The OpenSSL FIPS module source code was created with symbolic links in the tarball. Extracting the file on a Windows environment will result in corrupted files that will prevent it from being compiled. Fixing this requires a Unix filesystem. I provide instructions below on how to extract the source code tarball on a Linux or Cygwin environment and then zip it back up.
I built this using Visual Studio 2010 and the current version of ActiveState Perl. Later versions of Visual Studio will also work fine. I was not able to build OpenSSL with NASM. Therefore, my instructions include the “no-asm” parameter throughout. I went through the trouble of compiling the 32-bit version on a 32-bit version of Windows. The FIPS module automatically detects and configures itself for 64-bit on 64-bit Windows OS, so there’s no way to force the compile to be 32-bit. (Building 32-bit OpenSSL with FIPS on a 64-bit OS does result in an executable that works on a 32-bit Windows OS, but I didn’t want to take any chances.)
It was necessary to move some of the built FIPS files around to get OpenSSL to build properly. “Hey! Isn’t that against the rules?” Nope. See page 66 in the User Guide for the OpenSSL FIPS Object Module v2.0:
Note that as a condition of the FIPS 140-2 validation no other user specified configuration options may be specified. This restriction means that an optional install prefix cannot be specified – however, there is no restriction on subsequent manual relocation of the generated files to the desired final location.
I have provided a link to the source code and build of my frontend. I have built Windows binaries of OpenSSL with the FIPS object module, but I won't post them since they might run afoul of U.S. export restrictions on cryptography.
Build instructions
The official Windows build instructions for the FIPS module and OpenSSL can be found in section 4.3 of the User Guide for the OpenSSL FIPS Object Module v2.0. However, I have found them lacking. I will summarize the process here.
Prepare the source code for Windows
- In a Unix file system environment (e.g., Linux or Cygwin), extract the files from the two tarballs.
- Use zip to compress them. This will convert all the symlinks to regular files.
- Copy the zip files to the Windows build environment and extract them. Save the zip files in case you need to build again.
$ tar -zxvf openssl-fips-2.0.16.tar.gz
$ tar -zxvf openssl-1.0.2t.tar.gz
$ zip -9 -r openssl-fips-2.0.16.zip openssl-fips-2.0.16
$ zip -9 -r openssl-1.0.2t.zip openssl-1.0.2t
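The same symlink-to-regular-file conversion done with Python's standard library, added here as an example and not part of the original post. It goes a step beyond the tar/zip commands above: it reads the tarball and writes the zip without extracting anything to disk, so it also runs on Windows, and it refuses symlinks whose target lies outside the archive. The sample tarball and the paths inside it are constructed for the demo, not taken from the OpenSSL archives.

```python
import io
import posixpath
import tarfile
import zipfile

def _resolve(tar, member):
    """Follow symlink chains inside the archive to the regular file they name."""
    if member.issym():
        # tar symlink targets are relative to the directory containing the link
        target = posixpath.normpath(posixpath.join(posixpath.dirname(member.name), member.linkname))
        if posixpath.isabs(target) or target == ".." or target.startswith("../"):
            raise ValueError(f"{member.name} -> {member.linkname} points outside the archive")
        return _resolve(tar, tar.getmember(target))
    if not member.isfile():
        raise ValueError(f"{member.name}: resolves to a non-file entry")
    return member

def tar_to_zip(tar_bytes: bytes) -> bytes:
    """Return zip bytes (deflate level 9) in which every symlink of the tar is a real file copy."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED, compresslevel=9) as zf:
        for m in tar.getmembers():
            if m.isdir():
                zf.writestr(m.name.rstrip("/") + "/", b"")
            elif m.isfile() or m.issym():  # devices/fifos have no place in a source tree
                zf.writestr(m.name, tar.extractfile(_resolve(tar, m)).read())
    return out.getvalue()

def zip_entries(zip_bytes: bytes) -> dict:
    """Map each zip entry name to its bytes; a symlink mode surviving into the zip is an error."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        if any((i.external_attr >> 16) & 0o170000 == 0o120000 for i in zf.infolist()):
            raise ValueError("zip still contains a symlink entry")
        return {i.filename: zf.read(i) for i in zf.infolist()}

def build_sample_tar(linkname="../crypto/fips.h") -> bytes:
    """Constructed sample tarball (not the OpenSSL one): one header plus a symlink to it."""
    data = b"#define FIPS_SAMPLE 1\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("src/crypto/fips.h")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("src/include/fips.h")  # mirrors include/ -> crypto/ symlinks
        link.type = tarfile.SYMTYPE
        link.linkname = linkname
        tar.addfile(link)
    return buf.getvalue()
```

To convert a real tarball, feed `tar_to_zip` the bytes of the .tar.gz and write the returned bytes to the .zip; `zip_entries` on the result confirms that no symlink entries remain.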
Build FIPS module
- Open the 32-bit or 64-bit developer command line, depending on which kind of build you need, and change into the FIPS source code directory. Build the FIPS libraries exactly as shown:
> cd openssl-fips-2.0.16
> ms\do_fips no-asm
- OpenSSL expects some files to be in different locations within the FIPS folder. Make the following changes:
  - Rename folder “out32dll” to “lib”
  - Rename folder “util” to “bin”
  - Move “fips_standalone_sha1.exe” from “lib” to “bin”
Build OpenSSL
32-bit:
- Open the developer command line and change into the source code directory. Build and install OpenSSL.
- The openssl.exe file will be in the C:\OpenSSL-FIPS-VS2010-32\bin directory.
cd openssl-1.0.2t
perl Configure VC-WIN32 no-asm fips --with-fipsdir=c:\path-to\openssl-fips-2.0.16 --prefix=C:\OpenSSL-FIPS-VS2010-32
ms\do_ms
nmake -f ms\nt.mak
nmake -f ms\nt.mak install
64-bit:
- Open the developer command line and change into the source code directory. Build and install OpenSSL.
- The openssl.exe file will be in the C:\OpenSSL-FIPS-VS2010-64\bin directory. Optional: Rename the files in the lib folder from 32 to 64.
cd openssl-1.0.2t
perl Configure VC-WIN64A no-asm fips --with-fipsdir=c:\path-to\openssl-fips-2.0.16 --prefix=C:\OpenSSL-FIPS-VS2010-64
ms\do_win64a
nmake -f ms\nt.mak
nmake -f ms\nt.mak install
Many thanks! This saved me hours and hours of hunting and yelling at the screen.
And it worked here by extracting the files using the MSYS 64 bit command prompt and then following the rest using the Visual Studio native command prompt for 64-bit. I am also using Strawberry Perl.