Cross-Compiling w/ FIPS Support from Linux to Windows
Bradley Gannon
bradley at bradleygannon.com
Tue Mar 9 00:48:06 UTC 2021
Hi there:
I'm trying to cross-compile FIPS-capable OpenSSL from Linux to Windows.
I already have a working native Linux build system, and I want to
extend it to support Windows targets without standing up a new host.
My cross-compile process follows the FOM User Guide to the best of my
understanding:
```
export MACHINE="MINGW64"
export SYSTEM="mingw64"
export CROSS_COMPILE="x86_64-w64-mingw32-"
export HOSTCC="gcc"
export FIPS_SIG="${FIPS_HOME}/src/util/msincore"
# build FIPS Object Module
cd ${FIPS_HOME}/src
./config
make
make install
# build OpenSSL
cd ${OPENSSL_HOME}/src
./config fips --prefix=${OPENSSL_FIPS} --with-fipsdir=${OPENSSL_FIPS}
make depend
make
make install
```
`FIPS_HOME`, `OPENSSL_HOME`, and `OPENSSL_FIPS` are the locations of
the FOM source tree, the OpenSSL source tree, and the output directory,
respectively.
The first failure occurs during the FOM `make install` step. The error
is:
```
cp: cannot stat 'fips_standalone_sha1': No such file or directory
```
It turns out that the build steps I've written above produce
`fips_standalone_sha1.exe`, which `make install` can't find. That's a
problem for me, because I know it's against the FIPS certification to
modify anything in the work area, but I can't seem to proceed without
changing that file name.
Just to expose another issue let me violate the certification
temporarily to bypass the problem. When I insert this command before
`make install`:
```
mv ./fips/fips_standalone_sha1.exe ./fips/fips_standalone_sha1
```
the build continues through the FOM and into OpenSSL. In fact, it seems
to get either nearly or completely through `make` before failing at the
incore digest step:
```
no fipstx section at ${FIPS_HOME}/src/util/msincore line 132.
```
This seems to indicate that `msincore` is not getting the kind of
executable it expects, but I'm not sure how to resolve that. I can't
turn up anything interesting on the Web, since most cross-compilation
discussions seem to target Android or iOS. If anyone has any guidance,
I'd appreciate it.
Thank you,
Bradley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20210308/89ded8a5/attachment.sig>
More information about the openssl-users
mailing list