Re: building openssh with openssl-fips: cygwin can't find libcrypto

[Steve Marquess]

Bryan wrote:
I am almost done here... I was able to symlink the headers to get past
the opensslv header files, but the build process fails because openssl
didn't build libcypto.  The problem is that when building openssl with
fips, it doesn't not appear to build libcrypto, and changing anything
in the ./Configure makes in non-FIPs compliant.
Is there something I can do here to get a FIPs compliant openssl with libcrypto?
  

A quick but hopefully helpful observation:  I built a "FIPS capable" 
openssl for a client a few months ago, and found that Cygwin wasn't a 
totally friendly environment due to some discrepancies in the macros 
that enable Unix-ish versus Windows-ish behavior (Cygwin being an 
uncomfortable blend of both).  In order to compile without modifying the 
OpenSSL v.12 source or the canonical build instructions I wound up doing 
the following:

$ diff -u /usr/include/cygwin/types.h.bak /usr/include/cygwin/types.h
--- /usr/include/cygwin/types.h.bak     2008-06-12 13:35:52.001000000 -0400
+++ /usr/include/cygwin/types.h 2009-12-07 09:46:21.528790900 -0500
@@ -21,6 +21,15 @@
#include <stdint.h>
#include <endian.h>

+#if defined(__CYGWIN__) && defined(OPENSSL_FIPS)
+  #define __MINGW32__
+  #define stricmp strcasecmp
+  #define strnicmp strncasecmp
+  #include <stdarg.h>
+  #include <w32api/windef.h>
+  #include <w32api/winbase.h>
+#endif
+
#ifndef __timespec_t_defined
#define __timespec_t_defined
typedef struct timespec timespec_t;

... which is arguably not spiritually pure in FIPS theology and clearly 
not Sound Programming Practice.  I documented it and my client is happy 
(that specific software was being generated from source code for largely 
frivolous reasons anyway).  Note I'm telling you what I did in one 
specific circumstance and I'm not recommending it as a general solution, 
or any solution at all.

We can't of course put a fix where it belongs, in the OpenSSL FIPS 
Object Module source.  If/when we do another validation we'll try to 
check the Cygwin platform.

-Steve M.

--
Steve Marquess
The OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org