On Thu, Jul 29, 2010 at 13:08, Steve Marquess <marqu...@opensslfoundation.com> wrote:
> Bryan wrote:
>>
>> I am almost done here... I was able to symlink the headers to get past
>> the opensslv header files, but the build process fails because openssl
>> didn't build libcrypto. The problem is that when building openssl with
>> fips, it does not appear to build libcrypto, and changing anything
>> in the ./Configure makes it non-FIPs compliant.
>>
>> Is there something I can do here to get a FIPs compliant openssl with
>> libcrypto?
>>
>
> A quick but hopefully helpful observation: I built a "FIPS capable" openssl
> for a client a few months ago, and found that Cygwin wasn't a totally
> friendly environment due to some discrepancies in the macros that enable
> Unix-ish versus Windows-ish behavior (Cygwin being an uncomfortable blend of
> both). In order to compile without modifying the OpenSSL v.12 source or the
> canonical build instructions I wound up doing the following:
>

I was able to build OpenSSL with FIPS, the problem comes that it
doesn't build the libcrypto library. There just isn't one. Unless it
gets named differently by windows (e.g. crypt.dll or something like
that maybe)

And when I try to build OpenSSH binaries, which require this file, I
get the following:

configure: error: *** Can't find recent OpenSSL libcrypto (see config.log for details) ***

I can install the openssl-devel packages for cygwin, and it compiles
my OpenSSH binaries just fine, but I don't think that the OpenSSH
would be FIPs-compliant then, right?

I was able to point the "includes" to the right directory to allow
OpenSSH to find openssl/opensslv.h, but the above error is right after
it, and it's the last major hurdle...

Have I missed a setting in OpenSSL that would allow me to build
OpenSSL and get a libcrypto?

> $ diff -u /usr/include/cygwin/types.h.bak /usr/include/cygwin/types.h > --- /usr/include/cygwin/types.h.bak 2008-06-12 13:35:52.001000000 -0400 > +++ /usr/include/cygwin/types.h 2009-12-07 09:46:21.528790900 -0500 
> @@ -21,6 +21,15 @@ > #include <stdint.h> > #include <endian.h> > > +#if defined(__CYGWIN__) && defined(OPENSSL_FIPS) > + #define __MINGW32__ > + #define stricmp strcasecmp > + #define strnicmp strncasecmp > + #include <stdarg.h> > + #include <w32api/windef.h> > + #include <w32api/winbase.h> > +#endif > + > #ifndef __timespec_t_defined > #define __timespec_t_defined > typedef struct timespec timespec_t;
>
> ... which is arguably not spiritually pure in FIPS theology and clearly not
> Sound Programming Practice. I documented it and my client is happy (that
> specific software was being generated from source code for largely frivolous
> reasons anyway). Note I'm telling you what I did in one specific
> circumstance and I'm not recommending it as a general solution, or any
> solution at all.
>

We are doing it because OpenSSH is BSD-licensed, and free... The other
options are costing us a bit of money that we'd like to save.

> We can't of course put a fix where it belongs, in the OpenSSL FIPS Object
> Module source. If/when we do another validation we'll try to check the
> Cygwin platform.
>
> -Steve M.
>
> --
> Steve Marquess
> The OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD 21710
> USA
> +1 877-673-6775
> marqu...@opensslfoundation.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
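
Review bot: In the added `#if defined(__CYGWIN__) && defined(OPENSSL_FIPS)` block, `#define __MINGW32__` and the `stricmp`/`strnicmp` macros are set in the installed system header /usr/include/cygwin/types.h with no `#ifndef` guard and no comment, so they take effect in every source file that includes this header while OPENSSL_FIPS is defined, and a conflicting redefinition is possible if any of the three names is already defined at that point. Suggest wrapping each define in `#ifndef`, adding a comment that records why the block exists and which build it serves, and, where the build rules permit, keeping these definitions in a header or compiler flags local to that one build rather than in the Cygwin header itself.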