FIPS Open SSL Build using VC++ on Windows

rajesh kumar

Oct 12, 2010, 7:07:06 AM
Hi All,

I am very new to OpenSSL build ...

I have built the static build of FIPS Capable OpenSSL as mentioned in user guide 1.2.

I have used the following commands on VS2005 Command Prompt...

Build FIPS Module : ms\do_fips no-asm

Set Configuration : perl Configure VC-WIN32 --with-fipslibdir="..\openssl-0.9.8l\out32dll"

For not using Assembler : ms\do_ms

Static Build : nmake -f ms\nt.mak InstallStatic


All this seems to work, but the issue is that when I link libeay32.lib and ssleay32.lib in the application and call the FIPS_mode_set() function to set/reset FIPS Mode, I am seeing the following link error ...

error LNK2019: unresolved external symbol _FIPS_mode referenced in function

Can someone please let me know if I am missing anything...

When I am looking at the do_fips.bat file, it internally calls ntdll.mak - I am not sure if the FIPS module is always creating Dynamic mode whereas my application links them static...

A quick reply would be really helpful ....

Thanks,
Rajesh.

Vivek Madani

Oct 12, 2010, 8:14:36 AM

Are you using fipslink.pl to statically link FIPS module to your
application/dll? If not, I believe you need to use it to comply with
OpenSSL FIPS security policy.

Lee Merrill

Oct 12, 2010, 8:25:16 AM
I had a problem after building as well, I built the fips-mode (version 1.2) of openssl on Linux via running "./config fipscanisterbuild" and then "make", this builds fine, and "make test" works, only fipscanister.o doesn't have the strings that fipsld expects, when I run "strings fipscanister.o | fgrep HMAC" all I see is "HMAC: digest not allowed in FIPS mode". The other strings I got before with fips openssl 1.1 which have the hash values (e.g. "HMAC-SHA1(fips_premain.c)= 6a08d15c578f1258246181bf52134ae974aa5a80") are not present. This causes fipsld to fail, any suggestions appreciated.

Lee


Dr. Stephen Henson

Oct 12, 2010, 8:51:50 AM
On Tue, Oct 12, 2010, rajesh kumar wrote:

> Hi All,
>
> i am very new to OpenSSL build ...
>
> I have build the static build of FIPS Capable OpenSSL as mentioned in user
> guide 1.2.
>
> I have used following commands on VS2005 Command Prompt...
>

> Build FIPS Module : ms\do_fips no-asm
>
> Set Configuration : perl Configure VC-WIN32 --with-fipslibdir="..\openssl-0.9.8l\out32dll"
>

That looks like you aren't linking to the validated module: you *must* use the
1.2 sources to build the module and link against that or the result is not
FIPS 140-2 compliant.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Dr. Stephen Henson

Oct 12, 2010, 8:53:36 AM
On Tue, Oct 12, 2010, Lee Merrill wrote:

> I had a problem after building as well, I built the fips-mode (version 1.2)
> of openssl on Linux via running "./config fipscanisterbuild" and then
> "make", this builds fine, and "make test" works, only fipscanister.o
> doesn't have the strings that fipsld expects, when I run "strings
> fipscanister.o | fgrep HMAC" all I see is "HMAC: digest not allowed in FIPS
> mode". The other strings I got before with fips openssl 1.1 which have the
> hash values (e.g. "HMAC-SHA1(fips_premain.c)=
> 6a08d15c578f1258246181bf52134ae974aa5a80") are not present. This causes
> fipsld to fail, any suggestions appreciated.
>

Looks like you are using the old (1.1) version of fipsld: you need the 1.2
version.

Dr. Stephen Henson

Oct 12, 2010, 8:56:04 AM
On Tue, Oct 12, 2010, Vivek Madani wrote:

>
> Are you using fipslink.pl to statically link FIPS module to your
> application/dll? If not, I believe you need to use it to comply with
> OpenSSL FIPS security policy.
>

You don't need to use fipslink.pl or fipsld but if you don't you have to
provide equivalent functionality in your own linker script.

john.ma...@wipro.com

Oct 12, 2010, 9:20:15 AM
As far as I understand, the HMAC-SHA1-SIG is something that is passed while compiling the fips_premain.c. And this is taken care of by fipsld. Actually fipsld obtains this signature by executing the binary that is linked with fips_premain.o and recompiles the fips_premain.c by passing that signature. I didn't find any issue while following the steps in the UserGuide.1.1
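
The string check Lee describes (`strings fipscanister.o | fgrep HMAC`) and the fingerprint comparison it feeds, sketched in Python as an added example; it is not part of any post in this thread and is not fipsld's code. The key, file contents and object bytes are constructed placeholders, and the function names are hypothetical.

```python
import hashlib
import hmac
import re

# Fingerprint strings of the form quoted in the thread:
#   HMAC-SHA1(fips_premain.c)= 6a08d1...   (40 hex chars = one SHA-1 output)
FINGERPRINT_RE = re.compile(rb"HMAC-SHA1\(([^)\x00]+)\)= ?([0-9a-f]{40})")


def embedded_fingerprints(blob: bytes) -> dict:
    """Equivalent of `strings obj | fgrep HMAC`, keeping only real fingerprints."""
    return {m.group(1).decode(): m.group(2).decode()
            for m in FINGERPRINT_RE.finditer(blob)}


def hmac_sha1_hex(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha1).hexdigest()


def check_sources(blob: bytes, sources: dict, key: bytes) -> dict:
    """Compare every embedded fingerprint with the HMAC-SHA1 of its source."""
    results = {}
    for name, expected in embedded_fingerprints(blob).items():
        if name not in sources:
            results[name] = "missing"
            continue
        actual = hmac_sha1_hex(key, sources[name])
        # Constant-time comparison, as for any MAC check.
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return results


# --- Constructed sample data (not taken from any real OpenSSL build) ---
DEMO_KEY = b"constructed-demo-key"          # placeholder, not the module's key
SAMPLE_SRC = b"/* constructed stand-in for fips_premain.c */\n"
ERROR_TEXT = b"HMAC: digest not allowed in FIPS mode\x00"
# Object that carries a fingerprint string (what Lee saw with 1.1).
BLOB_WITH = (b"\x7fELF\x00" + ERROR_TEXT + b"HMAC-SHA1(fips_premain.c)= "
             + hmac_sha1_hex(DEMO_KEY, SAMPLE_SRC).encode() + b"\x00")
# Object with only the error-message string (what Lee saw with 1.2).
BLOB_WITHOUT = b"\x7fELF\x00" + ERROR_TEXT

if __name__ == "__main__":
    srcs = {"fips_premain.c": SAMPLE_SRC}
    print(check_sources(BLOB_WITH, srcs, DEMO_KEY))      # fingerprint verifies
    print(check_sources(BLOB_WITH, {"fips_premain.c": b"edited"}, DEMO_KEY))
    print(embedded_fingerprints(BLOB_WITHOUT))           # nothing to verify
```

An empty result from `embedded_fingerprints` is the condition Lee reports: the only "HMAC" string present is the error message, so a script expecting embedded fingerprints has nothing to compare.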
 


Vivek Madani

Oct 13, 2010, 2:23:36 AM
On Tue, Oct 12, 2010 at 6:26 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
> On Tue, Oct 12, 2010, Vivek Madani wrote:
>
>>
>> Are you using fipslink.pl to statically link FIPS module to your
>> application/dll? If not, I believe you need to use it to comply with
>> OpenSSL FIPS security policy.
>>
>
> You don't need to use fipslink.pl or fipsld but if you don't you have to
> provide equivalent functionality in your own linker script.
>

Right. Wondering if anyone has tried this with VS 2008. Is this
documented anywhere else except for UserGuide? I have an application
working fine with dynamically linked libeay32.dll and might want to
try out static linking.

rajesh kumar

Oct 13, 2010, 2:58:19 AM
Thanks Steve .... 

Thanks everyone for reply

Thanks for the reply and information.

Now I have built the FIPS 1.2 module, trying to build a static build on version "OpenSSL - 0.9.8o"

While building using "nmake -f ms\nt.mak" I see a link error - interestingly I didn't see this error with the FIPS Module (1.2) build

".\crypto\comp\c_zlib.c(25) : fatal error C1083: Cannot open include file: 'zlib.h': No such file or directory
NMAKE : fatal error U1077: '"C:\Program Files\Microsoft Visual Studio 8\VC\BIN\cl.EXE"' : return code '0x2'
Stop."

Can you please let me know what I am missing here ...

Thanks,
Rajesh.


rajesh kumar

Oct 13, 2010, 5:36:48 AM
Steve, 

I have made changes in the nt.mak file to not pass the -DZLIB option in cFlags and now I am able to compile and build a static build of OpenSSL.

Now I face the same issue as mentioned earlier -- "error LNK2019: unresolved external symbol _FIPS_mode_set referenced in function"

In detail this is what I have done...

- I have the following folder structure; source is downloaded from OpenSSL.org

OpenSSL Version 0.9.8.o - C:\OPENSSL_BUILD\openssl-0.9.8o
FIPS Module Version 1.2 - C:\OPENSSL_BUILD\openssl-fips-1.2

- I have done the following steps to build OpenSSL as mentioned in User Guide

From VS 2005 Command Window

- cd C:\OPENSSL_BUILD\openssl-fips-1.2
- ms\do_fips no-asm - this is to build FIPS Module
- cd C:\OPENSSL_BUILD\openssl-0.9.8o
- perl Configure VC-WIN32 --with-fipslibdir="C:\OPENSSL_BUILD\openssl-fips-1.2\out32dll"
- nmake -f ms\nt.mak - to build static OpenSSL

Can someone please let me know if I am missing anything..

Thanks in Advance

- Rajesh



Dr. Stephen Henson

Oct 13, 2010, 12:41:36 PM
On Wed, Oct 13, 2010, rajesh kumar wrote:

> Steve,
>
> I have made changes in nt.mak file to not pass -DZLIB option in cFlags and
> now i am able to compile and build static build of OpenSSL.
>
> Now i face the same issue as mentioned earlier -- "error LNK2019: unresolved
> external symbol _FIPS_mode_set referenced in function"
>
> In detail this is what i have done...
>
> - I have following Folder structure; Source is downloaded from OpenSSL.org
>
> OpenSSL Version 0.9.8.o - C:\OPENSSL_BUILD\openssl-0.9.8o
> FIPS Module Version 1.2 - C:\OPENSSL_BUILD\openssl-fips-1.2
>
> - I have done following steps to build OpenSSL as mentioned in User Guide
>
> From VS 2005 Command Window
>
> - cd C:\OPENSSL_BUILD\openssl-fips-1.2
> - ms\do_fips no-asm - this is to build FIPS Module
> - cd C:\OPENSSL_BUILD\openssl-0.9.8o
> - perl Configure VC-WIN32
> --with-fipslibdir="C:\OPENSSL_BUILD\openssl-fips-1.2\out32dll"
> - nmake -f ms\nt.mak - to build static OpenSSL
>
> can some one please let me know if i am missing anything..
>

The user guide says you should do:

perl Configure VC-WIN32 fips --with-fipslibdir=c:\fips\path
