How to build OpenSSL on Mac and Windows

Posted: 2015-08-11 00:46:26

Question:

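I need to build static OpenSSL libraries for Windows, iOS and Android (x86, MIPS and Arm).

I have a Mac and a Windows PC. I do not have a Linux machine. So far I have found nothing on the web that suggests building what I need is possible, yet people have obviously done it.

Unfortunately, the OpenSSL wiki is not much help. Building static libraries for Windows with Visual Studio seems almost impossible. There is a cheat for iOS, but it does not build the version I need. As for Android, it will not build on Windows or Mac, at least not for me.

Why is such a common and widely adopted piece of software so difficult to build and use?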

Answer 1:

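Windows demo - building OpenSSL 1.0.2d

I was also frustrated with building OpenSSL for Windows, so I created the batch file below to build it with a single click. If all goes well, you will have an output folder named "OpenSSLoutput-1.0.2d" containing the FIPS OpenSSL files.

Static libraries are created here:

C:\Work\OpenSSL-Builds\openssl-1.0.2d-64\out32

Import libraries/DLLs are created here:

C:\Work\OpenSSL-Builds\openssl-1.0.2d-64\out32dll

To start the OpenSSL build, create a local folder, for example

C:\Work\OpenSSL-Builds\bin

The bin subfolder should contain these files: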

7z.dll
7z.exe
wget.exe
ReadMe.txt
RunMe.bat
BuildOpenSSL.bat
replace.bat    

The OpenSSL files can be extracted using 7z.dll and 7z.exe.

Available here: www.7-zip.org

Wget.exe is a free network utility for retrieving files from the Internet.

Available here: gnuwin32.sourceforge.net/packages/wget.htm

Readme.txt

--- Building FIPS Capable OpenSSL ---

Edit RunMe.bat and tweak these variables:

set fipsurl=http://www.openssl.org/source
set fipsfile=openssl-fips-2.0.11.tar.gz
set fipsfileversion=2.0.11

set opensslurl=http://www.openssl.org/source
set opensslfile=openssl-1.0.2e.tar.gz
set opensslfileversion=1.0.2e

set rootfolder="C:\OpenSSL-Builds"
set VCcompiler="C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC"

To build, run the batch file:

        bin\RunMe.bat


--- FIPS capable OpenSSL ---

The FIPS module was designed from the beginning to be used in conjunction with OpenSSL in a configuration we call the "FIPS Capable" OpenSSL, where the FIPS module is embedded in the OpenSSL shared library (or library plus application as an executable file) and all relevant cryptographic operations are seamlessly diverted to the FIPS module when the FIPS mode of operation is enabled. A major advantage of the "FIPS capable" OpenSSL is that vendors can ship the same software to all of their customers, those who want the FIPS 140-2 validated cryptography and those who do not. For many software products and markets the latter group of users is the largest.

The "FIPS capable" OpenSSL redirects allowed cryptography to the embedded FIPS module and disables all other cryptography (those algorithm implementations not in the FIPS module), and to be conservative we implemented the "FIPS capable" OpenSSL 1.0.1 to unconditionally redirect some cryptographic operations (SHA digests, for instance, which are the same for FIPS and non-FIPS implementations) to the FIPS module. So, a FIPS module that unconditionally disables those cryptographic operations will break OpenSSL for anyone who doesn't immediately enable FIPS mode, which is most calling applications. Note that even aside from the fact that most users won't want the overhead of the POST, it isn't possible for a library to automatically perform POST processing in a portable way.

The proper treatment for a new FIPS capable OpenSSL for use with a disabled-by-default FIPS module will be to have OpenSSL ignore the FIPS module completely until and if it is referenced via a call to the FIPS_mode_set() function.


--- System Requirements ---

Download Visual Studio 2008 with VC++ support - C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\
Download nasm assembler                       - C:\nasm\
Download ActiveState Perl                     - C:\Perl64\

RunMe.bat

REM --- Building FIPS Capable OpenSSL ---

set fipsurl=http://www.openssl.org/source
set fipsfile=openssl-fips-2.0.11.tar.gz
set fipsfileversion=2.0.11

set opensslurl=http://www.openssl.org/source
set opensslfile=openssl-1.0.2e.tar.gz
set opensslfileversion=1.0.2e

set rootfolder="C:\OpenSSL-Builds"
set VCcompiler="C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC"

call buildOpenSSL.bat %fipsurl% %fipsfile% %opensslurl% %opensslfile% %fipsfileversion% %opensslfileversion% %rootfolder% %VCcompiler%

BuildOpenSSL.bat

@SETLOCAL

cd..

REM ------------------- Build FIPS x86 -------------------

set rootfolder=%7
set rootfolder=%rootfolder:~1,-1%
set fipsurl=%1
set fips=%2
set OpenSSLurl=%3
set openSSL=%4
set fipsver=%5
set OpenSSLver=%6
set fipstar=%fips:~0,-3%
set fipsfolder=%fips:~0,-7%
set openSSLtar=%openSSL:~0,-3%
set openSSLfolder=%openSSL:~0,-7%
set VCcompiler=%8
set VCcompiler=%VCcompiler:~1,-1%

REM Set environment variable PROCESSOR_ARCHITECTURE briefly to x86.
REM This prevents FIPS trying to build an x64 release by default.
ECHO Setting PROCESSOR_ARCHITECTURE from AMD64 to x86
set PROCESSOR_ARCHITECTURE=x86
echo %PROCESSOR_ARCHITECTURE%

call "%VCcompiler%\vcvarsall.bat" x86
set path=C:\nasm;%rootfolder%\bin;%path%

del %fips%
del %fipstar%
rmdir /S /Q %fipsfolder%
rmdir /S /Q %fipsfolder%-64

wget -N -q --no-check-certificate %fipsurl%/%fips%
7z.exe x %fips%
7z.exe x %fipstar%

XCOPY "%rootfolder%\%fipsfolder%" "%rootfolder%\%fipsfolder%-64" /E /I /Y

cd %fipsfolder%
REM This statically links the CRT (/MT). That will remove the msvcr90.dll dependency by basically including the CRT inside the dll.
REM For VC debug builds, comment out the next line to keep /MD.
call "%rootfolder%\bin\replace.bat" "/MD" "/MT" "%rootfolder%\%fipsfolder%\util\pl\VC-32.pl"

perl Configure VC-WIN32
call "%rootfolder%\bin\replace.bat" "pause" "rem pause" "%rootfolder%\%fipsfolder%\ms\do_fips.bat"
call ms\do_fips.bat

cd "%rootfolder%"

REM ------------------- Build OpenSSL x86 -------------------

del %openSSL%
del %openSSLtar%
rmdir /S /Q %openSSLfolder%

wget -N -q --no-check-certificate %OpenSSLurl%/%openSSL%
7z.exe x %openSSL%
7z.exe x %openSSLtar%

XCOPY "%rootfolder%\%openSSLfolder%" "%rootfolder%\%openSSLfolder%-64" /E /I /Y

cd %openSSLfolder%
call "%rootfolder%\bin\replace.bat" "/MD" "/MT" "%rootfolder%\%openSSLfolder%\util\pl\VC-32.pl"

perl Configure VC-WIN32 fips --with-fipslibdir=%rootfolder%\%fipsfolder%\out32dll
call ms\do_nasm.bat

REM /fixed tells the operating system to load the program only at its preferred base address.
REM The standard OpenSSL build with the FIPS option will use a base address for libeay32.dll of 0xFB00000.
call "%rootfolder%\bin\replace.bat" "/dll" "/dll /fixed" "%rootfolder%\%openSSLfolder%\ms\ntdll.mak"

REM Embed symbols into lib files - otherwise copy \tmp32\LIB.PDB to the project.
call "%rootfolder%\bin\replace.bat" "/Zi" "/Z7" "%rootfolder%\%openSSLfolder%\ms\ntdll.mak"

REM Building the 32-bit dynamic libraries for FIPS
nmake -f ms\ntdll.mak
nmake -f ms\ntdll.mak test

REM Building the 32-bit static libraries for OPENSSL.EXE
perl Configure VC-WIN32
call ms\do_nasm.bat

REM Embed symbols into lib files.
call "%rootfolder%\bin\replace.bat" "/Zi" "/Z7" "%rootfolder%\%openSSLfolder%\ms\nt.mak"

nmake -f ms\nt.mak
nmake -f ms\nt.mak test

cd "%rootfolder%"

rmdir /S /Q OpenSSLoutput-%OpenSSLver%
mkdir OpenSSLoutput-%OpenSSLver%

copy "%rootfolder%\%openSSLfolder%\out32dll\libeay32.lib" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\libeay32_%OpenSSLver%-fips-%fipsver%_W32.lib"
copy "%rootfolder%\%openSSLfolder%\out32dll\libeay32.dll" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\libeay32.dll"
copy "%rootfolder%\%openSSLfolder%\out32dll\ssleay32.lib" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\ssleay32_%OpenSSLver%-fips-%fipsver%_W32.lib"
copy "%rootfolder%\%openSSLfolder%\out32dll\ssleay32.dll" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\ssleay32.dll"
copy "%rootfolder%\%openSSLfolder%\out32\openssl.exe" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\OpenSSL.exe"

REM Copy Static Libs (Non FIPS)
copy "%rootfolder%\%openSSLfolder%\out32\libeay32.lib" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\libeay32_%OpenSSLver%_W32.lib"
copy "%rootfolder%\%openSSLfolder%\out32\ssleay32.lib" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\ssleay32_%OpenSSLver%_W32.lib"


REM ------------------- Build FIPS x64 -------------------

ECHO Setting PROCESSOR_ARCHITECTURE from x86 to AMD64
set PROCESSOR_ARCHITECTURE=AMD64
echo %PROCESSOR_ARCHITECTURE%

call "%VCcompiler%\vcvarsall.bat" x86_amd64
set path=C:\nasm;%rootfolder%\bin;%path%

cd %fipsfolder%-64
REM This statically links the CRT (/MT). That will remove the msvcr90.dll dependency by basically including the CRT inside the dll.
call "%rootfolder%\bin\replace.bat" "/MD" "/MT" "%rootfolder%\%fipsfolder%-64\util\pl\VC-32.pl"

perl Configure VC-WIN64A
call "%rootfolder%\bin\replace.bat" "pause" "rem pause" "%rootfolder%\%fipsfolder%-64\ms\do_fips.bat"
call ms\do_fips.bat

REM ------------------- Build OpenSSL x64 -------------------

cd "%rootfolder%\%openSSLfolder%-64"
call "%rootfolder%\bin\replace.bat" "/MD" "/MT" "%rootfolder%\%openSSLfolder%-64\util\pl\VC-32.pl"

perl Configure VC-WIN64A fips --with-fipslibdir=%rootfolder%\%fipsfolder%-64\out32dll
call ms\do_win64a.bat

REM /fixed tells the operating system to load the program only at its preferred base address.
REM The standard OpenSSL build with the FIPS option will use a base address for libeay32.dll of 0xFB00000.
call "%rootfolder%\bin\replace.bat" "/dll" "/dll /fixed" "%rootfolder%\%openSSLfolder%-64\ms\ntdll.mak"

REM Embed symbols into lib files.
call "%rootfolder%\bin\replace.bat" "/Zi" "/Z7" "%rootfolder%\%openSSLfolder%-64\ms\ntdll.mak"

REM Create 64-bit named binaries to prevent clashing with 32-bit binaries
call "%rootfolder%\bin\replace.bat" "SSL=ssleay32" "SSL=ssleay64" "%rootfolder%\%openSSLfolder%-64\ms\ntdll.mak"
call "%rootfolder%\bin\replace.bat" "CRYPTO=libeay32" "CRYPTO=libeay64" "%rootfolder%\%openSSLfolder%-64\ms\ntdll.mak"
call "%rootfolder%\bin\replace.bat" "SSLEAY32" "SSLEAY64" "%rootfolder%\%openSSLfolder%-64\ms\ssleay32.def"
call "%rootfolder%\bin\replace.bat" "LIBEAY32" "LIBEAY64" "%rootfolder%\%openSSLfolder%-64\ms\libeay32.def"

REM Building the 64-bit dynamic libraries for FIPS
nmake -f ms\ntdll.mak
nmake -f ms\ntdll.mak test

REM Building the 64-bit static libraries for OPENSSL.EXE
perl Configure VC-WIN64A
call ms\do_win64a.bat
call "%rootfolder%\bin\replace.bat" "SSL=ssleay32" "SSL=ssleay64" "%rootfolder%\%openSSLfolder%-64\ms\nt.mak"
call "%rootfolder%\bin\replace.bat" "CRYPTO=libeay32" "CRYPTO=libeay64" "%rootfolder%\%openSSLfolder%-64\ms\nt.mak"

REM Embed symbols into lib files.
call "%rootfolder%\bin\replace.bat" "/Zi" "/Z7" "%rootfolder%\%openSSLfolder%-64\ms\nt.mak"

nmake -f ms\nt.mak
nmake -f ms\nt.mak test

cd "%rootfolder%"

copy "%rootfolder%\%openSSLfolder%-64\out32dll\libeay64.lib" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\libeay64_%OpenSSLver%-fips-%fipsver%_W64.lib"
copy "%rootfolder%\%openSSLfolder%-64\out32dll\libeay64.dll" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\libeay64.dll"
copy "%rootfolder%\%openSSLfolder%-64\out32dll\ssleay64.lib" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\ssleay64_%OpenSSLver%-fips-%fipsver%_W64.lib"
copy "%rootfolder%\%openSSLfolder%-64\out32dll\ssleay64.dll" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\ssleay64.dll"
copy "%rootfolder%\%openSSLfolder%-64\out32\openssl.exe" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\OpenSSL64.exe"

REM Copy Static Libs (Non FIPS)
copy "%rootfolder%\%openSSLfolder%-64\out32\libeay64.lib" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\libeay64_%OpenSSLver%_W64.lib"
copy "%rootfolder%\%openSSLfolder%-64\out32\ssleay64.lib" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\ssleay64_%OpenSSLver%_W64.lib"


REM ------------------- Cleanup Build -------------------

del %fips%
del %fipstar%
rmdir /S /Q %fipsfolder%
rmdir /S /Q %fipsfolder%-64

del %openSSL%
del %openSSLtar%
rmdir /S /Q %openSSLfolder%
rmdir /S /Q %openSSLfolder%-64

exit

replace.bat

@echo ON
setlocal

call :FindReplace %1 %2 %3

exit /b 

:FindReplace <findstr> <replstr> <file>
set tmp="%temp%\tmp.txt"
If not exist %temp%\_.vbs call :MakeReplace
for /f "tokens=*" %%a in ('dir "%3" /s /b /a-d /on') do (
  for /f "usebackq" %%b in (`Findstr /mic:"%~1" "%%a"`) do (
    echo(&Echo Replacing "%~1" with "%~2" in file %%~nxa
    <%%a cscript //nologo %temp%\_.vbs "%~1" "%~2">%tmp%
    if exist %tmp% move /Y %tmp% "%%~dpnxa">nul
  )
)

del %temp%\_.vbs

exit /b

:MakeReplace
>%temp%\_.vbs echo with Wscript
>>%temp%\_.vbs echo set args=.arguments
>>%temp%\_.vbs echo .StdOut.Write _
>>%temp%\_.vbs echo Replace(.StdIn.ReadAll,args(0),args(1),1,-1,1)
>>%temp%\_.vbs echo end with

Using OpenSSL in Visual Studio

Several Configuration Properties use these boost/openssl paths:

                a. C/C++ -> Additional Include Directories -> C:\boost64\include;C:\Work\OpenSSL-Builds\openssl-1.0.2d-64\inc32

                b. Linker -> General -> Additional Library Directories -> C:\boost64\lib;C:\Work\OpenSSL-Builds\openssl-1.0.2d-64\out32

                c. Linker -> Command Line -> Additional Options -> Add libeay64.lib and ssleay64.lib

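Comments:

You should add "@SETLOCAL" to the top of the "BuildOpenSSL.bat" file. Without it, my PATH variable kept growing with every execution of the .bat file. If you have to run the .bat file several times because of errors, this causes problems later on ("The input line is too long" from vcvarsall.bat).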
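
BuildOpenSSL.bat in the answer above downloads both tarballs over plain HTTP with `--no-check-certificate`, so nothing authenticates the source before it is compiled. The PowerShell script below is an added example, not part of the original answer: it checks a downloaded tarball against a pinned SHA-256 digest and returns a non-zero exit code on mismatch, so the batch file can stop before the `7z.exe x` step. The script name `Verify-Tarball.ps1`, its parameters and the digest placeholder are assumptions.

```powershell
# Verify-Tarball.ps1 (hypothetical name) - added example, not from the original answer.
# Requires PowerShell 4.0 or later (Get-FileHash).
#
# Assumed call from BuildOpenSSL.bat, right after the wget line and before 7z.exe:
#   powershell -NoProfile -ExecutionPolicy Bypass -File "%rootfolder%\bin\Verify-Tarball.ps1" -Path %openSSL% -Expected PINNED_SHA256_PLACEHOLDER
#   if errorlevel 1 exit /b 1
param(
    [Parameter(Mandatory = $true)][string]$Path,
    # A bare 64-hex-digit digest, or a whole checksum line such as
    # "<hash>  <file>" or "SHA256(<file>)= <hash>".
    [Parameter(Mandatory = $true)][string]$Expected
)

$ErrorActionPreference = 'Stop'

function Get-PinnedDigest([string]$Text) {
    # Extract exactly one 64-hex-digit token; reject input that has none.
    $m = [regex]::Match($Text, '(?<![0-9A-Fa-f])[0-9A-Fa-f]{64}(?![0-9A-Fa-f])')
    if (-not $m.Success) { throw "No SHA-256 digest found in -Expected" }
    return $m.Value.ToUpperInvariant()
}

try {
    $pinned = Get-PinnedDigest $Expected
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Downloaded file not found: $Path"
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToUpperInvariant()
    if ($actual -ne $pinned) {
        # Delete the unverified archive so a later step cannot extract it by accident.
        Remove-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
        throw "SHA-256 mismatch for $Path (expected $pinned, got $actual)"
    }
    Write-Host "OK  $Path  $actual"
    exit 0
}
catch {
    # Fail closed: every error path ends in a non-zero exit code for the batch file.
    Write-Host "FAILED: $($_.Exception.Message)"
    exit 1
}
```

Take the pinned digest from a source you trust independently of the HTTP download, and keep one per tarball next to the version variables in RunMe.bat.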
