Compiling OpenSSL 1.0.2l static library with FIPS -2.0.16 on Windows


OpenSSL - User mailing list
Hi,

I am trying to compile the OpenSSL 1.0.2l static library using FIPS - 2.0.16 on Windows 2012 R2, Visual Studio 2015, using the reference from https://www.openssl.org/docs/fips/UserGuide-2.0.pdf, page #68.

Step 1:

- cd openssl-fips-2.0.16
- ms\do_fips

Step 2:

- cd openssl-1.0.2l
- set FIPSDIR=C:\usr\local\ssl\fips-2.0
- perl Configure       VC-WIN64A fips --with-fipsdir=%FIPSDIR% no-shared zlib no-idea no-mdc2 no-rc5 no-ssl2 no-ssl3
- nmake -f ms\nt.mak all

I see that ms\do_fips compiles the code with /MD, and somehow step 2 (nmake -f ms\nt.mak all) also ends up compiling with the /MD switch. The application now requires the dynamic runtime libraries at compile and run time. OpenSSL static libraries build fine with the /MT switch without the FIPS module, so there's something with the FIPS module that ends up setting the /MD switch.

Has anyone else faced this problem? As per the user guide, the FIPS module should build fine with static libraries, but it looks like there is some issue with it. Is there any option that can be supplied to do_fips.bat, or a different build script that needs to be run?

Appreciate any help on this.

Thanks,
NG  

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Compiling OpenSSL 1.0.2l static library with FIPS -2.0.16 on Windows

OpenSSL - User mailing list
FYI, I came up with the following manual solution to correctly build the 1.0.2l static library with FIPS - 2.0.16 on Windows, using Visual Studio 2015. This seems to work, and I no longer need to carry runtime DLLs along with the application. I feel this should be an acceptable solution. Does anyone see any problems with editing the switch from /MD to /MT in the generated Makefiles?
 
- FIPS module:
  o Set the VS environment on the Windows terminal, and change directory to the unarchived FIPS module directory.
  o SET MFILE=nt.mak
  o SET TARGET=VC-WIN64A
  o SET ASM=nasm
  o perl Configure %TARGET% fipscheck
  o perl util\mkfiles.pl >MINFO
  o perl util\mk1mf.pl %ASM% %TARGET% >ms\%MFILE%
  o edit nt.mak to link the static runtime library libcmt.lib to the executables that it generates.
 
-EX_LIBS=ws2_32.lib gdi32.lib advapi32.lib crypt32.lib user32.lib
+EX_LIBS=ws2_32.lib gdi32.lib advapi32.lib crypt32.lib user32.lib libcmt.lib
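
Review bot: appending libcmt.lib to EX_LIBS on the `+` line does not change which runtime the objects are compiled against; no CFLAG edit is shown for this makefile, and the first message reports that the FIPS module compiles with /MD. Objects built with /MD request the DLL runtime, so naming libcmt.lib at link time puts two C runtimes in front of the linker. If a static runtime is the goal, the change belongs on the CFLAG line of this nt.mak (/MD to /MT), as is done for the OpenSSL makefile further down, with EX_LIBS left as generated. Either edit alters the module's generated build, which the last reply in this thread says ends the officially FIPS validated status.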
 
  o nmake -f ms\%MFILE% clean
  o nmake -f ms\%MFILE%
  o nmake -f ms\%MFILE% install

- OpenSSL

  o perl Configure VC-WIN64A no-shared zlib no-idea no-mdc2 no-rc5 no-ssl2 no-ssl3
  o edit ms\nt.mak
 
-CFLAG= /MD /Ox /O2 /Ob2 -DZLIB -DOPENSSL_THREADS  -DDSO_WIN32 -W3 -Gs0 ……………….
+CFLAG= /MT /Ox /O2 /Ob2 -DZLIB -DOPENSSL_THREADS  -DDSO_WIN32 -W3 -Gs0 ……………….
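
Review bot: the CFLAG line ends in a run of dots in both the `-` and `+` versions, so the hunk cannot be applied as posted and the remaining options cannot be checked. Because ms\nt.mak is a generated file, the /MD to /MT edit is also lost whenever the makefile is regenerated; replacing only the /MD token with a scripted substitution after generation leaves the other options untouched and makes the step repeatable. The Configure line for this step also omits the `fips --with-fipsdir=%FIPSDIR%` options used in the first message, which is worth confirming is intended.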
  o nmake -f ms\nt.mak all

- Follow additional linking step 5.3.2 described in the document https://www.openssl.org/docs/fips/UserGuide-2.0.pdf, page #74 in the final executable.


Thanks,
Naveen


On Monday, October 30, 2017 3:37 PM, naveen gupta via openssl-users <[hidden email]> wrote:


Hi,

I am trying to compile the OpenSSL 1.0.2l static library using FIPS - 2.0.16 on Windows 2012 R2, Visual Studio 2015, using the reference from https://www.openssl.org/docs/fips/UserGuide-2.0.pdf, page #68.

Step 1:

- cd openssl-fips-2.0.16
- ms\do_fips

Step 2:

- cd openssl-1.0.2l
- set FIPSDIR=C:\usr\local\ssl\fips-2.0
- perl Configure       VC-WIN64A fips --with-fipsdir=%FIPSDIR% no-shared zlib no-idea no-mdc2 no-rc5 no-ssl2 no-ssl3
- nmake -f ms\nt.mak all

I see that ms\do_fips compiles the code with /MD, and somehow step 2 (nmake -f ms\nt.mak all) also ends up compiling with the /MD switch. The application now requires the dynamic runtime libraries at compile and run time. OpenSSL static libraries build fine with the /MT switch without the FIPS module, so there's something with the FIPS module that ends up setting the /MD switch.

Has anyone else faced this problem? As per the user guide, the FIPS module should build fine with static libraries, but it looks like there is some issue with it. Is there any option that can be supplied to do_fips.bat, or a different build script that needs to be run?

Appreciate any help on this.

Thanks,
NG  

Re: Compiling OpenSSL 1.0.2l static library with FIPS -2.0.16 on Windows

OpenSSL - User mailing list
  • FYI, I came up with the following manual solution to correctly build the 1.0.2l static library with FIPS - 2.0.16 on Windows, using Visual Studio 2015. This seems to work, and I no longer need to carry runtime DLLs along with the application. I feel this should be an acceptable solution. Does anyone see any problems with editing the switch from /MD to /MT in the generated Makefiles?

 

If you edit the makefiles, then you are no longer officially FIPS validated.

 

See https://docs/fipsnotes.html

 

This may not be a problem for you, but you should know this info.
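
Added example, not part of the thread and not OpenSSL project code: a Python check of which C runtime a generated nt.mak selects, for the /MD versus /MT edits discussed above. The makefile text is constructed from the options quoted in the thread; the FIPS sample assumes that makefile still carries /MD, as the first message reports, and only single-line NAME=value entries are read.

```python
import re

# cl.exe C runtime switches and the default library each makes objects request.
CRT_LIB = {"/MD": "msvcrt.lib", "/MDd": "msvcrtd.lib",
           "/MT": "libcmt.lib", "/MTd": "libcmtd.lib"}

def assignments(text):
    """Return {NAME: value} for single-line NAME=value makefile entries."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"([A-Za-z_]\w*)\s*=(.*)$", line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found

def crt_report(text):
    """Return (CRT switches in CFLAG, CRT libs in EX_LIBS, list of problems)."""
    vals = assignments(text)
    # cl.exe accepts both /MT and -MT, so normalise the option prefix first.
    opts = ["/" + t[1:] if t.startswith("-") else t
            for t in vals.get("CFLAG", "").split()]
    switches = [t for t in opts if t in CRT_LIB]
    libs = [w.lower() for w in vals.get("EX_LIBS", "").split()
            if w.lower() in CRT_LIB.values()]
    problems = []
    if len(set(switches)) != 1:
        problems.append("CFLAG needs exactly one CRT switch, found %s" % switches)
    for lib in libs:
        # A CRT library named at link time must match the compile-time switch.
        if [CRT_LIB[s] for s in switches] != [lib]:
            problems.append("EX_LIBS names %s but CFLAG has %s" % (lib, switches))
    return switches, libs, problems

# Constructed samples using only the options visible in the thread.
FIPS_MAK = """\
CFLAG= /MD /Ox /O2 /Ob2 -W3 -Gs0
EX_LIBS=ws2_32.lib gdi32.lib advapi32.lib crypt32.lib user32.lib libcmt.lib
"""
OPENSSL_MAK = """\
CFLAG= /MT /Ox /O2 /Ob2 -DZLIB -DOPENSSL_THREADS  -DDSO_WIN32 -W3 -Gs0
EX_LIBS=ws2_32.lib gdi32.lib advapi32.lib crypt32.lib user32.lib
"""

if __name__ == "__main__":
    for name, text in (("fips nt.mak", FIPS_MAK), ("openssl nt.mak", OPENSSL_MAK)):
        print(name, crt_report(text))
```

Running the check on both makefiles before each nmake step shows whether the FIPS module and OpenSSL objects will ask the linker for the same runtime.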

