Erlang OTP 20.1 contains crypto-4.1 with openssl-1.0.2d, so I was using the same version set.
I used chocolatey.org to install dependencies
- Git
choco install -y git --params "/NoAutoCrlf /GitAndUnixToolsOnPath"
- VS 2017 build tools
choco install -y visualstudio2017buildtools
choco install -y visualstudio2017-workload-vctools
- Active perl
choco install -y activeperl
- NASM
choco install -y nasm
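- Start powershell
# powershell
mkdir C:\tmp
cd C:\tmp
# wget is the PowerShell alias for Invoke-WebRequest, where a bare -o is ambiguous; name the output file with -OutFile
Invoke-WebRequest -OutFile openssl-fips-2.0.16.tar.gz https://www.openssl.org/source/openssl-fips-2.0.16.tar.gz
tar -xvf openssl-fips-2.0.16.tar.gz
cd openssl-fips-2.0.16
cp -r "C:\Program Files\NASM\*" .\
- Start cmd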
::cmd
"C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\VC\Auxiliary\Build\vcvars64.bat" amd64
cd C:\tmp\openssl-fips-2.0.16
ms\do_fips.bat
Erlang OTP 20.1 includes the crypto-4.1 module, which is linked with openssl-1.0.2d, so we are going to use this 1.0.2d version. Should the crypto version change, you need to rebuild the matching version of openssl with the fips objects.
- Start powershell
#powershell
cd c:/tmp
# if you're behind proxy you need to setup environment variables
# $env:http_proxy=...
# $env:https_proxy="...
git clone https://github.com/openssl/openssl.git
cd openssl
git checkout OpenSSL_1_0_2d
git clean -fxd
git reset --hard
cp -r "C:\Program Files\NASM\*" .\
- Start cmd
::cmd
"C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\VC\Auxiliary\Build\vcvars64.bat" amd64
cd C:\tmp\openssl
perl .\Configure VC-WIN64A no-asm fips --with-fipsdir=C:\\usr\\local\\ssl\\fips-2.0
ms\do_win64a.bat
nmake -f ms\ntdll.mak
nmake -f ms\ntdll.mak install
- NOTE: to build the openssl DLL objects I had to remove -DOPENSSL_USE_APPLINK from the CFLAG list in ms\ntdll.mak, otherwise it's producing the following error:
link /nologo /subsystem:console /opt:ref /debug /dll /map /base:0xFB00000 /out:out32dll\libeay32.dll /def:ms/LIBEAY32.def @C:\Temp\nm14EF.tmp
Creating library out32dll\libeay32.lib and object out32dll\libeay32.exp
LINK : warning LNK4281: undesirable base address 0xFB00000 for x64 image; set base address above 4GB for best ASLR optimization
out32dll\fips_premain_dso.exe out32dll\libeay32.dll
OPENSSL_Uplink(00007FF64A5CF050,08): no OPENSSL_Applink
I still do not get how to treat this error.
- VS 2017 build tools
choco install -y visualstudio2017buildtools
choco install -y visualstudio2017-workload-vctools
- install msys2
choco install msys2
- install windows sdk 10.1
choco install windows-sdk-10.1
- install jdk8
choco install jdk8
- install msys2 packages
pacman -S msys/autoconf msys/make msys/perl msys/tar
- gcc mingw toolchain
pacman -S mingw64/mingw-w64-x86_64-gcc
- install msys2 git
This is needed only if you want to get OTP sources via git.
Anyway I recommend using git, as at any point you can reset the source set and clean up
the working dir with the general
git clean -fxd; git reset --hard
pacman -S msys/git
- install vcpkg
If you use Win SDK v10, some libraries required by Erlang are not included. To handle this you can use the vcpkg tool.
cd /c/tmp
git clone https://github.com/Microsoft/vcpkg.git
cd vcpkg
./bootstrap-vcpkg.bat
- install required libs
vcpkg install opengl # is not a part of win sdk since 10.1
vcpkg install wxwidgets # it also installs development packages which are needed to link otp with wx.
vcpkg integrate install # make them accessible globally
The commands below are to be run in the msys2 terminal
mkdir -p /c/tmp
cd /c/tmp
git clone https://github.com/erlang/otp.git
cd otp
git checkout OTP-20.1
The Microsoft VC compiler (cl.exe) is used to build OTP.
To help developers set up their environment, Microsoft ships the well-known vcvars*.bat scripts.
:: in windows cmd
:: e.g. for x64 version
"C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\VC\Auxiliary\Build\vcvars64.bat"
This prepares the environment for you. However, you cannot reuse it in msys2 directly.
But what you can do is save the PATH, LIB, LIBPATH and INCLUDE variables to temporary files
and then transform them for the msys2 environment with a little bit of cygpath and sed/awk magic.
- Start windows cmd.exe
:: in windows cmd
:: load vcvars
"C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\VC\Auxiliary\Build\vcvars64.bat"
:: Return to the workspace
cd C:\tmp
:: Save Variables to own files
echo %PATH% > PATH.cmd.env
echo %LIB% > LIB.cmd.env
echo %LIBPATH% > LIBPATH.cmd.env
echo %INCLUDE% > INCLUDE.cmd.env
- Start msys terminal
- Prepare PATH variable
# bash
# the *.cmd.env files were saved in C:\tmp
cd /c/tmp
# Read cmd's PATH value and split it on `;`, one entry per line
cat PATH.cmd.env |sed -e 's#;#\n#g' > PATH.bash.env.tmp
# Use cygpath to convert windows paths to unix-like ones, then trim leading and trailing spaces and drop empty lines
cygpath -a -u -f PATH.bash.env.tmp |sed -e 's#^\s*##g' -e 's#\s*$##g' -e 's#^/*$##g' |sed '/^$/d' >PATH.bash.env
- Add PATH, INCLUDE, LIB, and LIBPATH to vcvars64.sh
So as a result we have a vcvars64 script adapted for the particular msys2 environment
# bash
cat << EOF >vcvars64.sh
PATH="$(paste -d ':' -s PATH.bash.env):\$PATH"
# Vars below are used by the MS VC++ compiler so should be stored
# in windows style (but this is not certain)
INCLUDE="$(cat INCLUDE.cmd.env |sed 's/\\/\\\\/g')" # C:\foo\bar -> C:\\foo\\bar
LIB="$(cat LIB.cmd.env |sed 's/\\/\\\\/g')"
LIBPATH="$(cat LIBPATH.cmd.env |sed 's/\\/\\\\/g')"
export PATH LIB LIBPATH INCLUDE
EOF
- Validate the C++ compiler actually works
bash # start bash subshell
- Load environment variables
. /c/tmp/vcvars64.sh
- Create simple helloworld application
cat << EOF > hello.cpp
#include <iostream>
using namespace std;
int main()
{
cout << "Hello, world, from Visual C++!" << endl;
return 0;
}
EOF
- Compile and run helloworld
cl hello.cpp
- If everything is ok
./hello.exe should print out lovely text.
$ ./hello.exe
Hello, world, from Visual C++!
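The PATH conversion step above, as an added example that is not code from the original post: a hypothetical helper, cmd_path_to_msys, does the `;` to `:` translation without cygpath and drops empty, relative and duplicate entries, because an empty element in a POSIX PATH means the current directory. The sample paths in the final call are constructed.

```shell
#!/bin/sh
# Added example: convert a cmd.exe-style PATH value (";"-separated, backslashes,
# drive letters) into an msys2-style one (":"-separated, /c/...).
# cmd_path_to_msys is a hypothetical helper name, not part of msys2 or OTP.
cmd_path_to_msys() {
    printf '%s' "$1" | awk -v RS=';' '
    {
        # "echo %PATH% > file" leaves a trailing space and a line ending
        gsub(/^[ \t\r\n]+|[ \t\r\n]+$/, "")
        # Keep absolute "X:\..." or "X:/..." entries only. This drops empty
        # entries (";;") and relative ones (".", "bin", "C:foo"), which would
        # let the build pick up tools from the current directory.
        if ($0 !~ /^[A-Za-z]:/) next
        c3 = substr($0, 3, 1)
        if (c3 != "\\" && c3 != "/") next
        drive = tolower(substr($0, 1, 1))
        rest = substr($0, 3)
        gsub(/\\/, "/", rest)      # backslashes to forward slashes
        sub(/\/+$/, "", rest)      # no trailing slash
        p = "/" drive rest
        # Keep the first occurrence of every directory, preserving order
        if (!(p in seen)) {
            seen[p] = 1
            out = out (out == "" ? "" : ":") p
        }
    }
    END { printf "%s", out }'
}

# Constructed sample value, for illustration only
cmd_path_to_msys 'C:\Program Files\NASM;;.;C:\Windows\system32 '
echo
```
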
- Build Otp
The build procedure is the same as the general Windows one, except configure should include the
--enable-fips flag. Also I had to provide the path to my ssl, C:\usr\local\ssl\
cd /c/tmp/otp
export ERL_TOP=$(pwd)
bash # start a sub-shell to let you easily revert to the initial
# environment setup should things go messy
. /c/tmp/vcvars64.sh
eval `./otp_build env_win32 x64`
./otp_build autoconf
# ./otp_build configure --without-hipe --without-wx --without-ssl
./otp_build configure \
--with-wxdir=/c/tmp/vcpkg/installed/x64-windows/ \
--with-ssl=/c/usr/local/ssl \
--enable-fips
./otp_build boot -a
./otp_build release -a
./otp_build installer_win32
./release/win32/otp_win64_20 /S
- Start werl
crypto:start().
crypto:info_lib().
[<<"OpenSSL">>,1234556, <<"OpenSSL 1.0.2d-fips ...">>].
crypto:info_fips().
enabled.
Links:
- http://erlang.org/doc/installation_guide/INSTALL-WIN32.html#Tools-you-Need-and-Their-Environment
- http://erlang.org/documentation/doc-9.1/lib/crypto-4.1/doc/html/fips.html#id57655
- https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
- http://openssl.6102.n7.nabble.com/Help-regarding-Compile-FIPS-compliant-OpenSSL-on-Windows-platform-td48672.html