| 1 | +# Building on Windows |
| 2 | + |
| 3 | +wolfEngine has Visual Studio support for FIPS 140-2, FIPS Ready, and non-FIPS |
| 4 | +builds. All expect the following directory structure: |
| 5 | + |
| 6 | +``` |
| 7 | +. |
| 8 | +├── openssl |
| 9 | +├── wolfEngine |
| 10 | +└── wolfssl |
| 11 | +``` |
| 12 | + |
| 13 | +The build will not work unless the directories are named as above. |
| 14 | + |
| 15 | +## OpenSSL |
| 16 | + |
| 17 | +Follow the instructions in the OpenSSL `INSTALL` file. The list of commands to |
| 18 | +run are: |
| 19 | + |
| 20 | +``` |
| 21 | +$ perl Configure { VC-WIN32 | VC-WIN64A | VC-WIN64I | VC-CE } |
| 22 | +$ nmake clean # This command needs to be run if OpenSSL has previously been |
| 23 | +built in this directory with a different configuration. |
| 24 | +$ nmake |
| 25 | +``` |
| 26 | + |
| 27 | +## wolfSSL |
| 28 | + |
| 29 | +The wolfSSL FIPS module performs an integrity check over the code and read only |
| 30 | +data contents of itself during the FIPS self-test. This requires that the |
| 31 | +module be assembled in a specific order, with the object files wolfcrypt_first.o |
| 32 | +and wolfcrypt_last.o marking the beginning and end of the FIPS module, |
| 33 | +respectively. The only way we have found to reliably ensure this ordering on |
| 34 | +Windows is by building wolfSSL as a DLL. As such, even static builds of |
| 35 | +wolfEngine (i.e. the "Debug" and "Release" configurations) will use wolfSSL as a |
| 36 | +DLL. All wolfEngine Visual Studio configurations also use OpenSSL as a DLL. |
| 37 | + |
| 38 | +### FIPS 140-2 |
| 39 | + |
| 40 | +First, replace the contents of `IDE\WIN10\user_settings.h` in wolfSSL with the |
| 41 | +contents of `windows\fips_140_2\user_settings.h` from wolfEngine. Then, compile |
| 42 | +wolfSSL using `IDE\WIN10\wolfssl-fips.sln`. |
| 43 | + |
| 44 | +### FIPS Ready |
| 45 | + |
| 46 | +First, replace the contents of `IDE\WIN10\user_settings.h` in wolfSSL with the |
| 47 | +contents of `windows\fips_ready\user_settings.h` from wolfEngine. Then, compile |
| 48 | +wolfSSL using `IDE\WIN10\wolfssl-fips.sln`. |
| 49 | + |
| 50 | +### Non-FIPS |
| 51 | + |
| 52 | +First, replace the contents of `IDE\WIN\user_settings.h` in wolfSSL with the |
| 53 | +contents of `windows\non_fips\user_settings.h` from wolfEngine. Then, compile |
| 54 | +wolfSSL using `wolfssl64.sln`. |
| 55 | + |
| 56 | +## wolfEngine |
| 57 | + |
| 58 | +The wolfEngine "test" project copies the OpenSSL and wolfSSL DLLs into the test |
| 59 | +output directory. If you want to skip the OpenSSL step and use system supplied |
| 60 | +versions of OpenSSL, delete the OpenSSL DLL copy command under the test |
| 61 | +project's properties: |
| 62 | + |
| 63 | +``` |
| 64 | +Properties -> Configuration Properties -> Build Events -> Post-Build Event -> |
| 65 | +Command Line |
| 66 | +``` |
| 67 | + |
| 68 | +There is currently no official support for using OpenSSL as a static library |
| 69 | +with wolfEngine. |
| 70 | + |
| 71 | +### FIPS 140-2 |
| 72 | + |
| 73 | +Build wolfEngine using `windows\wolfEngine.sln`. Select one of the 4 FIPS 140-2 |
| 74 | +configurations (e.g. DLL Debug FIPS 140-2). Run the test suite by right-clicking |
| 75 | +on the "test" project in the Solution Explorer > Debug > Start New Instance. You |
| 76 | +are likely to encounter this error message: |
| 77 | + |
| 78 | +``` |
| 79 | +in FIPS callback, ok = 0, err = -203 |
| 80 | +message = In Core Integrity check FIPS error |
| 81 | +hash = 550122FD59F12AFA94F1B0D95AB361FF03E3EB8708C68974C36D6571524B675C |
| 82 | +In core integrity hash check failure, copy above hash |
| 83 | +into verifyCore[] in wolfSSL's (NOT wolfEngine) fips_test.c and rebuild |
| 84 | +ERR: Failed to find engine! |
| 85 | +``` |
| 86 | + |
| 87 | +As mentioned earlier, part of wolfSSL's FIPS self-test is an integrity check |
| 88 | +of the FIPS module. At startup, the self-test computes an HMAC of the code and |
| 89 | +read-only data of the FIPS module and compares the result to an expected value |
| 90 | +compiled into the library. If these don't match, the FIPS module enters an error |
| 91 | +state and cannot be used. The wolfEngine test program will print the above error |
| 92 | +message in this case. If this happens, you should take the hash value printed |
| 93 | +out and replace the `verifyCore` value in wolfSSL's `wolfcrypt\src\fips_test.c` |
| 94 | +with it. Rebuild wolfSSL, rebuild wolfEngine, and run the wolfEngine tests |
| 95 | +again. The integrity check should pass this time. |
| 96 | + |
| 97 | +### FIPS Ready |
| 98 | + |
| 99 | +Build wolfEngine using `windows\wolfEngine.sln`. Select one of the 4 FIPS Ready |
| 100 | +configurations (e.g. DLL Debug FIPS Ready). Run the test suite by right-clicking |
| 101 | +on the "test" project in the Solution Explorer > Debug > Start New Instance. The |
| 102 | +FIPS self-test noted above for FIPS 140-2 applies to FIPS Ready, too, so you |
| 103 | +will need to update the expected hash value accordingly. |
| 104 | + |
| 105 | +### Non-FIPS |
| 106 | + |
| 107 | +Build wolfEngine using `windows\wolfEngine.sln`. Select one of the 4 non-FIPS |
| 108 | +configurations (e.g. DLL Debug Non-FIPS) Run the test suite by right-clicking on |
| 109 | +the "test" project in the Solution Explorer > Debug > Start New Instance. |
| 110 | + |
| 111 | +# Development |
| 112 | + |
| 113 | +The build options for the various configurations are all held in property sheets |
| 114 | +in the `windows\props\` directory. If you need to add a new build option (e.g. |
| 115 | +a macro or compiler option), you should add it to the most general property |
| 116 | +sheet possible. For example, if you are adding a compiler option that should be |
| 117 | +applied to all debug configurations, add it to debug.props. If you are adding a |
| 118 | +macro that should only be applied when building the test project with wolfSSL |
| 119 | +FIPS (Ready or 140-2) and a debug configuration, add it to |
| 120 | +debug_fips_test.props. Do NOT add properties directly to wolfEngine.vcxproj or |
| 121 | +test.vcxproj unless absolutely necessary, but this will likely never be the |
| 122 | +case. |
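Review bot: the FIPS troubleshooting text that follows the `in FIPS callback, ok = 0, err = -203` block tells the reader to copy whatever hash the failing run prints into `verifyCore` in `wolfcrypt\src\fips_test.c` and rebuild, but never says when that is legitimate; taken literally it turns the integrity check into "fail once, paste, pass", which a tampered module would satisfy just as well. Add a sentence that the printed hash is only trustworthy for a module you just built yourself from known-good sources on a trusted build host (the DLL/link-order discussion in the wolfSSL section is why the expected value has to be regenerated per build), that the value should be recorded alongside the build artifacts, and that a hash printed by a binary you did not build must not be accepted. Two smaller points: in the OpenSSL block the comment on `nmake clean` wraps onto a second line that has no `#`, so a copy-paste into a shell would try to execute `built in this directory with a different configuration.`; keep the comment on one line or move it into prose above the block. And `Properties -> Configuration Properties -> Build Events -> Post-Build Event -> Command Line` is a menu path rather than a command, so inline code or an unfenced line would read better than a fenced block.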