How to build OpenSSL on Mac and Windows


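I need to build static OpenSSL libraries for Windows, iOS and Android (x86, MIPS and Arm).

I have a Mac and a Windows machine. I do not have a Linux box. So far I have not found any indication online that what I need is possible, yet clearly people have done it.

Unfortunately, the OpenSSL wiki is not much use. Building static libraries for Windows with Visual Studio is next to impossible. There is a hack for iOS, but it does not build the version I need. As for Android, it will not build on Windows or Mac, at least not for me.

Why is such a widely used piece of software impossible to build and use?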

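Windows demonstration - building OpenSSL 1.0.2d

I was also frustrated with building OpenSSL for Windows, so I created the batch file below, which builds it with a single click. If all goes well, you will have an output folder named "OpenSSLoutput-1.0.2d" containing the OpenSSL files.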

The static LIBs are created here:

C:\Work\OpenSSL-Builds\openssl-1.0.2d-64\out32
C:\Work\OpenSSL-Builds\openssl-1.0.2d-64\out32dll

The import libs/DLLs are created here:

C:\Work\OpenSSL-Builds\openssl-1.0.2d-64\out32
C:\Work\OpenSSL-Builds\openssl-1.0.2d-64\out32dll

For example, to start the OpenSSL build, create the local folder:

C:\Work\OpenSSL-Builds\bin

The bin subfolder should contain the following files:

7z.dll
7z.exe
wget.exe
ReadMe.txt
RunMe.bat
BuildOpenSSL.bat
replace.bat

The OpenSSL files can be extracted with 7z.dll and 7z.exe.

Website: www.7-zip.org

Wget.exe is a free network utility for retrieving files from the Internet.

Available here: gnuwin32.sourceforge.net/packages/wget.htm

Readme.txt

--- Building FIPS Capable OpenSSL ---

Edit RunMe.bat and tweak these variables:

set fipsurl=http://www.openssl.org/source
set fipsfile=openssl-fips-2.0.11.tar.gz
set fipsfileversion=2.0.11

set opensslurl=http://www.openssl.org/source
set opensslfile=openssl-1.0.2e.tar.gz
set opensslfileversion=1.0.2e

set rootfolder="C:\OpenSSL-Builds"
set VCcompiler="C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC"

To build, run the batch file:

        bin\RunMe.bat


--- FIPS capable OpenSSL ---

The FIPS module was designed from the beginning to be used in conjunction with OpenSSL in a configuration we call the "FIPS Capable" OpenSSL, where the FIPS module is embedded in the OpenSSL shared library (or library plus application as an executable file) and all relevant cryptographic operations are seamlessly diverted to the FIPS module when the FIPS mode of operation is enabled. A major advantage of the "FIPS capable" OpenSSL is that vendors can ship the same software to all of their customers, those who want the FIPS 140-2 validated cryptography and those who do not. For many software products and markets the latter group of users is the largest.

The "FIPS capable" OpenSSL redirects allowed cryptography to the embedded FIPS module and disables all other cryptography (those algorithm implementations not in the FIPS module), and to be conservative we implemented the "FIPS capable" OpenSSL 1.0.1 to unconditionally redirect some cryptographic operations (SHA digests, for instance, which are the same for FIPS and non-FIPS implementations) to the FIPS module. So, a FIPS module that unconditionally disables those cryptographic operations will break OpenSSL for anyone who doesn't immediately enable FIPS mode, which is most calling applications. Note that even aside from the fact that most users won't want the overhead of the POST, it isn't possible for a library to automatically perform POST processing in a portable way.

The proper treatment for a new FIPS capable OpenSSL for use with a disabled-by-default FIPS module will be to have OpenSSL ignore the FIPS module completely until and if it is referenced via a call to the FIPS_mode_set() function.


--- System Requirements ---

Download Visual Studio 2008 with VC++ support - C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\
Download nasm assembler                       - C:\nasm\
Download ActiveState Perl                     - C:\Perl64\

RunMe.bat

REM --- Building FIPS Capable OpenSSL ---

set fipsurl=http://www.openssl.org/source
set fipsfile=openssl-fips-2.0.11.tar.gz
set fipsfileversion=2.0.11

set opensslurl=http://www.openssl.org/source
set opensslfile=openssl-1.0.2e.tar.gz
set opensslfileversion=1.0.2e

set rootfolder="C:\OpenSSL-Builds"
set VCcompiler="C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC"

call buildOpenSSL.bat %fipsurl% %fipsfile% %opensslurl% %opensslfile% %fipsfileversion% %opensslfileversion% %rootfolder% %VCcompiler%

BuildOpenSSL.bat

@SETLOCAL

cd..

REM ------------------- Build FIPS x86 -------------------

set rootfolder=%7
set rootfolder=%rootfolder:~1,-1%
set fipsurl=%1
set fips=%2
set OpenSSLurl=%3
set openSSL=%4
set fipsver=%5
set OpenSSLver=%6
set fipstar=%fips:~0,-3%
set fipsfolder=%fips:~0,-7%
set openSSLtar=%openSSL:~0,-3%
set openSSLfolder=%openSSL:~0,-7%
set VCcompiler=%8
set VCcompiler=%VCcompiler:~1,-1%

REM Set environment variable PROCESSOR_ARCHITECTURE briefly to x86.
REM This prevents FIPS trying to build an x64 release by default.
ECHO Setting PROCESSOR_ARCHITECTURE from AMD64 to x86
set PROCESSOR_ARCHITECTURE=x86
echo %PROCESSOR_ARCHITECTURE%

call "%VCcompiler%\vcvarsall.bat" x86
set path=C:\nasm;%rootfolder%\bin;%path%

del %fips%
del %fipstar%
rmdir /S /Q %fipsfolder%
rmdir /S /Q %fipsfolder%-64

wget -N -q --no-check-certificate %fipsurl%/%fips%
7z.exe x %fips%
7z.exe x %fipstar%

XCOPY "%rootfolder%\%fipsfolder%" "%rootfolder%\%fipsfolder%-64" /E /I /Y

cd %fipsfolder%
REM This statically links the CRT (/MT). That will remove the msvcr90.dll dependency by basically including the CRT inside the dll.
REM For VC debug builds, comment out the next line to keep /MD.
call "%rootfolder%\bin\replace.bat" "/MD" "/MT" "%rootfolder%\%fipsfolder%\util\pl\VC-32.pl"

perl Configure VC-WIN32
call "%rootfolder%\bin\replace.bat" "pause" "rem pause" "%rootfolder%\%fipsfolder%\ms\do_fips.bat"
call ms\do_fips.bat

cd "%rootfolder%"

REM ------------------- Build OpenSSL x86 -------------------

del %openSSL%
del %openSSLtar%
rmdir /S /Q %openSSLfolder%

wget -N -q --no-check-certificate %OpenSSLurl%/%openSSL%
7z.exe x %openSSL%
7z.exe x %openSSLtar%

XCOPY "%rootfolder%\%openSSLfolder%" "%rootfolder%\%openSSLfolder%-64" /E /I /Y

cd %openSSLfolder%
call "%rootfolder%\bin\replace.bat" "/MD" "/MT" "%rootfolder%\%openSSLfolder%\util\pl\VC-32.pl"

perl Configure VC-WIN32 fips --with-fipslibdir=%rootfolder%\%fipsfolder%\out32dll
call ms\do_nasm.bat

REM /fixed tells the operating system to load the program only at its preferred base address.
REM The standard OpenSSL build with the FIPS option will use a base address for libeay32.dll of 0xFB00000.
call "%rootfolder%\bin\replace.bat" "/dll" "/dll /fixed" "%rootfolder%\%openSSLfolder%\ms\ntdll.mak"

REM Embed symbols into lib files - otherwise copy \tmp32\LIB.PDB to the project.
call "%rootfolder%\bin\replace.bat" "/Zi" "/Z7" "%rootfolder%\%openSSLfolder%\ms\ntdll.mak"

REM Building the 32-bit dynamic libraries for FIPS
nmake -f ms\ntdll.mak
nmake -f ms\ntdll.mak test

REM Building the 32-bit static libraries for OPENSSL.EXE
perl Configure VC-WIN32
call ms\do_nasm.bat

REM Embed symbols into lib files.
call "%rootfolder%\bin\replace.bat" "/Zi" "/Z7" "%rootfolder%\%openSSLfolder%\ms\nt.mak"

nmake -f ms\nt.mak
nmake -f ms\nt.mak test

cd "%rootfolder%"

rmdir /S /Q OpenSSLoutput-%OpenSSLver%
mkdir OpenSSLoutput-%OpenSSLver%

copy "%rootfolder%\%openSSLfolder%\out32dll\libeay32.lib" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\libeay32_%OpenSSLver%-fips-%fipsver%_W32.lib"
copy "%rootfolder%\%openSSLfolder%\out32dll\libeay32.dll" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\libeay32.dll"
copy "%rootfolder%\%openSSLfolder%\out32dll\ssleay32.lib" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\ssleay32_%OpenSSLver%-fips-%fipsver%_W32.lib"
copy "%rootfolder%\%openSSLfolder%\out32dll\ssleay32.dll" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\ssleay32.dll"
copy "%rootfolder%\%openSSLfolder%\out32\openssl.exe" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\OpenSSL.exe"

REM Copy Static Libs (Non FIPS)
copy "%rootfolder%\%openSSLfolder%\out32\libeay32.lib" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\libeay32_%OpenSSLver%_W32.lib"
copy "%rootfolder%\%openSSLfolder%\out32\ssleay32.lib" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\ssleay32_%OpenSSLver%_W32.lib"


REM ------------------- Build FIPS x64 -------------------

ECHO Setting PROCESSOR_ARCHITECTURE from x86 to AMD64
set PROCESSOR_ARCHITECTURE=AMD64
echo %PROCESSOR_ARCHITECTURE%

call "%VCcompiler%\vcvarsall.bat" x86_amd64
set path=C:\nasm;%rootfolder%\bin;%path%

cd %fipsfolder%-64
REM This statically links the CRT (/MT). That will remove the msvcr90.dll dependency by basically including the CRT inside the dll.
call "%rootfolder%\bin\replace.bat" "/MD" "/MT" "%rootfolder%\%fipsfolder%-64\util\pl\VC-32.pl"

perl Configure VC-WIN64A
call "%rootfolder%\bin\replace.bat" "pause" "rem pause" "%rootfolder%\%fipsfolder%-64\ms\do_fips.bat"
call ms\do_fips.bat

REM ------------------- Build OpenSSL x64 -------------------

cd "%rootfolder%\%openSSLfolder%-64"
call "%rootfolder%\bin\replace.bat" "/MD" "/MT" "%rootfolder%\%openSSLfolder%-64\util\pl\VC-32.pl"

perl Configure VC-WIN64A fips --with-fipslibdir=%rootfolder%\%fipsfolder%-64\out32dll
call ms\do_win64a.bat

REM /fixed tells the operating system to load the program only at its preferred base address.
REM The standard OpenSSL build with the FIPS option will use a base address for libeay32.dll of 0xFB00000.
call "%rootfolder%\bin\replace.bat" "/dll" "/dll /fixed" "%rootfolder%\%openSSLfolder%-64\ms\ntdll.mak"

REM Embed symbols into lib files.
call "%rootfolder%\bin\replace.bat" "/Zi" "/Z7" "%rootfolder%\%openSSLfolder%-64\ms\ntdll.mak"

REM Create 64-bit named binaries to prevent clashing with 32-bit binaries
call "%rootfolder%\bin\replace.bat" "SSL=ssleay32" "SSL=ssleay64" "%rootfolder%\%openSSLfolder%-64\ms\ntdll.mak"
call "%rootfolder%\bin\replace.bat" "CRYPTO=libeay32" "CRYPTO=libeay64" "%rootfolder%\%openSSLfolder%-64\ms\ntdll.mak"
call "%rootfolder%\bin\replace.bat" "SSLEAY32" "SSLEAY64" "%rootfolder%\%openSSLfolder%-64\ms\ssleay32.def"
call "%rootfolder%\bin\replace.bat" "LIBEAY32" "LIBEAY64" "%rootfolder%\%openSSLfolder%-64\ms\libeay32.def"

REM Building the 64-bit dynamic libraries for FIPS
nmake -f ms\ntdll.mak
nmake -f ms\ntdll.mak test

REM Building the 64-bit static libraries for OPENSSL.EXE
perl Configure VC-WIN64A
call ms\do_win64a.bat
call "%rootfolder%\bin\replace.bat" "SSL=ssleay32" "SSL=ssleay64" "%rootfolder%\%openSSLfolder%-64\ms\nt.mak"
call "%rootfolder%\bin\replace.bat" "CRYPTO=libeay32" "CRYPTO=libeay64" "%rootfolder%\%openSSLfolder%-64\ms\nt.mak"

REM Embed symbols into lib files.
call "%rootfolder%\bin\replace.bat" "/Zi" "/Z7" "%rootfolder%\%openSSLfolder%-64\ms\nt.mak"

nmake -f ms\nt.mak
nmake -f ms\nt.mak test

cd "%rootfolder%"

copy "%rootfolder%\%openSSLfolder%-64\out32dll\libeay64.lib" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\libeay64_%OpenSSLver%-fips-%fipsver%_W64.lib"
copy "%rootfolder%\%openSSLfolder%-64\out32dll\libeay64.dll" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\libeay64.dll"
copy "%rootfolder%\%openSSLfolder%-64\out32dll\ssleay64.lib" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\ssleay64_%OpenSSLver%-fips-%fipsver%_W64.lib"
copy "%rootfolder%\%openSSLfolder%-64\out32dll\ssleay64.dll" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\ssleay64.dll"
copy "%rootfolder%\%openSSLfolder%-64\out32\openssl.exe" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\OpenSSL64.exe"

REM Copy Static Libs (Non FIPS)
copy "%rootfolder%\%openSSLfolder%-64\out32\libeay64.lib" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\libeay64_%OpenSSLver%_W64.lib"
copy "%rootfolder%\%openSSLfolder%-64\out32\ssleay64.lib" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\ssleay64_%OpenSSLver%_W64.lib"


REM ------------------- Cleanup Build -------------------

del %fips%
del %fipstar%
rmdir /S /Q %fipsfolder%
rmdir /S /Q %fipsfolder%-64

del %openSSL%
del %openSSLtar%
rmdir /S /Q %openSSLfolder%
rmdir /S /Q %openSSLfolder%-64

exit

replace.bat

@echo ON
setlocal

call :FindReplace %1 %2 %3

exit /b 

:FindReplace <findstr> <replstr> <file>
set tmp="%temp%\tmp.txt"
If not exist %temp%\_.vbs call :MakeReplace
for /f "tokens=*" %%a in ('dir "%3" /s /b /a-d /on') do (
  for /f "usebackq" %%b in (`Findstr /mic:"%~1" "%%a"`) do (
    echo(&Echo Replacing "%~1" with "%~2" in file %%~nxa
    <%%a cscript //nologo %temp%\_.vbs "%~1" "%~2">%tmp%
    if exist %tmp% move /Y %tmp% "%%~dpnxa">nul
  )
)

del %temp%\_.vbs

exit /b

:MakeReplace
>%temp%\_.vbs echo with Wscript
>>%temp%\_.vbs echo set args=.arguments
>>%temp%\_.vbs echo .StdOut.Write _
>>%temp%\_.vbs echo Replace(.StdIn.ReadAll,args(0),args(1),1,-1,1)
>>%temp%\_.vbs echo end with
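
The build script above fetches both tarballs with `wget --no-check-certificate` from an `http://` URL, so nothing authenticates the source that ends up in the libraries. The following helper is an added example, not part of the original answer: a hypothetical `verify.bat` for the `bin` folder that compares a file's SHA-256 (computed with Windows' built-in `certutil`) against a digest you pin yourself. The digest in the usage comment is a placeholder; take the real value from the release's published checksum over a channel you trust.

```batch
@echo off
setlocal
REM verify.bat - added example (hypothetical helper, not one of the answer's files).
REM Usage:  verify.bat FILE EXPECTED_SHA256_HEX
REM Exit codes: 0 = digest matches, 1 = mismatch or hashing failed, 2 = bad arguments.
REM In BuildOpenSSL.bat, call it right after each wget line, for example:
REM   call "%rootfolder%\bin\verify.bat" "%fips%" PLACEHOLDER_SHA256_HEX
REM   if errorlevel 1 exit /b 1
REM PLACEHOLDER_SHA256_HEX stands for the digest you pinned for that exact tarball.

if "%~2"=="" goto :usage
if not exist "%~1" goto :missing

REM certutil prints a header line, then the digest, then a status line.
REM skip=1 drops the header; only the first remaining line is kept.
set "actual="
for /f "skip=1 tokens=* delims=" %%h in ('certutil -hashfile "%~1" SHA256') do (
  if not defined actual set "actual=%%h"
)
if not defined actual goto :hashfail

REM Older certutil builds print the digest as space-separated byte pairs.
set "actual=%actual: =%"

REM Hex digests are compared case-insensitively.
if /i "%actual%"=="%~2" goto :ok

echo ERROR: SHA-256 mismatch for "%~nx1"
echo   expected: %~2
echo   actual:   %actual%
echo Refusing to continue; delete the file and download it again.
exit /b 1

:ok
echo OK: "%~nx1" matches the pinned SHA-256.
exit /b 0

:usage
echo Usage: %~nx0 FILE EXPECTED_SHA256_HEX
exit /b 2

:missing
echo ERROR: file not found: "%~1"
exit /b 2

:hashfail
echo ERROR: certutil produced no digest for "%~1"
exit /b 1
```

Run the check before the `7z.exe x` steps so that an unexpected archive is never unpacked or built. The pinned digest has to come from a source other than the same unauthenticated download.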

exit

replace.bat

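@echo ON
setlocal

REM Usage: replace.bat "find" "replace" "file"
REM Replaces every occurrence of the find string with the replace string in the file.
REM Matching is literal and case-insensitive (Findstr /i, VBScript Replace in text-compare mode).
call :FindReplace %1 %2 %3

exit /b

:FindReplace <findstr> <replstr> <file>
set tmp="%temp%\tmp.txt"
REM The helper script is generated only when it is missing, so a leftover file at this path is run as-is.
If not exist "%temp%\_.vbs" call :MakeReplace
for /f "tokens=*" %%a in ('dir "%3" /s /b /a-d /on') do (
  for /f "usebackq" %%b in (`Findstr /mic:"%~1" "%%a"`) do (
    echo(&Echo Replacing "%~1" with "%~2" in file %%~nxa
    <%%a cscript //nologo "%temp%\_.vbs" "%~1" "%~2">%tmp%
    if exist %tmp% move /Y %tmp% "%%~dpnxa">nul
  )
)

del "%temp%\_.vbs"

exit /b

REM Writes the VBScript helper: it reads stdin, replaces all matches and writes the result to stdout.
:MakeReplace
>"%temp%\_.vbs" echo with Wscript
>>"%temp%\_.vbs" echo set args=.arguments
>>"%temp%\_.vbs" echo .StdOut.Write _
>>"%temp%\_.vbs" echo Replace(.StdIn.ReadAll,args(0),args(1),1,-1,1)
>>"%temp%\_.vbs" echo end with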
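You should add "@SETLOCAL" to the top of the "BuildOpenSSL.bat" file. Without it, my PATH variable kept growing with every execution of the .bat file. This causes problems ("input line is too long for vcvarsall.bat") if you have to execute the .bat file several times because of errors.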
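Added example (not part of the original answer or of the OpenSSL build scripts): BuildOpenSSL.bat rewrites "/dll" to "/dll /fixed" so the FIPS capable DLL loads only at its preferred base address, which also means the DLL carries no relocation data and ASLR cannot move it. This Python script reads the PE headers of a built DLL and reports the image base together with the relocation, ASLR and DEP flags, so the result of that edit can be checked on the output files. The names pe_load_info and make_sample are chosen here, and the sample headers are constructed test input.

```python
import struct
import sys

IMAGE_FILE_RELOCS_STRIPPED = 0x0001  # COFF Characteristics: no base relocations
DYNAMIC_BASE = 0x0040                # DllCharacteristics: image opts in to ASLR
NX_COMPAT = 0x0100                   # DllCharacteristics: image opts in to DEP

def pe_load_info(data: bytes) -> dict:
    """Return ImageBase and the relocation/ASLR/DEP flags of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    characteristics = struct.unpack_from("<H", data, pe_off + 22)[0]
    opt = pe_off + 24                                          # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                         # PE32 (x86)
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                       # PE32+ (x64)
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    fixed = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "image_base": image_base,
        "relocs_stripped": fixed,                    # what /fixed produces
        "aslr": bool(dll_chars & DYNAMIC_BASE) and not fixed,
        "nx_compat": bool(dll_chars & NX_COMPAT),
    }

def make_sample(magic, image_base, characteristics, dll_chars) -> bytes:
    """Constructed input: just enough of a PE header for pe_load_info()."""
    buf = bytearray(0x80 + 24 + 72)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x80 + 22, characteristics)
    opt = 0x80 + 24
    struct.pack_into("<H", buf, opt, magic)
    struct.pack_into("<I" if magic == 0x10B else "<Q", buf,
                     opt + (28 if magic == 0x10B else 24), image_base)
    struct.pack_into("<H", buf, opt + 70, dll_chars)
    return bytes(buf)

if __name__ == "__main__":
    for path in sys.argv[1:]:                        # e.g. the copied libeay32.dll
        with open(path, "rb") as fh:
            print(path, pe_load_info(fh.read(4096)))
```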