Hello,
Maybe it can help that you find a complete WIN CE successful compile
process for openssl v100a there : http://delaage.pierre.free.fr
Hope you will get some useful answers for what you are looking for.
See also this page in openssl rt system :
http://rt.openssl.org/index.html?q=2350
(user guest password guest).
I confess that my patch still needs to be included in the openssl
mainstream because I have to adapt a few comments to strict C fashion
instead of C++ one.
I will try to do that this year...
Pierre Delaage
Le 31/10/2012 14:54, Mendonca, Joseph a écrit :
Steve,
FYI... I tried to use a newer compiler version in an attempt to restore
the optimization setting and get back to a validated FIPS module.
However, with the only difference being the compiler version, I got a
compiler error (see below). NOTE: this is in the OpenSSL build not the
FIPS Module build - the FIPS module builds without error using the newer
compiler.
With compiler for WinCE 5.0:
Microsoft (R) C/C++ Optimizing Compiler Version 13.10.4091 for ARM
Copyright (C) Microsoft Corporation 1984-2004. All rights reserved.
cl.exe /Fotmp32_ARMV4I\cryptlib.obj -Iinc32 -Itmp32_ARMV4I
/MC /Od /W3 /GF /Gy /nologo -DUNICODE -D_UNICODE -DOPENSSL_SYSNAME_WINCE
-DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DNO_CHMOD
-DOPENSSL_SMALL_FOOTPRINT -DOPENSSL_NO_CAPIENG -DOPENSSL_USE_IPV6=0
-D_WIN32_WCE=500 -DUNDER_CE=500 -DWCE_PLATFORM_CHAMELEON -DARM -D_ARM_
-DARMV4I -QRarch4T -QRinterwork-return
-IC:\nan\gem\iStar\Encryption\openssl_fips\util\fips-2.0/include
-IC:\nan\gem\iStar\Encryption\wcecompat/include -DOPENSSL_NO_RC2
-DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPENSSL_NO_RIPEMD -DOPENSSL_NO_MDC2
-DOPENSSL_NO_BF -DOPENSSL_NO_CAST -DOPENSSL_NO_KRB5 -DOPENSSL_FIPS
-DOPENSSL_NO_JPAKE -DOPENSSL_NO_DYNAMIC_ENGINE /Zi /Fdtmp32_ARMV4I/lib
-c .\crypto\cryptlib.c cryptlib.c
c:\nan\gem\iStar\Encryption\openssl\crypto\cryptlib.c(926) : error
C2036: 'FILE *' : unknown size
With compiler for WinCE 3.0 (no error - all command line settings are
the same):
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 12.01.8569 for
ARM
Copyright (C) Microsoft Corp 1984-1999. All rights reserved.
clarm.exe /Fotmp32_ARMV4I\cryptlib.obj -Iinc32 -Itmp32_ARMV4I
/MC /Od /W3 /GF /Gy /nologo -DUNICODE -D_UNICODE -DOPENSSL_SYSNAME_WINCE
-DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DNO_CHMOD
-DOPENSSL_SMALL_FOOTPRINT -DOPENSSL_NO_CAPIENG -DOPENSSL_USE_IPV6=0
-D_WIN32_WCE=500 -DUNDER_CE=500 -DWCE_PLATFORM_CHAMELEON -DARM -D_ARM_
-DARMV4I -QRarch4T -QRinterwork-return
-IC:\nan\gem\iStar\Encryption\openssl_fips\util\fips-2.0/include
-IC:\nan\gem\iStar\Encryption\wcecompat/include -DOPENSSL_NO_RC2
-DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPENSSL_NO_RIPEMD -DOPENSSL_NO_MDC2
-DOPENSSL_NO_BF -DOPENSSL_NO_CAST -DOPENSSL_NO_KRB5 -DOPENSSL_FIPS
-DOPENSSL_NO_JPAKE -DOPENSSL_NO_DYNAMIC_ENGINE /Zi /Fdtmp32_ARMV4I/lib
-c .\crypto\cryptlib.c cryptlib.c
I am stumped as to what I could do to correct the error.
-Joe
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Dr. Stephen Henson
Sent: Thursday, October 25, 2012 3:45 PM
To: [email protected]
Subject: Re: Need help building FIPS capable Openssl for Windows CE
On Thu, Oct 25, 2012, Mendonca, Joseph wrote:
Steve,
I resolved the remaining problem and now have FIPS working. For
OpenSSL, I had previously, found a compiler problem introduced during
optimization and had disabled optimization to avoid the problem. I
had to disable optimization during the FIPS module build to resolve
this remaining problem.
Changed:
$opt_cflags=' /MC /O1i'; # optimize for space, but with
intrinsics...
To:
$opt_cflags=' /MC /Od'; # optimize for space, but with
intrinsics...
In util\pl\VC-32.pl (for FIPS module)
Unfortunately making changes like that violates the security policy and
the result is no longer validated.
The original CE5 validation also suffered from a compiler bug which was
worked around by disabling optimisation for the affected code see
crypto/bn/bn_nist.c in the 2.0.1 sources.
What version of C compiler are you using?
However, having to continuously update "--with-baseaddr=0xnnnnnnn" is
going to be pain. So we need to explore the static linking option.
It is not obvious to me the changes needed generate the static LIB(s)
instead of the DLL. Could you provide me with the proper settings to
generate LIBs instead of the (libeay32.)DLL?
Well a fixed base address can work provided you make approriate changes
to platform builder and include the DLL in the nk.bin file.
A static build of the FIPS capable OpenSSL is untested but should follow
the rules of a static Win32 build (call the static Makefile instead).
You'd then need to modify the link procedure of your application to call
fipslink.pl or an equivalent (e.g. making use of msincore).
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
