Jon, 

I was able to get the sample from appendix C.1 to compile for me with the 
following steps:
1. Build the fips module
2. Build openssl with --with-fipslibdir & --with-fipsdir
3. Create a Windows console application in Visual Studio 2008
4. Add the openssl\inc32 folder to the include path
5. Add the openssl\out32dll folder to the linker path
6. Add libeay32.lib to the linker's "Additional Dependencies".  Note that this 
project doesn't use ssl so it doesn't need ssleay32.lib.
7.  Compile.  

Below are the details from the build.  I've noted some failures I'm getting in 
the tests after I build the fips module and openssl using that module.  I'd be 
interested to know if you get the same.

Hope that helps,
LM

==============================================
Here is how I built the fips module and openssl:

Build the FIPS Module
//Open a Visual Studio 2008 cmd prompt window.
//Note:  I was not able to get "ms\do_fips" to build without any command-line 
params because I seem to be missing the nasm assembler.
//The compiled binaries end up here:  C:\openssl-fips-2.0.2\out32dll
c:
cd openssl-fips-2.0.2
ms\do_fips no-asm
nmake -f ms\ntdll.mak test
//The tests fail for me with 'rsa_test' is not recognized as an internal or 
external command.  But I decided the next step was good enough with the test 
suite that passed.
cd out32dll
fips_test_suite.exe
//The fips_test_suite takes a while to run.  I don't remember exactly but I think 
it was about 10 min.

//***Fix Ups:  These steps were needed to get openssl to compile with the fips 
module I just built so it would find files in the right place
copy inc32\openssl include\openssl
md lib
copy out32dll lib
md bin
copy util bin
copy out32dll bin


Build OpenSSL using the Newly Created FIPS Module
c:
cd openssl-1.0.1c
perl Configure VC-WIN32 no-asm fips --with-fipslibdir=C:\openssl-fips-2.0.2\out32dll --with-fipsdir=C:\openssl-fips-2.0.2
ms\do_ms
nmake -f ms\ntdll.mak clean
nmake -f ms\ntdll.mak
nmake -f ms\ntdll.mak test
//Note: In my test it fails with the following:
        Curve defined by Weierstrass equation
                 y^2 = x^3 + a*x + b  (mod 0x17)
                 a = 0x1
                 b = 0x1
        Point is not on curve: x = 0xD, y = 0xFFFFA41E
        .\crypto\ec\ectest.c:318: ABORT
        problems.....

While the ectest failed, I was able to get other things to work OK so for now 
we're assuming things built well enough but still checking.


==============================================
Here's the code.  I had to tweak a few things to get it to compile:
// FipsSample.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/err.h>
#include <openssl/hmac.h>

/*
        Sample application using FIPS mode OpenSSL.
        This application will qualify as FIPS 140-2 validated when built,
        installed, and utilized as described in the "OpenSSL FIPS 140-2
        Security Policy" manual.
        This command calculates a HMAC-SHA-1 digest of a file or input data
        stream using the same arbitrary hard-coded key as the FIPS 140-2
        source file build-time integrity checks and runtime executable
        file integrity check.
*/


static void dofile(FILE *fp)
{
        HMAC_CTX ctx;
        unsigned char hmac_value[EVP_MAX_MD_SIZE];
        unsigned int hmac_len, i;
        char key[] = "etaonrishdlcupfm";
        unsigned char buf[256];

        /* Initialise context */
        HMAC_CTX_init(&ctx);
        
        /* Set digest type and key in context */
        if (!HMAC_Init_ex(&ctx, key, strlen(key), EVP_sha1(), NULL))
                exit(5);
        
        /* Process input stream */
        while(i = fread(buf,sizeof(char),sizeof(buf),fp)) {
                if(!HMAC_Update(&ctx, buf, i)) exit(3);
        }
        
        /* Generate digest */
        if(!HMAC_Final(&ctx, hmac_value, &hmac_len)) 
                exit(4);

        HMAC_CTX_cleanup(&ctx);

        /* Display digest in hex */
        for(i = 0; i < hmac_len; i++) 
                printf("%02x", hmac_value[i]);
        printf("\n");

        return;
}

int _tmain(int argc, _TCHAR* argv[])
{
        char *opt = NULL;
        int verbose = 0;
        int fipsmode = 1;
        FILE *fp = stdin;
        int i;

        /* Process command line arguments */
        i = 0;
        while(++i < argc) {
                opt = argv[i];
                if (!strcmp(opt,"-v")) verbose = 1;
                else if (!strcmp(opt,"-c")) fipsmode = 0;
                else if ('-' == opt[0]) {
                        printf("Usage: %s <filename>\n", argv[0]);
                        puts("Options:");
                        puts("\t-c\tUse non-FIPS mode");
                        puts("\t-v\tVerbose output");
                        exit(1);
                }
                else break;
        }

        /* Enter FIPS mode by default */
        if (fipsmode) {
                if(FIPS_mode_set(1)) {
                        fputs("FIPS mode enabled\n",stderr);
                        fprintf(stderr, "Fips Mode: %d\n", FIPS_mode());
                }
                else {
                        ERR_load_crypto_strings();
                        ERR_print_errors_fp(stderr);
                        exit(1);
                }
        }

        if (i >= argc) {
                dofile(fp);
        }
        else {
                while(i < argc) {
                        opt = argv[i];
                        if ((fp = fopen(opt,"rb")) == NULL) { 
                                fprintf(stderr,"Unable to open file \"%s\"\n", opt);
                                exit(1);
                        }
                        dofile(fp);
                        fclose(fp);
                        i++;
                }
        }

        exit(0);
}

==============================================
Here is the output log from the build:

Build Log      Rebuild started: Project: FipsSample, Configuration: 
Release|Win32
 Command Lines      Creating temporary file "c:\openssl-TestUtils\FipsSample - 
Clean\FipsSample\Release\RSP000023100526616.rsp" with contents
[
/O2 /Oi /GL /I "C:\openssl-1.0.1c\inc32" /D "WIN32" /D "NDEBUG" /D "_CONSOLE" 
/D "_MBCS" /FD /EHsc /MD /Gy /Fo"Release\\" /Fd"Release\vc90.pdb" /W3 /c /Zi 
/TP ".\stdafx.cpp"

".\FipsSample.cpp"
]
Creating command line "cl.exe @"c:\openssl-TestUtils\FipsSample - 
Clean\FipsSample\Release\RSP000023100526616.rsp" /nologo /errorReport:prompt"
Creating temporary file "c:\openssl-TestUtils\FipsSample - 
Clean\FipsSample\Release\RSP000024100526616.rsp" with contents
[
/OUT:"C:\openssl-TestUtils\FipsSample - Clean\Release\FipsSample.exe" 
/INCREMENTAL:NO /LIBPATH:"C:\openssl-1.0.1c\out32dll" /MANIFEST 
/MANIFESTFILE:"Release\FipsSample.exe.intermediate.manifest" 
/MANIFESTUAC:"level='asInvoker' uiAccess='false'" /DEBUG 
/PDB:"C:\openssl-TestUtils\FipsSample - Clean\Release\FipsSample.pdb" 
/SUBSYSTEM:CONSOLE /OPT:REF /OPT:ICF /LTCG /DYNAMICBASE /NXCOMPAT /MACHINE:X86 
libeay32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib 
advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib

".\Release\FipsSample.obj"

".\Release\stdafx.obj"
]
Creating command line "link.exe @"c:\openssl-TestUtils\FipsSample - 
Clean\FipsSample\Release\RSP000024100526616.rsp" /NOLOGO /ERRORREPORT:PROMPT"
Creating temporary file "c:\openssl-TestUtils\FipsSample - 
Clean\FipsSample\Release\RSP000025100526616.rsp" with contents
[
/outputresource:"..\Release\FipsSample.exe;#1" /manifest

".\Release\FipsSample.exe.intermediate.manifest"
]
Creating command line "mt.exe @"c:\openssl-TestUtils\FipsSample - 
Clean\FipsSample\Release\RSP000025100526616.rsp" /nologo"
Creating temporary file "c:\openssl-TestUtils\FipsSample - 
Clean\FipsSample\Release\BAT000026100526616.bat" with contents
[
@echo Manifest resource last updated at %TIME% on %DATE% > ".\Release\mt.dep"
]
Creating command line """c:\openssl-TestUtils\FipsSample - 
Clean\FipsSample\Release\BAT000026100526616.bat"""
 Output Window      Compiling...
stdafx.cpp
FipsSample.cpp
.\FipsSample.cpp(100) : warning C4996: 'fopen': This function or variable may 
be unsafe. Consider using fopen_s instead. To disable deprecation, use 
_CRT_SECURE_NO_WARNINGS. See online help for details.
        C:\Program Files (x86)\Microsoft Visual Studio 
9.0\VC\include\stdio.h(237) : see declaration of 'fopen'
Linking...
Generating code
Finished generating code
Embedding manifest...
 Results      Build log was saved at "file://c:\openssl-TestUtils\FipsSample - 
Clean\FipsSample\Release\BuildLog.htm"
FipsSample - 0 error(s), 1 warning(s)
  




-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Jon Evers
Sent: Monday, February 04, 2013 4:34 PM
To: openssl-users@openssl.org
Subject: RE: Compiling openssl fips in Windows

Dave,
I am linking libeay32.lib.  I did try the .dll and tried to make it a 
"reference" in a VS2008 project, but that completely failed.  

If I understand correctly "ssleay32" is needed to implement SSL/TLS protocols?  
If so, I definitely need to include it.  But, currently my linking issues don't 
seem to be affected by this library being included or not.

My link issues are either:
1) Can't find FIPS symbols (FIPS_hmac_final, FIPS_hmac_init_ex) OR
2) with fipscanister.lib also linked - duplicate symbols in MSVCRT.lib and 
LIBCMT.lib (like __exit, _raise and _malloc)

I think a simple, basic make file for a windows console application would 
greatly help me track down my linker issues.  I'm sure it is some simple 
mismatch or mistake I make in the make file I sourced from nt.mak.  I just 
can't seem to pinpoint it.

Thanks,
-Jon
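
The console-application makefile requested above, reconstructed from the compiler and linker options in the build log earlier in this thread. It is an added example, not part of either message; the file name FipsSample.mak and the trimmed flag set are assumptions, and the paths are the ones shown in the log.

```makefile
# FipsSample.mak (hypothetical name): nmake makefile for the HMAC sample.
# Run from a Visual Studio 2008 command prompt:  nmake -f FipsSample.mak
# Assumes FipsSample.cpp, stdafx.cpp and stdafx.h are in the current directory.

# FIPS-capable OpenSSL tree built with ms\ntdll.mak (path from the build log).
OPENSSL_DIR = C:\openssl-1.0.1c

# /MD is the runtime option recorded in the build log. Every object and
# library in the link should use the same runtime option: mixing /MD and /MT
# objects pulls in both MSVCRT.lib and LIBCMT.lib and yields duplicate symbols.
CXXFLAGS = /nologo /O2 /MD /W3 /EHsc /TP /I "$(OPENSSL_DIR)\inc32" \
           /D WIN32 /D NDEBUG /D _CONSOLE /D _MBCS

# Only the libeay32.lib import library is linked, as in the build log;
# fipscanister.lib is not on the link line.
LDFLAGS = /NOLOGO /SUBSYSTEM:CONSOLE /MACHINE:X86 /DYNAMICBASE /NXCOMPAT \
          /INCREMENTAL:NO /MANIFEST /LIBPATH:"$(OPENSSL_DIR)\out32dll"
LIBS    = libeay32.lib kernel32.lib user32.lib gdi32.lib advapi32.lib

OBJS = FipsSample.obj stdafx.obj

all: FipsSample.exe

# Link, then embed the generated manifest (the mt.exe step from the build log)
# so the /MD C runtime DLL can be located when the program starts.
FipsSample.exe: $(OBJS)
	link $(LDFLAGS) /OUT:$@ $(OBJS) $(LIBS)
	mt /nologo /manifest $@.manifest /outputresource:$@;1

# Inference rule: compile each .cpp to a .obj with the flags above.
.cpp.obj:
	cl $(CXXFLAGS) /c $<

clean:
	-del /q FipsSample.exe FipsSample.exe.manifest *.obj
```

At run time FipsSample.exe loads libeay32.dll, so the out32dll folder has to be on PATH or the DLL copied next to the executable.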
