I'm currently using the following steps but I'm having trouble compiling:

Add 64bit/32bit NASM to path: C:\Program Files\NASM for 64 bit

//On 32 bit simply switch to x86 native tool
Open native command prompt for VS2015 x64

or run "C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\bin\amd64\vcvars64.bat"

== Environment variables that need to be set ==
Set FPSDIR=C:\Dev\OpenSSL\x64\openssl-fips-ecp-2.0.16
Set PROCESSOR_ARCHITECTURE=AMD64

== Building Fips compliant module ==
cd openssl-fips-ecp-2.0.16
xcopy inc32\* include\* /O /X /E /H /K 
=========
Open ms\do_fips.bat and remove "dll"

[Optional] add "debug" to same line

Open util\mk1mf.pl and add "libcmt.lib LIBCPMT.LIB libcmtd.lib LIBCPMTD.LIB" to EX_LIBS (Line 650 typically)
=========

ms\do_fips
mkdir lib
copy out32.dbg\* lib\*
mkdir bin
copy util\* bin\*
copy out32.dbg\fips_standalone_sha1.exe bin

== Building ==
cd openssl-1.0.2l

======
Open util\pl\VC-32.pl
remove "|| $fips " from line 48 and 133

[Optional] Open ms\do_win64a.bat and add "debug" to line 15 right before VC-WIN64A
======

perl Configure VC-WIN64A fips no-ec2m no-shared -DUNICODE -DOPENSSL_THREADS --with-fipsdir=C:\Dev\OpenSSL\x64\openssl-fips-ecp-2.0.16
ms\do_win64a
nmake -f ms\nt.mak clean
nmake -f ms\ntdll.mak clean
nmake -f ms\nt.mak


//On 32 bit be sure to do 32bit dir and
//Configure VC-WIN32
//ms\do_nasm (add debug here too)

Compiler is failing:

DOPENSSL_THREADS  -DDSO_WIN32 -DOPENSSL_FIPS -DOPENSSL_NO_ERR -DUNICODE -DOPENSSL_THREADS -W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -IC:\Dev\OpenSSL\x64\openssl-fips-ecp-2.0.16/include -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPENSSL_NO_SSL2 -DOPENSSL_NO_KRB5 -DOPENSSL_FIPS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_WEAK_SSL_CIPHERS -DOPENSSL_NO_DYNAMIC_ENGINE /Zl /Zi /Fdtmp32/lib -c .\crypto\rand\rand_lib.c

rand_lib.c

.\crypto\rand\rand_lib.c(191): error C2143: syntax error: missing ')' before     '*'
.\crypto\rand\rand_lib.c(191): error C2143: syntax error: missing '{' before '*'
.\crypto\rand\rand_lib.c(191): error C2059: syntax error: 'type'
.\crypto\rand\rand_lib.c(192): error C2059: syntax error: ')'

I looked at the code and it seems that it doesn't know what

DRBG_CTX

I searched and it should be included from FIPS directory, but it isn't, what is wrong with my build steps?

Akumaburn

2 Answers

Found it, it seems by default the "include" directory is filled with 0kb files for some reason. I overwrote the "include" directory with the contents of the 32 bit include (inc32) directory in the FIPS folder, and it seems to have solved the issue.

Akumaburn
  • Assuming you followed the published procedure for FIPS on Windows and assuming the platform is supported, then this sounds like a bug. You should probably report it at [OpenSSL GitHub](https://github.com/openssl/openssl). – jww Aug 22 '17 at 23:05
  • There is no published standard procedure (afaik) for building FIPS statically (the nt.mak will generate a fipscontainer.lib static library but it will have dynamic symbols!), only as a DLL, and even then it doesn't work as is, because of the blank files and the bad make script for windows. – Akumaburn Aug 23 '17 at 13:08
  • The scenario you experienced is because the Neanderthals at OpenSSL.org published the openssl-fips tarball with symlinks to some files that will not properly expand with windows basic archiving built-ins. If you take the compressed tarball to a unix (Linux, MacOS, whatever) OR a Cygwin rig, extract it with `tar -xzvf` (which will resolve the symlinks), then turn right around and zip it (which will copy the symlinks as files rather than links) then bring it to your Windows environment, all those 0KB files will be the proper copies they should be. Yet another fly in the OpenSSL ointment. – WhozCraig Nov 29 '20 at 11:15
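To turn the accepted answer and WhozCraig's comment into a repeatable pre-build check, here is an added Python script (not from the question, the answers, or OpenSSL itself). It assumes only the layout the answer describes: an `inc32/` tree holding the real headers and an `include/` tree that should mirror it but ends up as 0-byte files when a Windows archiver cannot materialise the tarball's symlinks. The script lists symlink members in a tarball before extraction, finds empty files under `include/` after extraction, and repairs them from `inc32/` (the same effect as the `xcopy inc32\* include\*` step). The tarball and directory tree it runs against are constructed in a temporary directory so the demo is self-contained; on a real checkout you would call `symlink_members()` and `zero_byte_files()` on the downloaded archive and the extracted FIPS directory.

```python
import io
import os
import shutil
import tarfile
import tempfile

# Assumed layout, taken from the answer above: inc32/ holds the real headers,
# include/ should mirror it but ends up as 0-byte files on Windows.


def symlink_members(tar_path):
    """Names of tarball members that are symbolic links (what breaks on Windows)."""
    with tarfile.open(tar_path, "r:*") as tar:
        return sorted(m.name for m in tar.getmembers() if m.issym())


def zero_byte_files(root, subdir="include"):
    """Relative paths (forward slashes) of empty files under root/subdir."""
    found = []
    for dirpath, _, names in os.walk(os.path.join(root, subdir)):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.getsize(full) == 0:
                found.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(found)


def repair_from_inc32(root):
    """Overwrite each empty include/ file with its inc32/ counterpart (the xcopy fix)."""
    repaired = []
    for rel in zero_byte_files(root):
        parts = rel.split("/")          # ["include", "openssl", "fips.h"]
        src = os.path.join(root, "inc32", *parts[1:])
        if os.path.isfile(src) and os.path.getsize(src) > 0:
            shutil.copyfile(src, os.path.join(root, *parts))
            repaired.append(rel)
    return repaired


def build_sample_tarball(tar_path):
    """Constructed stand-in for the FIPS tarball: one real header plus a symlink to it."""
    data = b"/* constructed header, not OpenSSL's */\n"
    with tarfile.open(tar_path, "w:gz") as tar:
        real = tarfile.TarInfo("fips/inc32/openssl/fips.h")
        real.size = len(data)
        tar.addfile(real, io.BytesIO(data))
        link = tarfile.TarInfo("fips/include/openssl/fips.h")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../inc32/openssl/fips.h"
        tar.addfile(link)


def build_sample_tree(root):
    """Constructed extracted tree as a Windows archiver would leave it (empty include/ copy)."""
    os.makedirs(os.path.join(root, "inc32", "openssl"))
    os.makedirs(os.path.join(root, "include", "openssl"))
    with open(os.path.join(root, "inc32", "openssl", "fips.h"), "wb") as f:
        f.write(b"/* constructed header */\n")
    open(os.path.join(root, "include", "openssl", "fips.h"), "wb").close()  # 0 bytes


def run_demo():
    """Returns (symlinks in tarball, empty files before repair, empty files after)."""
    with tempfile.TemporaryDirectory() as tmp:
        tar_path = os.path.join(tmp, "openssl-fips-sample.tar.gz")
        build_sample_tarball(tar_path)
        links = symlink_members(tar_path)
        root = os.path.join(tmp, "fips")
        build_sample_tree(root)
        before = zero_byte_files(root)
        repair_from_inc32(root)
        after = zero_byte_files(root)
    return links, before, after


if __name__ == "__main__":
    print(run_demo())
```

Running `symlink_members()` on the real archive before unpacking tells you up front whether the Windows extraction will leave holes; running `zero_byte_files()` after the `xcopy` step confirms nothing empty is left for the compiler to pick up, which is what produced the `DRBG_CTX` syntax errors in the question.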
In case someone is wondering how to build it and pass the fips self-test.

Add 64bit/32bit NASM to path: C:\Program Files\NASM for 64 bit

//On 32 bit simply switch to x86 native tool and Set PROCESSOR_ARCHITECTURE=x86
Open native command prompt for VS2015 x64
or run "C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\bin\amd64\vcvars64.bat"

== Environment variables that need to be set ==
Set FPSDIR=C:\Dev\OpenSSL\x64\openssl-fips-ecp-2.0.16
Set PROCESSOR_ARCHITECTURE=AMD64

== Building Fips compliant module ==
cd openssl-fips-ecp-2.0.16

Open util\mk1mf.pl and add
$cflags.= " -DOPENSSL_FIPS_DEBUGGER";
after line 311

This will disable the fingerprint check for the module, whose purpose is to ensure that the source code hasn't been modified (but leave all other tests intact).
This is done because the fingerprint check appears to be broken for static libraries.

ms\do_fips
mkdir lib
copy out32dll\* lib\*
mkdir bin
copy util\* bin\*
copy out32dll\fips_standalone_sha1.exe bin
xcopy inc32\* include\* /O /X /E /H /K 

== Building ==
cd openssl-1.0.2l
perl Configure VC-WIN64A fips no-ec2m no-shared -DUNICODE -DOPENSSL_FIPS_DEBUGGER -DOPENSSL_THREADS --with-fipsdir=C:\Dev\OpenSSL\openssl-fips-ecp-2.0.16
ms\do_win64a
nmake -f ms\nt.mak clean
nmake -f ms\ntdll.mak clean
nmake -f ms\nt.mak


//On 32 bit be sure to do 32bit dir and
//Configure VC-WIN32 ms\do_nasm

Akumaburn
  • Doesn't disabling the fingerprint check to make static linking work violate security policy? What's the point? – Timothy John Laird Dec 11 '17 at 22:14
  • The point is all the actual FIPS tests are preserved, it does violate the broken security policy but it DOES produce FIPS compliant encryption. – Akumaburn Dec 20 '17 at 16:34
  • @TimothyJohnLaird Just figured I'd post this update, a while back this passed FIPS certification testing by a certain government agency. Just figured I'd mention it. – Akumaburn Dec 23 '21 at 17:59