Steve, FYI... I was able resolve this "unknown size" error when I discovered that the error was not present when OpenSSL was built to produce a DLL (instead of a static LIB).
The solution was to change e_os.h (line 310) from: # if defined(_MSC_VER) && !defined(_DLL) && defined(stdin) To: # if defined(_MSC_VER) && !defined(_DLL) && defined(stdin) && !defined(_WIN32_WCE) It appears to me that "_DLL" is only defined in WinCE DLL builds but not the WinCE static LIB build. The definitions below the conditional produced the error and this section does not appear to be needed in WinCE. My statically linked application did enable FIPS successfully after this modification. NOTE: I still have to disable optimization which leaves me with a Non-Validated FIPS module. Thanks, Joe PS. I am working with openssl-1.0.1c -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Mendonca, Joseph Sent: Wednesday, October 31, 2012 9:55 AM To: [email protected] Subject: RE: Need help building FIPS capable Openssl for Windows CE Steve, FYI... I tried to use a newer compiler version in an attempt to restore the optimization setting and get back to a validated FIPS module. However, with the only difference being the compiler version, I got a compiler error (see below). NOTE: this is in the OpenSSL build not the FIPS Module build - the FIPS module builds without error using the newer compiler. With compiler for WinCE 5.0: Microsoft (R) C/C++ Optimizing Compiler Version 13.10.4091 for ARM Copyright (C) Microsoft Corporation 1984-2004. All rights reserved. cl.exe /Fotmp32_ARMV4I\cryptlib.obj -Iinc32 -Itmp32_ARMV4I /MC /Od /W3 /GF /Gy /nologo -DUNICODE -D_UNICODE -DOPENSSL_SYSNAME_WINCE -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DNO_CHMOD -DOPENSSL_SMALL_FOOTPRINT -DOPENSSL_NO_CAPIENG -DOPENSSL_USE_IPV6=0 -D_WIN32_WCE=500 -DUNDER_CE=500 -DWCE_PLATFORM_CHAMELEON -DARM -D_ARM_ -DARMV4I -QRarch4T -QRinterwork-return -IC:\nan\gem\iStar\Encryption\openssl_fips\util\fips-2.0/include -IC:\nan\gem\iStar\Encryption\wcecompat/include -DOPENSSL_NO_RC2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPENSSL_NO_RIPEMD -DOPENSSL_NO_MDC2 -DOPENSSL_NO_BF -DOPENSSL_NO_CAST -DOPENSSL_NO_KRB5 -DOPENSSL_FIPS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_DYNAMIC_ENGINE /Zi /Fdtmp32_ARMV4I/lib -c .\crypto\cryptlib.c cryptlib.c c:\nan\gem\iStar\Encryption\openssl\crypto\cryptlib.c(926) : error C2036: 'FILE *' : unknown size With compiler for WinCE 3.0 (no error - all command line settings are the same): Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 12.01.8569 for ARM Copyright (C) Microsoft Corp 1984-1999. All rights reserved. clarm.exe /Fotmp32_ARMV4I\cryptlib.obj -Iinc32 -Itmp32_ARMV4I /MC /Od /W3 /GF /Gy /nologo -DUNICODE -D_UNICODE -DOPENSSL_SYSNAME_WINCE -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DNO_CHMOD -DOPENSSL_SMALL_FOOTPRINT -DOPENSSL_NO_CAPIENG -DOPENSSL_USE_IPV6=0 -D_WIN32_WCE=500 -DUNDER_CE=500 -DWCE_PLATFORM_CHAMELEON -DARM -D_ARM_ -DARMV4I -QRarch4T -QRinterwork-return -IC:\nan\gem\iStar\Encryption\openssl_fips\util\fips-2.0/include -IC:\nan\gem\iStar\Encryption\wcecompat/include -DOPENSSL_NO_RC2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPENSSL_NO_RIPEMD -DOPENSSL_NO_MDC2 -DOPENSSL_NO_BF -DOPENSSL_NO_CAST -DOPENSSL_NO_KRB5 -DOPENSSL_FIPS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_DYNAMIC_ENGINE /Zi /Fdtmp32_ARMV4I/lib -c .\crypto\cryptlib.c cryptlib.c I am stumped as to what I could do to correct the error. -Joe -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Dr. Stephen Henson Sent: Thursday, October 25, 2012 3:45 PM To: [email protected] Subject: Re: Need help building FIPS capable Openssl for Windows CE On Thu, Oct 25, 2012, Mendonca, Joseph wrote: > Steve, > > I resolved the remaining problem and now have FIPS working. For > OpenSSL, I had previously, found a compiler problem introduced during > optimization and had disabled optimization to avoid the problem. I > had to disable optimization during the FIPS module build to resolve > this remaining problem. > Changed: > $opt_cflags=' /MC /O1i'; # optimize for space, but with > intrinsics... > To: > $opt_cflags=' /MC /Od'; # optimize for space, but with > intrinsics... > In util\pl\VC-32.pl (for FIPS module) > Unfortunately making changes like that violates the security policy and the result is no longer validated. The original CE5 validation also suffered from a compiler bug which was worked around by disabling optimisation for the affected code see crypto/bn/bn_nist.c in the 2.0.1 sources. What version of C compiler are you using? > However, having to continuously update "--with-baseaddr=0xnnnnnnn" is > going to be pain. So we need to explore the static linking option. > It is not obvious to me the changes needed generate the static LIB(s) > instead of the DLL. Could you provide me with the proper settings to > generate LIBs instead of the (libeay32.)DLL? > Well a fixed base address can work provided you make approriate changes to platform builder and include the DLL in the nk.bin file. A static build of the FIPS capable OpenSSL is untested but should follow the rules of a static Win32 build (call the static Makefile instead). You'd then need to modify the link procedure of your application to call fipslink.pl or an equivalent (e.g. making use of msincore). Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [email protected] ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [email protected] ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [email protected]
