
curl-library

Re: A FIPS-capable libcurl - How To Mod libcurl to Incorporate OpenSSL built with the OSSI FIPS Object Module

From: Welling, Conrad Gerhart <CONRAD.GERHART.WELLING_at_saic.com>
Date: Tue, 24 Apr 2007 20:39:44 -0700

Not sure if this is helpful, but, who cares. If I can help just one person in this crazy world, my life will have been fulfilled.
Here are my mods to the curl library to incorporate the OSSI FIPS Object Module (FOM) in OpenSSL and the curl library (I'm developing a FIPS-capable Windows service using HTTPS). This is a terse posting of the changes I made to libcurl to incorporate the OSSI FOM, which meant adding the option OSSL_FIPS_MODE_ENABLE for curl_easy_setopt() which, when set, throws the FIPS switch FIPS_mode_set(). I did a quick bunch of diffs between my modded libcurl files and the original and I think I covered everything. However, even if I missed something, build errors pretty clearly indicate what's missing. Of course, an OpenSSL built with the FOM must be linked to libcurl. As far as building OpenSSL with the FOM, Steve Marquess has edited a good guide to do so in the "OpenSSL FIPS 140-2 User Guide" at http://www.oss-institute.org/FIPS_733/UserGuide-1.1.1.pdf I used the MinGW/msys approach.

To make, provide, as the argument, the appropriate output desired (ex: "vc-dll-ssl_fips-dll")

   nmake vc-dll-ssl_fips-dll > nmake.vc-dll-ssl_fips-dll.3.log 2>&1

-------------------------------------------------------------------------------------------------------------------------
curl-7.16.1\lib\urldata.h

#ifdef USE_OPENSSL_FIPS
/* Values for the new data->set.ssl.fips.pre_state (what the application
   asked for via CURLOPT_OPENSSL_FIPS) and data->set.ssl.fips.cur_state
   (what was last applied with FIPS_mode_set()); both are longs, written
   in url.c, easy.c and transfer.c below. */
#define OSSL_FIPS_MODE_DISABLE 0
#define OSSL_FIPS_MODE_ENABLE 1
#endif

-------------------------------------------------------------------------------------------------------------------------
\include\curl.h

Line 1057: Inserted following

   /* cgw - Add FIPS */
  CINIT(OPENSSL_FIPS, LONG, 155),
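Review bot: CINIT(OPENSSL_FIPS, LONG, 155) lands in the public header unconditionally, while the url.c handler for CURLOPT_OPENSSL_FIPS (further down) is wrapped in #ifdef USE_OPENSSL_FIPS, so in every other build configuration applications still see the option but their curl_easy_setopt() call falls through to the default case; either guard the CINIT the same way, or keep the case in all builds and return an error when FIPS support was not compiled in. Also, 155 is simply the next number in upstream's CINIT sequence, so upstream's next option will take the same value and this private option will collide with it on the first rebuild against a newer curl.h; a local addition should use a number well outside that sequence, or be submitted upstream.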

-------------------------------------------------------------------------------------------------------------------------
curl-7.16.1\lib\url.c

#ifdef USE_OPENSSL_FIPS
  case CURLOPT_OPENSSL_FIPS:
    /*
     * Enable (OSSL_FIPS_MODE_ENABLE) or disable (OSSL_FIPS_MODE_DISABLE) FIPS
     * mode for an OpenSSL built with the FIPS Object Module. The value is
     * normalized to 0/1 so the "did it change" test in transfer.c cannot be
     * fooled by some other non-zero value. The switch itself is thrown in
     * transfer.c, so a failing FIPS_mode_set() surfaces on the next transfer,
     * not here.
     */
    data->set.ssl.fips.pre_state =
      va_arg(param, long) ? OSSL_FIPS_MODE_ENABLE : OSSL_FIPS_MODE_DISABLE;
    break;
#endif

-------------------------------------------------------------------------------------------------------------------------
curl-7.16.1\lib\transfer.c

#ifdef USE_OPENSSL_FIPS
/* Near the other includes at the top of transfer.c */
#include <openssl/fips.h>  /* FIPS_mode_set() */
#include <openssl/err.h>   /* ERR_get_error_line_data(), ERR_error_string_n() */
#endif

#ifdef USE_OPENSSL_FIPS
  /* FIPS_mode_set() enables the FIPS mode of operation for apps that have
     complied with all the provisions of the OpenSSL FIPS 140-2 Security Policy.
     Only call it when the requested state differs from the one last applied:
     the mode is process-global and entering it runs the module integrity
     check and self tests, so it is not something to redo on every transfer. */
  if(data->set.ssl.fips.cur_state != data->set.ssl.fips.pre_state) {
    unsigned long fipscode;
    unsigned long code;
    if(0 == (fipscode = FIPS_mode_set((int)data->set.ssl.fips.pre_state))) {
      char err_msg[256+1];
      int flags, line;
      const char *report_data, *file; /* ERR_get_error_line_data() takes const char ** */
      code = ERR_get_error_line_data(&file, &line, &report_data, &flags);
      ERR_error_string_n(code, err_msg, sizeof(err_msg));
      /* one failf(): a second call would overwrite the first message in the
         caller's CURLOPT_ERRORBUFFER; file is NULL when no error was queued */
      failf(data, "FIPS_mode_set(%ld) failed: SSL: %lu:%lu:%s:%d:%d:%s",
            data->set.ssl.fips.pre_state, fipscode, code,
            file ? file : "(no file)", line, flags, err_msg);
      return CURLE_ABORTED_BY_CALLBACK;
    }
    infof(data, "FIPS_mode_set(%ld) succeeded\n", data->set.ssl.fips.pre_state);
    data->set.ssl.fips.cur_state = data->set.ssl.fips.pre_state;
  }
#endif

-------------------------------------------------------------------------------------------------------------------------
lib\easy.c

704 /*
705 * libcurl 7.10 introduced SSL verification *by default*! This needs to be
706 * switched off unless wanted.
707 */
=======
708 <! data->set.ssl.fips.cur_state = 0; data->set.ssl.fips.pre_state = 0;
=======
709 data->set.ssl.verifypeer = TRUE;
710 data->set.ssl.verifyhost = 2;
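Review bot: the initialisation on line 708 assumes a fresh handle starts with FIPS mode off, but FIPS_mode_set() flips a process-wide flag, so if the application or another easy handle has already enabled it, cur_state = 0 is wrong: a handle that asks for enable will call FIPS_mode_set() again needlessly, and a handle left at disable will never call it and will carry on in FIPS mode without knowing. Seed the field from the library instead, e.g. `data->set.ssl.fips.cur_state = FIPS_mode();`, under the same #ifdef USE_OPENSSL_FIPS as the rest of the change. The insert also sits between the comment that explains verifypeer/verifyhost and those two assignments; move it above the comment and put one statement per line.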

-------------------------------------------------------------------------------------------------------------------------
lib\Makefile.vc6
1. Note that new entries are solely for generation of DLLs. Obviously, entries for other combinations, including static
   libs, will have to be added, as desired.
2. Note that the actual directory path for openssl 0.9.7m includes \out32dll, not out32
3. The following represents a diff between modded Makefile.vc6 and original, packaged with unmodded openssl-0.9.7m

Changed 9.7.e to 9.7.m
=======
37 * OPENSSL_PATH = ../../openssl-0.9.7m
            * OPENSSL_PATH = ../../openssl-0.9.7e
=======

97 !IFDEF WINDOWS_SSPI
98 CFLAGS = $(CFLAGS) /DUSE_WINDOWS_SSPI /I$(WINDOWS_SDK_PATH)\include
99 !ENDIF
100
=======
101 <! # cgw - Add FIPS macro
102 <! CFLAGSSSLFIPS = /DUSE_OPENSSL_FIPS
=======
103
104 ##############################################################
105 # Runtime library configuration

203 ######################
=======
204 <! # release-dll-ssl_fips-dll
205 <! # cgw - Added for openssl fips build
=======
206
=======
207 <! !IF "$(CFG)" == "release-dll-ssl_fips-dll"
208 <! TARGET = $(LIB_NAME).dll
209 <! DIROBJ = $(CFG)
210 <! LFLAGSSSL = "/LIBPATH:$(OPENSSL_PATH)\out32dll"
211 <! LNK = $(LNKDLL) $(WINLIBS) $(SSLLIBS) $(LFLAGSSSL) /out:$(DIROBJ)\$(TARGET) /IMPLIB:$(DIROBJ)\$(IMPLIB_NAME).lib
212 <! CC = $(CCNODBG) $(RTLIB) $(CFLAGSSSLFIPS) $(CFLAGSSSL)
213 <! CFGSET = TRUE
214 <! RESOURCE = $(DIROBJ)\libcurl.res
215 <! !ENDIF
=======
216
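Review bot: the CFG name defined here is release-dll-ssl_fips-dll, but the build command at the top of the post runs `nmake vc-dll-ssl_fips-dll`; the vc-* names are targets in curl's top-level Makefile that hand off to lib\Makefile.vc6 with CFG=release-..., and no change to that file is part of the posted diff, so anyone copying the command will either have to add a matching vc-dll-ssl_fips-dll target there or run `nmake /f Makefile.vc6 CFG=release-dll-ssl_fips-dll` in lib\ directly. Also /LIBPATH is hard-wired to out32dll on line 210, which is right per note 2 for this DLL build only; the static variants note 1 leaves for later will need out32 and their own block.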

418 !MESSAGE release-ssl-dll-zlib-dll - release static library with dynamic ssl and dynamic zlib
419 !MESSAGE release-dll - release dynamic library
420 !MESSAGE release-dll-ssl-dll - release dynamic library with dynamic ssl
=======
421 <! !MESSAGE release-dll-ssl_fips-dll - release dynamic library with dynamic ssl with fips
=======
422 !MESSAGE release-dll-zlib-dll - release dynamic library with dynamic zlib
423 !MESSAGE release-dll-ssl-dll-zlib-dll - release dynamic library with dynamic ssl and dynamic zlib
424 !MESSAGE debug - debug static library

543 release-dll\libcurl.res \
544 release-dll-ssl-dll\libcurl.res \
=======
545 <! release-dll-ssl_fips-dll\libcurl.res \
=======
546 release-dll-zlib-dll\libcurl.res \
547 release-dll-ssl-dll-zlib-dll\libcurl.res: libcurl.rc
Received on 2007-04-25
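An added example, not code from the post or from curl, that isolates the enable/disable bookkeeping the url.c and transfer.c changes implement so it builds without a FIPS-capable OpenSSL. fake_FIPS_mode_set() and fake_FIPS_mode() are constructed stand-ins for OpenSSL's FIPS_mode_set()/FIPS_mode(); the only property they model is that FIPS mode is one flag per process. It goes one step beyond the post: the "has anything changed" test is made against the process-wide mode rather than the handle's own cur_state, and the example shows why that matters when two handles share one process.

```c
/* Added example (not from the post or from curl): the option/transfer FIPS
 * bookkeeping in isolation. fake_FIPS_mode_set()/fake_FIPS_mode() are
 * constructed stand-ins for OpenSSL's FIPS_mode_set()/FIPS_mode(). */
#include <stdio.h>
#include <string.h>

#define OSSL_FIPS_MODE_DISABLE 0
#define OSSL_FIPS_MODE_ENABLE  1

static int g_fips_mode = 0;     /* the process-wide FIPS flag (constructed) */
static int g_fips_capable = 1;  /* 0 simulates an OpenSSL built without the FOM */

static int fake_FIPS_mode_set(int onoff)
{
    if (onoff && !g_fips_capable)
        return 0;               /* FIPS_mode_set() reports failure with 0 */
    g_fips_mode = onoff ? 1 : 0;
    return 1;
}

static int fake_FIPS_mode(void)
{
    return g_fips_mode;
}

/* Per-handle state, mirroring data->set.ssl.fips in the posted patch. */
struct fips_handle {
    long cur_state;             /* state this handle last applied */
    long pre_state;             /* state requested via the new option */
    char errbuf[64];
};

/* The CURLOPT_OPENSSL_FIPS setopt case, value normalized to 0/1. */
void fips_setopt(struct fips_handle *h, long value)
{
    h->pre_state = value ? OSSL_FIPS_MODE_ENABLE : OSSL_FIPS_MODE_DISABLE;
}

/* The transfer-time step. Returns 1 on success, 0 if FIPS_mode_set() failed.
 * The change test looks at the process-wide mode, not at h->cur_state,
 * because another handle (or the application) may have flipped it meanwhile. */
int fips_apply(struct fips_handle *h)
{
    if (fake_FIPS_mode() == h->pre_state) {
        h->cur_state = h->pre_state;    /* already in the requested mode */
        return 1;
    }
    if (!fake_FIPS_mode_set((int)h->pre_state)) {
        snprintf(h->errbuf, sizeof h->errbuf,
                 "FIPS_mode_set(%ld) failed", h->pre_state);
        return 0;
    }
    h->cur_state = h->pre_state;
    h->errbuf[0] = '\0';
    return 1;
}

/* Failure path: an OpenSSL without the FOM cannot enter FIPS mode, and the
 * transfer must refuse to run rather than continue with non-approved crypto.
 * Returns 1 when the failure is detected and reported. */
int fail_path_ok(void)
{
    struct fips_handle h = {0, 0, ""};
    g_fips_capable = 0;
    g_fips_mode = 0;
    fips_setopt(&h, OSSL_FIPS_MODE_ENABLE);
    return fips_apply(&h) == 0
        && strcmp(h.errbuf, "FIPS_mode_set(1) failed") == 0
        && fake_FIPS_mode() == 0;
}

/* Why per-handle cur_state alone is not enough: A enables FIPS mode, B
 * disables it again. The patch's test, 1 == (cur_state ^ pre_state), is 0
 * for A, so A's next transfer would make no call although the process is
 * no longer in FIPS mode. The global check re-enables it. Returns 1 when
 * both observations hold. */
int stale_state_demo(void)
{
    struct fips_handle a = {0, 0, ""}, b = {0, 0, ""};
    g_fips_capable = 1;
    g_fips_mode = 0;
    fips_setopt(&a, OSSL_FIPS_MODE_ENABLE);
    fips_apply(&a);                     /* process: FIPS on */
    fips_setopt(&b, OSSL_FIPS_MODE_DISABLE);
    fips_apply(&b);                     /* process: FIPS off again */
    int patch_would_skip = ((a.cur_state ^ a.pre_state) == 0) && fake_FIPS_mode() == 0;
    int recovered = fips_apply(&a) == 1 && fake_FIPS_mode() == 1;
    return patch_would_skip && recovered;
}

int main(void)
{
    printf("failure reported: %d\n", fail_path_ok());
    printf("per-handle check goes stale, global check recovers: %d\n",
           stale_state_demo());
    return 0;
}
```

Against the real library the two fakes become FIPS_mode_set() and FIPS_mode() from the FOM-built OpenSSL, and the error text would come from ERR_get_error_line_data() as in the transfer.c block above.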