +++++ src/openvpn/options.c | 16 ++++++++++ src/openvpn/options.h | 1 + src/openvpn/ssl.c | 12 ++++++-- src/openvpn/ssl.h | 4 +++ 13 files changed, 183 insertions(+), 6 deletions(-)