Tuesday, December 19, 2017

OpenSSL FIPS 140-2 - Part Three - Windows OS

Compiling OpenSSL with the FIPS Object Module on Windows is a little more involved than on Unix. As before, we are not allowed to make source code or build process changes to the FIPS module (see part one of this series for more on the build restrictions).

The OpenSSL FIPS module tarball contains symbolic links. Extracting it directly on Windows leaves those links broken, and the module will not compile. Fixing this requires a Unix filesystem: extract the tarball on Linux or Cygwin, where the links are restored correctly, then re-pack it as a zip archive, which stores a regular copy of each link's target in place of the link. Instructions for doing this follow below.

I built this using Visual Studio 2010 and the current version of ActiveState Perl; later versions of Visual Studio also work. I was not able to build OpenSSL with NASM, so my instructions include the no-asm parameter throughout. I went to the trouble of compiling the 32-bit version on a 32-bit Windows installation: the FIPS module build detects a 64-bit Windows OS and configures itself for 64-bit automatically, so there is no way to force a 32-bit compile there. (Building 32-bit OpenSSL with FIPS on a 64-bit OS does result in an executable that works on 32-bit Windows, but I didn't want to take any chances.)

It was necessary to move some of the built FIPS files around to get OpenSSL to build properly. “Hey! Isn’t that against the rules?” Nope. See page 66 in the User Guide for the OpenSSL FIPS Object Module v2.0:
Note that as a condition of the FIPS 140-2 validation no other user specified configuration options may be specified. This restriction means that an optional install prefix cannot be specified – however, there is no restriction on subsequent manual relocation of the generated files to the desired final location.
I have provided a link to the source code and build of my frontend. I have built Windows binaries of OpenSSL with the FIPS object module, but I won't post them since they might run afoul of U.S. export restrictions on cryptography.

Build instructions

The official Windows build instructions for the FIPS module and OpenSSL are in section 4.3 of the User Guide for the OpenSSL FIPS Object Module v2.0, but I have found them lacking. The process is summarized here.

Prepare the source code for Windows

  1. In a Unix file system environment (e.g., Linux or Cygwin), extract the two tarballs:

     $ tar -zxvf openssl-fips-2.0.16.tar.gz
     $ tar -zxvf openssl-1.0.2t.tar.gz

  2. Use zip to compress them. zip follows symbolic links by default (only its -y option stores them as links), so every symlink is replaced in the archive by a regular copy of its target:

     $ zip -9 -r openssl-fips-2.0.16.zip openssl-fips-2.0.16
     $ zip -9 -r openssl-1.0.2t.zip openssl-1.0.2t

  3. Copy the zip files to the Windows build environment and extract them there. Keep the zip files in case you need to build again.

Build FIPS module

  1. Open the 32-bit or 64-bit developer command prompt, depending on which kind of build you need, and change into the FIPS source code directory. Build the FIPS libraries exactly as shown:

     > cd openssl-fips-2.0.16
     > ms\do_fips no-asm

  2. OpenSSL expects some of the generated files to be in different locations within the FIPS folder. Make the following changes:

     1. Rename folder “out32dll” to “lib”
     2. Rename folder “util” to “bin”
     3. Move “fips_standalone_sha1.exe” from “lib” to “bin”

Build OpenSSL

32-bit:

  1. Open the 32-bit developer command prompt and change into the source code directory. Build and install OpenSSL:

     > cd openssl-1.0.2t
     > perl Configure VC-WIN32 no-asm fips --with-fipsdir=c:\path-to\openssl-fips-2.0.16 --prefix=C:\OpenSSL-FIPS-VS2010-32
     > ms\do_ms
     > nmake -f ms\nt.mak
     > nmake -f ms\nt.mak install

  2. The openssl.exe file will be in the C:\OpenSSL-FIPS-VS2010-32\bin directory.

64-bit:

  1. Open the 64-bit developer command prompt and change into the source code directory. Build and install OpenSSL:

     > cd openssl-1.0.2t
     > perl Configure VC-WIN64A no-asm fips --with-fipsdir=c:\path-to\openssl-fips-2.0.16 --prefix=C:\OpenSSL-FIPS-VS2010-64
     > ms\do_win64a
     > nmake -f ms\nt.mak
     > nmake -f ms\nt.mak install

  2. The openssl.exe file will be in the C:\OpenSSL-FIPS-VS2010-64\bin directory. Optional: the static libraries in the lib folder are named libeay32.lib and ssleay32.lib even for the 64-bit build; you can rename them to 64 if you like, since the name is only cosmetic once the install step has finished.
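Once openssl.exe is installed, it is worth confirming that the FIPS module is actually linked in and enforced rather than trusting a clean build log. The following is an added example, not code from the OpenSSL project or from this post, written for the MSYS/Cygwin bash that a commenter below used (the same three commands can be typed into cmd.exe after `set OPENSSL_FIPS=1`). It relies on three behaviours of FIPS-capable OpenSSL 1.0.2 builds: `openssl version` reports a `-fips` suffix; setting the OPENSSL_FIPS environment variable makes the openssl command call FIPS_mode_set(1) at startup, which runs the module's integrity check and power-up self-tests and aborts the command if they fail; and in FIPS mode a non-approved digest such as MD5 is refused by EVP_DigestInit_ex. The helper names and the sample input are my own.

```shell
#!/usr/bin/env bash
# Added example for this post, not OpenSSL project code: post-build sanity
# checks for a FIPS-capable openssl.exe, run from MSYS/Cygwin bash.
set -euo pipefail

# A 1.0.2 build configured with the "fips" option reports a "-fips" suffix,
# e.g. "OpenSSL 1.0.2t-fips  10 Sep 2019".
version_is_fips() {
    case "$1" in
        *-fips*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Check an openssl binary (default: the one on PATH; pass the full path of
# the freshly installed openssl.exe). Three checks, in order:
#  1. the version string carries -fips, i.e. OpenSSL was configured with fips;
#  2. with OPENSSL_FIPS set the openssl command calls FIPS_mode_set(1) at
#     startup, so a non-approved digest (MD5) must be refused;
#  3. an approved digest (SHA-256) must still succeed in that mode. This is
#     the check that proves the module really entered FIPS mode: if the
#     integrity check or the power-up self-tests fail, the command exits
#     before running any digest, which would make check 2 pass for the
#     wrong reason.
check_fips_build() {
    local openssl=${1:-openssl}
    local sample ver rc=0
    sample=$(mktemp)
    printf 'constructed sample input for the digest checks\n' > "$sample"

    ver=$("$openssl" version)
    if ! version_is_fips "$ver"; then
        echo "FAIL: not a FIPS-capable build: $ver" >&2
        rc=1
    elif OPENSSL_FIPS=1 "$openssl" dgst -md5 "$sample" >/dev/null 2>&1; then
        echo "FAIL: MD5 was accepted with OPENSSL_FIPS=1; FIPS mode is not in effect" >&2
        rc=1
    elif ! OPENSSL_FIPS=1 "$openssl" dgst -sha256 "$sample" >/dev/null; then
        echo "FAIL: SHA-256 failed with OPENSSL_FIPS=1 (self-test or integrity check error printed above)" >&2
        rc=1
    else
        echo "OK: $ver enforces FIPS mode"
    fi
    rm -f "$sample"
    return $rc
}

# Usage from the MSYS/Cygwin shell, pointing at the installed binary:
#   check_fips_build /c/OpenSSL-FIPS-VS2010-64/bin/openssl.exe
```

The order matters. A build whose fipscanister.lib was swapped after linking, so that the HMAC embedded by fips_standalone_sha1 no longer matches the module in memory, will fail FIPS_mode_set(1) and refuse every command in FIPS mode; only the SHA-256 check tells that case apart from a correctly enforcing module.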

2 comments:

  1. Many thanks! This saved me hours and hours of hunting and yelling at the screen.

     Replies
     1. And it worked here by extracting the files using the MSYS 64-bit command prompt and then following the rest using the Visual Studio native command prompt for 64-bit. I am also using Strawberry Perl.