[openssl-dev] Windows x86_64 build broken -- RE: [openssl-users] OpenSSL version 1.0.1q released (corrected download)
Carl Tietjen
Carl.Tietjen at microfocus.com
Fri Dec 4 09:55:53 UTC 2015
>>What version of VC++ are you using?
We are using Visual Studio 2010 Professional SP1 + security Hotfixes
Version 10.0.40219.1 SP1Rel
FYI -- We are using the older compiler because VS 2010 is what was used for the FIPS evaluations.
I tired setting the FIPSDIR environment variable, building the FIPS object module, and then trying to build the FIPS capable OpenSSL, however it failed exactly the same.
__________________________________
On a minor note, now, as previously, when I tried using the --with-fipsdir option, the build fails quite early because it cannot find the fipscanister.lib. I followed the instructions in The User Guide for OpenSSL FIPS Object Module v2.0:
4.3.2 Installing and Protecting the FIPS Object Module
The system administrator should install the generated fipscanister.lib, fipscanister.lib.sha1, and fips_premain.c files in a location protected by the host operating system security features. ...
4.3.3 Building a FIPS Capable OpenSSL
...
do:
perl Configure VC-WIN32 fips --with-fipsdir=c:\fips\path
where "c:\fips\path" is wherever the FIPS module from the first stage was installed. ...
However, the build is expecting fipscanister.lib to be in a "lib" subdirectory, off of the specified fipsdir path, which is contrary to the instructions above. When I first ran into this issue, I figured out (from the make files) that if I used the fipslibdir instead of fipsdir, then the build would work.
Thanks,
Carl
-----Original Message-----
From: openssl-dev [mailto:openssl-dev-bounces at openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Thursday, December 03, 2015 7:57 PM
To: openssl-dev at openssl.org
Subject: Re: [openssl-dev] Windows x86_64 build broken -- RE: [openssl-users] OpenSSL version 1.0.1q released (corrected download)
On Fri, Dec 04, 2015, Carl Tietjen wrote:
> Folks,
>
> It looks like the Windows x86_64 build for OpenSSL version 1.0.1q is broken.
>
> I am building a FIPS capable version, and have verified that I have the corrected download build: SHA1 checksum: c65a7bec49b72092d7ebb97a263c496cc1e1d6af
> FYI - I have successfully built on 3 Linux platforms with this tar file.
>
> Build steps:
> 1) perl Configure VC-WIN64A fips --with-fipslibdir=c:\FIPS\openssl-fips-ecp-2.0.9 no-ec2m no-idea no-mdc2 no-rc5
> 2) ms\do_win64a
> 3) nmake -f ms\nt.mak
> ...
> NMAKE : fatal error U1073: don't know how to make 'tmp32\applink.obj'
>
> ____________
>
> It looks like the nt.mak file ends up different than the one from 1.0.1p. The relevant changes are:
>
> 1.0.1p:
> ...
> $(PREMAIN_DSO_EXE): $(OBJ_D)\$(E_PREMAIN_DSO).obj $(CRYPTOOBJ) $(O_FIPSCANISTER)
> $(LINK) $(LFLAGS) /out:$(PREMAIN_DSO_EXE) @<<
> $(EX_LIBS) $(OBJ_D)\$(E_PREMAIN_DSO).obj $(CRYPTOOBJ) $(O_FIPSCANISTER) $(EX_LIBS)
> ...
>
> 1.0.1q
> $(PREMAIN_DSO_EXE): $(OBJ_D)\$(E_PREMAIN_DSO).obj $(CRYPTOOBJ) $(O_FIPSCANISTER) $(OBJ_D)\applink.obj
> $(LINK) $(LFLAGS) /out:$(PREMAIN_DSO_EXE) @<<
> $(EX_LIBS) $(OBJ_D)\applink.obj $(OBJ_D)\$(E_PREMAIN_DSO).obj $(CRYPTOOBJ) $(O_FIPSCANISTER) $(EX_LIBS)
>
> _______________
>
> I have tried to find any changes in the perl scripts that would cause this change, but have been unsuccessful so far.
>
> Thanks in advance for any help
>
That update was to fix a linker error in some versions of VC++. I just tried
that on the latest 1.0.1 branch and can't reproduce your problem. What version
of VC++ are you using?
However you need to use --with-fipsdir not --with-fipslibdir and it need to
point to wherever the FIPS module was installed, not the source directory.
Alternatively you can set the FIPSDIR environment variable before building the
FIPS module and it will be installed to that location and the FIPS capable
OpenSSL will use that without the need to use --with-fipsdir.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
More information about the openssl-dev
mailing list