How do I compile fips capable openssl on Windows x64?

I am currently using the following steps, but I am running into problems when compiling:

Add 64bit/32bit NASM to path: C:\Program Files\NASM for 64 bit

//On 32 bit simply switch to x86 native tool
Open native command prompt for VS2015 x64

or run "C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\bin\amd64\vcvars64.bat"

== Environment variables that need to be set ==
Set FPSDIR=C:\Dev\OpenSSL\x64\openssl-fips-ecp-2.0.16
Set PROCESSOR_ARCHITECTURE=AMD64

== Building Fips compliant module ==
cd openssl-fips-ecp-2.0.16
xcopy inc32\* include\* /O /X /E /H /K 
=========
Open ms\do_fips.bat and remove "dll"

[Optional] add "debug" to same line

Open util\mk1mf.pl and add "libcmt.lib LIBCPMT.LIB libcmtd.lib LIBCPMTD.LIB" to EX_LIBS (Line 650 typically)
=========

ms\do_fips
mkdir lib
copy out32.dbg\* lib\*
mkdir bin
copy util\* bin\*
copy out32.dbg\fips_standalone_sha1.exe bin

== Building ==
cd openssl-1.0.2l

======
Open util\pl\VC-32.pl
remove "|| $fips " from line 48 and 133

[Optional]Open ms\do_win64a.bat and add "debug" to line 15 right before VC-WIN64A
======

perl Configure VC-WIN64A fips no-ec2m no-shared -DUNICODE -DOPENSSL_THREADS --with-fipsdir=C:\Dev\OpenSSL\x64\openssl-fips-ecp-2.0.16
ms\do_win64a
nmake -f ms\nt.mak clean
nmake -f ms\ntdll.mak clean
nmake -f ms\nt.mak


//On 32 bit be sure to do 32bit dir and
//Configure VC-WIN32
//ms\do_nasm (add debug here too)

The compiler fails:

DOPENSSL_THREADS  -DDSO_WIN32 -DOPENSSL_FIPS -DOPENSSL_NO_ERR -DUNICODE -DOPENSSL_THREADS -W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -IC:\Dev\OpenSSL\x64\openssl-fips-ecp-2.0.16/include -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPENSSL_NO_SSL2 -DOPENSSL_NO_KRB5 -DOPENSSL_FIPS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_WEAK_SSL_CIPHERS -DOPENSSL_NO_DYNAMIC_ENGINE /Zl /Zi /Fdtmp32/lib -c .\crypto\rand\rand_lib.c

rand_lib.c

.\crypto\rand\rand_lib.c(191): error C2143: syntax error: missing ')' before     '*'
.\crypto\rand\rand_lib.c(191): error C2143: syntax error: missing '{' before '*'
.\crypto\rand\rand_lib.c(191): error C2059: syntax error: 'type'
.\crypto\rand\rand_lib.c(192): error C2059: syntax error: ')'

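Looking at the code, it appears it does not know what DRBG_CTX is.

I searched for it and it should be included in the FIPS directory, but it is not. Is there something wrong with my build steps?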

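Found it. For some reason, by default the "include" directory appears to be full of 0 KB files. I overwrote the "include" directory with the contents of the 32-bit include (inc32) directory from the FIPS folder, and that seems to have solved the problem.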

In case anyone wants to know how to build it and pass the FIPS self-tests:

Add 64bit/32bit NASM to path: C:\Program Files\NASM for 64 bit

//On 32 bit simply switch to x86 native tool and Set PROCESSOR_ARCHITECTURE=x86
Open native command prompt for VS2015 x64
or run "C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\bin\amd64\vcvars64.bat"

== Environment variables that need to be set ==
Set FPSDIR=C:\Dev\OpenSSL\x64\openssl-fips-ecp-2.0.16
Set PROCESSOR_ARCHITECTURE=AMD64

== Building Fips compliant module ==
cd openssl-fips-ecp-2.0.16

Open util\mk1mf.pl and add
$cflags.= " -DOPENSSL_FIPS_DEBUGGER";
after line 311

This will disable the fingerprint check for the module, whose purpose is to ensure that the source code hasn't been modified (but leave all other tests intact).
This is done because the fingerprint check appears to be broken for static libraries.

ms\do_fips
mkdir lib
copy out32dll\* lib\*
mkdir bin
copy util\* bin\*
copy out32dll\fips_standalone_sha1.exe bin
xcopy inc32\* include\* /O /X /E /H /K 

== Building ==
cd openssl-1.0.2l
perl Configure VC-WIN64A fips no-ec2m no-shared -DUNICODE -DOPENSSL_FIPS_DEBUGGER -DOPENSSL_THREADS --with-fipsdir=C:\Dev\OpenSSL\openssl-fips-ecp-2.0.16
ms\do_win64a
nmake -f ms\nt.mak clean
nmake -f ms\ntdll.mak clean
nmake -f ms\nt.mak


//On 32 bit be sure to do 32bit dir and
//Configure VC-WIN32
//ms\do_nasm
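
A pre-flight check for the failure described in this thread (0 KB headers under the FIPS module's "include" directory, leaving DRBG_CTX undeclared when rand_lib.c is compiled), added here as an example and not part of the original posts. The function names, the sample header name fips_rand.h and its one-line content are constructed for illustration; pass the FIPS module directory as the first argument to audit a real tree.

```python
import os
import re
import sys
import tempfile


def audit_headers(fipsdir, symbol="DRBG_CTX"):
    """Return (zero_byte_headers, symbol_declared) for <fipsdir>/include."""
    include = os.path.join(fipsdir, "include")
    token = re.compile(r"\b" + re.escape(symbol) + r"\b")
    empty, declared = [], False
    for root, _dirs, files in os.walk(include):
        for name in files:
            if not name.lower().endswith(".h"):
                continue
            path = os.path.join(root, name)
            if os.path.getsize(path) == 0:
                empty.append(os.path.relpath(path, include))
            elif not declared:
                with open(path, errors="replace") as fh:
                    declared = bool(token.search(fh.read()))
    return sorted(empty), declared


def restorable_from_inc32(fipsdir, empty):
    """Zero-byte headers that have a non-empty copy under <fipsdir>/inc32."""
    inc32 = os.path.join(fipsdir, "inc32")
    return [rel for rel in empty
            if os.path.isfile(os.path.join(inc32, rel))
            and os.path.getsize(os.path.join(inc32, rel)) > 0]


def build_sample_tree(base):
    """Constructed sample: empty header in include, populated copy in inc32."""
    bodies = {"include": "", "inc32": "typedef struct drbg_ctx_st DRBG_CTX;\n"}
    for sub, body in bodies.items():
        folder = os.path.join(base, sub, "openssl")
        os.makedirs(folder)
        with open(os.path.join(folder, "fips_rand.h"), "w") as fh:
            fh.write(body)
    return base


if __name__ == "__main__":
    # No argument: audit the constructed sample tree instead of a real FIPSDIR.
    fipsdir = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree(tempfile.mkdtemp())
    empty, declared = audit_headers(fipsdir)
    print("0-byte headers:", empty)
    print("restorable from inc32:", restorable_from_inc32(fipsdir, empty))
    print("DRBG_CTX declared under include:", declared)
```

An empty first list together with a True result for DRBG_CTX is the state the xcopy of inc32 into include is meant to produce before OpenSSL is configured with --with-fipsdir.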