Ylianst / MeshAgent

MeshAgent is used along with MeshCentral to remotely manage computers. Many variations of the background management agent are included as binaries in the MeshCentral project.
https://meshcentral.com

Question: How to build agents using local (FIPS certified) OpenSSL #44

Open D4V3M0NK opened 4 years ago

D4V3M0NK commented 4 years ago

@Ylianst is aware of a little side project that I'm working on, and that's getting MC2 up and running within a FIPS 140-2 environment. Today I successfully (finally!!) got node and the MC2 server operating on Ubuntu and its certified OpenSSL encryption modules.

I believe I'm correct in assuming that the agents, however, are built by you fine chaps with the non-FIPS versions of OpenSSL and included as binaries when "npm install meshcentral" is run.

Is it possible to build these locally, using the OpenSSL files already on my system?

I've cloned the latest MeshAgent and see that there's an openssl folder thereunder. It appears that ~MeshAgent/openssl/include/openssl contains files that appear in my /usr/include/openssl folder (those being the FIPS OpenSSL files that I have already on my server). Additionally, ~/MeshAgent/openssl/libstatic/linux/x86-64 contains files that appear in my /usr/lib/x86_64-linux-gnu/ folder ...

I'm sure this is just the tip of the iceberg here, but would it be feasible to work on replacing what's in my cloned folder with files from my system and then perform some sort of build against everything? Alternatively, within the ./configure can I use something like node's --shared-openssl parameter (with perhaps the associated --shared-openssl-includes=/PATH/TO/OPENSSL/INCLUDE)?

krayon007 commented 4 years ago

There are two main ways you can accomplish what you are trying to...

1.) You can compile the FIPS version of openssl, and drop the .a file into the appropriate libstatic folder, and rebuild the agent.

2.) Modify the makefile, to dynamically link the openssl on your platform, instead of statically linking the one from the libstatic folder.

I can look at modifying the makefile, to provide a switch, so you can supply a command line switch when you build the agent to use either a static library, or a shared one.
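An illustration of the static/shared switch described in option (2), added here as an example; this is not the MeshAgent project's own makefile. The variable names (SHARED_OPENSSL, OPENSSL_INCLUDE, OPENSSL_LIB) and the libssl.a/libcrypto.a file names under libstatic are assumptions; the -Iopenssl/include flag and the libstatic/linux/x86-64 path are the ones mentioned in this thread.

```make
# Added example, not the project's makefile. SHARED_OPENSSL, OPENSSL_INCLUDE
# and OPENSSL_LIB are hypothetical variables introduced for illustration.
#
# Default (SHARED_OPENSSL=0): statically link the OpenSSL bundled in libstatic.
# SHARED_OPENSSL=1: dynamically link the OpenSSL installed on the build host,
# e.g. a FIPS-validated build, so the agent uses the same library as the server.
#
#   make                                   # bundled static OpenSSL
#   make SHARED_OPENSSL=1                  # system OpenSSL from default paths
#   make SHARED_OPENSSL=1 OPENSSL_INCLUDE=/usr/include OPENSSL_LIB=/usr/lib/x86_64-linux-gnu

SHARED_OPENSSL  ?= 0
OPENSSL_INCLUDE ?= /usr/include
OPENSSL_LIB     ?= /usr/lib/x86_64-linux-gnu
LIBSTATIC_DIR   ?= openssl/libstatic/linux/x86-64

ifeq ($(SHARED_OPENSSL),1)
  # Headers and libraries come from the system; nothing from libstatic is used.
  CFLAGS  += -I$(OPENSSL_INCLUDE)
  LDFLAGS += -L$(OPENSSL_LIB)
  LDLIBS  += -lssl -lcrypto
else
  # Headers and archives come from the repository's bundled copy.
  CFLAGS  += -Iopenssl/include
  LDLIBS  += $(LIBSTATIC_DIR)/libssl.a $(LIBSTATIC_DIR)/libcrypto.a
endif

# Link order: the .a archives (or -lssl -lcrypto) must follow the object files.
meshagent: $(OBJS)
	$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS) -lpthread -ldl
```

After a shared build, running ldd on the resulting binary should list libssl and libcrypto from OPENSSL_LIB; a static build lists neither, which is a quick way to confirm which OpenSSL the agent actually carries.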

D4V3M0NK commented 4 years ago

@krayon007 Thanks for responding so quickly. I think (2) would make more sense, at least to me, considering that's what I had to do with node itself. Additionally, Bryan, if a short but concise document could be included to explain what's needed to build (Ylian stated that it's trickier than node, as there's C/C++ cross-compiling to be done) that can be understood by a non-programmer, I'd certainly appreciate that!

krayon007 commented 4 years ago

What platforms do you need to compile the agent for? Once you let me know, I can show you the steps for that platform.

D4V3M0NK commented 4 years ago

@krayon007 / Brian, The agents required will be just Linux x64. To cover myself, I should also consider compiling the router too, which will be for Linux x64 and Windows x64.

I really appreciate the assistance.

Dave

D4V3M0NK commented 4 years ago

Just wondered @krayon007 if there was any documentation I could follow to give these builds a go? Just checking in...

krayon007 commented 4 years ago

I tried to put all the pertinent documentation into the makefile itself... It will give you directions on which packages to install to compile. (The only additional package is just the dev packages for jpeg and x11.)

It also shows how to build the agent, and what flags to pass, etc...

D4V3M0NK commented 4 years ago

Ok (rubbing hands like a small child at Christmas) ... I'll let you know how I get on! Thanks Bryan

D4V3M0NK commented 4 years ago

(and just like Christmas, I had to wait...) Just getting to this tonight!

D4V3M0NK commented 4 years ago

Keeping this here for historical value only: the error that I'm seeing here is commonplace and can be ignored (see here)

@krayon007 - Just checking in, but I had to install NASM before compiling libjpeg-turbo and got the following error a few times when making libjpeg-turbo: "libtool: error: ignoring unknown tag NASM". Is this normal and anything to worry about in your opinion? Do you see the same when you compile the agent (or at least when libjpeg-turbo was compiled)?

(full log: https://pastebin.com/gQ6AWatB)

D4V3M0NK commented 4 years ago

Additionally, when compiling for Windows 64bit (make ARCHID=2) I get the following error:

gcc -std=gnu99 -g -Wall -D_POSIX -DMICROSTACK_PROXY  -DILibChain_WATCHDOG_TIMEOUT=6000000 -fno-strict-aliasing -I. -Iopenssl/include -Imicrostack -Imicroscript -Imeshcore -Imeshconsole -DDUK_USE_DEBUGGER_SUPPORT -DDUK_USE_INTERRUPT_COUNTER -DDUK_USE_DEBUGGER_INSPECT -DDUK_USE_DEBUGGER_PAUSE_UNCAUGHT -DMICROSTACK_TLS_DETECT -O3   -c -o meshcore/agentcore.o meshcore/agentcore.c
In file included from ./microstack/ILibParsers.h:77:0,
                 from meshcore/agentcore.h:32,
                 from meshcore/agentcore.c:26:
meshcore/agentcore.c: In function ‘MeshServer_SendAgentInfo’:
meshcore/agentcore.c:2385:24: error: ‘MESH_AGENTID’ undeclared (first use in this function)
  info->agentId = htonl(MESH_AGENTID);
                        ^
meshcore/agentcore.c:2385:24: note: each undeclared identifier is reported only once for each function it appears in
meshcore/agentcore.c: In function ‘MeshAgent_Create’:
meshcore/agentcore.c:3665:38: error: ‘MESH_AGENTID’ undeclared (first use in this function)
  retVal->agentID = (AgentIdentifiers)MESH_AGENTID;
                                      ^
<builtin>: recipe for target 'meshcore/agentcore.o' failed
make: *** [meshcore/agentcore.o] Error 1

Although I didn't think I would need to, I will in fact need Windows agents too and so wondered if there was anything else I needed to install (on an Ubuntu system) in order to compile for Windows?

krayon007 commented 4 years ago

I haven't compiled libjpeg in a while so I'll check..

For Windows you need to build with Visual Studio 2015 or newer; it currently can't be built with the makefile.

D4V3M0NK commented 4 years ago

@krayon007, apologies Bryan - I've amended my comment about libjpeg-turbo as I found that there is a warning that's shown that can be ignored. I kept my post there just for reference purposes.