Re: [openssl-users] Problem building Linux shared library with static FIPS capable OpenSSL

[Dr. Stephen Henson]

On Mon, May 01, 2017, Nathan Glasser wrote:

> Hello,
> 
> We are using openssl-fips 2.0.14 with OpenSSL 1.0.2j.
> 
> We have a shared library on both Linux and Windows which uses static OpenSSL
> libraries. We'd like it to use static FIPS-capable OpenSSL libraries.
> 
> On Windows, everything is fine. On Linux, I have a problem. I am
> doing my tests on RedHat 6.0.
> 
> I am able to make standalone executables just fine, but shared library (.so)
> building does not work. I am linking using supplied the fipsld script.
> 
> The script gets error 139, which means a segmentation fault. Modifying
> the fipsld script to uncomment the "set -x" at the top shows me that
> the following is where the segmentation fault is occurring.
> 
>   # generate signature...
>   SIG=`"${TARGET}"`
> 
> It is attempting to run ${TARGET}, which is the .so file that has just been
> generated in the first link step. (It's not suprising to me that this results
> in a segmentation fault.) If I run the file which is left after the building
> aborts, I also get a segmentation fault.
> 
> I can see that there is another case - when the filename matches
> lib*|*.dll, which it does not.
> 
> If I try renaming the target to have "lib" at the start of the name,
> then when it runs this part
> 
>   # generate signature...
>   SIG=`"${PREMAIN_DSO}" "${TARGET}"`
> 
> it fails because there is no fips_premain_dso program. Nor can I find
> this anywhere in the openssl-fips or openssl packages. Should this have
> gotten built automatically in an earlier step?
> 
> I created a simplified test which consists of the fips_hmac sample (included
> in the OpenSSL Fips 2.0 manual), with main renamed to something else.
> 
> Can someone on this list please point me in the right direction for
> getting this to work? Thanks. Below are my makefile and build log.
> 

Try a shared build of the FIPS capable OpenSSL. You should then get
fips_premain_dso built as part of that process. Alternatively just do:

make fips_premain_dso

The fips_premain_dso executable isn't anything special: all it does is load
the library. It should then print out the signature which can then be embedded
for the second link step.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Documentation for Integrating New Cipher Creation Request

[Paul Dale]

I think this is worthwhile too.  Just before I submitted the ARIA addition, I 
drafted such a document which you could use as a basis.  The PR had some 
modifications made before being merged, so it isn't completely accurate.

I'll forward this directly.

Pauli

-- 
Oracle
Dr Paul Dale | Cryptographer | Network Security & Encryption 
Phone +61 7 3031 7217
Oracle Australia


-Original Message-
From: Schmicker, Robert [mailto:rsc...@unh.newhaven.edu] 
Sent: Monday, 1 May 2017 1:08 PM
To: openssl-users@openssl.org
Subject: [openssl-users] Documentation for Integrating New Cipher Creation 
Request

Hello,

Over the past several months through trial and error I have at last been able 
to integrate a new symmetric cipher into OpenSSL. After following this email 
chain for these past months I’ve noticed that once in a blue moon other users 
would ask how to integrate a new cipher into both libcrypto and libssl. While 
the process is still fresh in my head, I was wondering if the community would 
benefit in having some documentation on the process to follow and issues that 
may arise? Possibly add this into the OpenSSL wiki? I would love for this to be 
my first contribution to an open source project and help others who may find 
themselves in similar situations in the future.

Please let me know your thoughts.

Best,
Rob Schmicker
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Problem building Linux shared library with static FIPS capable OpenSSL

[Nathan Glasser]

Hello,

We are using openssl-fips 2.0.14 with OpenSSL 1.0.2j.

We have a shared library on both Linux and Windows which uses static OpenSSL
libraries. We'd like it to use static FIPS-capable OpenSSL libraries.

On Windows, everything is fine. On Linux, I have a problem. I am
doing my tests on RedHat 6.0.

I am able to make standalone executables just fine, but shared library (.so)
building does not work. I am linking using supplied the fipsld script.

The script gets error 139, which means a segmentation fault. Modifying
the fipsld script to uncomment the "set -x" at the top shows me that
the following is where the segmentation fault is occurring.

# generate signature...
SIG=`"${TARGET}"`

It is attempting to run ${TARGET}, which is the .so file that has just been
generated in the first link step. (It's not suprising to me that this results
in a segmentation fault.) If I run the file which is left after the building
aborts, I also get a segmentation fault.

I can see that there is another case - when the filename matches
lib*|*.dll, which it does not.

If I try renaming the target to have "lib" at the start of the name,
then when it runs this part

# generate signature...
SIG=`"${PREMAIN_DSO}" "${TARGET}"`

it fails because there is no fips_premain_dso program. Nor can I find
this anywhere in the openssl-fips or openssl packages. Should this have
gotten built automatically in an earlier step?

I created a simplified test which consists of the fips_hmac sample (included
in the OpenSSL Fips 2.0 manual), with main renamed to something else.

Can someone on this list please point me in the right direction for
getting this to work? Thanks. Below are my makefile and build log.


Here is the makefile I am using. The directory names included reflect
my local environment, but they are all using the versions I stated.



CC = gcc
OPENSSLDIR = ../openssl/export_openssl/
FIPSDIR=export_fips/linux/4.4
LIBCRYPTO = $(OPENSSLDIR)/linux/4.4/libcrypto.a
INCLUDES = -I$(OPENSSLDIR)/include
CMD = fips_hmac
OBJS = $(CMD).o

$(CMD).so: $(OBJS)
FIPSLD_CC=$(CC) $(FIPSDIR)/bin/fipsld -m32 -shared -Wl,-Bsymbolic -o 
$(CMD).so $(OBJS) $(LIBCRYPTO) -ldl

$(OBJS): $(CMD).c
$(CC) -c $(CMD).c $(INCLUDES) -m32

clean:
rm $(OBJS)



Here is the output from the build using the modified fipsld to include
"set -x".



gcc -c fips_hmac.c -I../openssl/export_openssl//include -m32
FIPSLD_CC=gcc export_fips/linux/4.4/bin/fipsld -m32 -shared -Wl,-Bsymbolic -o 
fips_hmac.so fips_hmac.o ../openssl/export_openssl//linux/4.4/libcrypto.a -ldl
+ CC=gcc
+ '[' -n gcc ']'
+ '[' x-m32 '!=' x -a x-m32 '!=' x-c -a x-m32 '!=' x-E ']'
+ shift
+ '[' x-shared '!=' x -a x-shared '!=' x-c -a x-shared '!=' x-E ']'
+ shift
+ '[' x-Wl,-Bsymbolic '!=' x -a x-Wl,-Bsymbolic '!=' x-c -a x-Wl,-Bsymbolic 
'!=' x-E ']'
+ shift
+ '[' x-o '!=' x -a x-o '!=' x-c -a x-o '!=' x-E ']'
+ shift
+ '[' xfips_hmac.so '!=' x -a xfips_hmac.so '!=' x-c -a xfips_hmac.so '!=' x-E 
']'
+ shift
+ '[' xfips_hmac.o '!=' x -a xfips_hmac.o '!=' x-c -a xfips_hmac.o '!=' x-E ']'
+ shift
+ '[' x../openssl/export_openssl//linux/4.4/libcrypto.a '!=' x -a 
x../openssl/export_openssl//linux/4.4/libcrypto.a '!=' x-c -a 
x../openssl/export_openssl//linux/4.4/libcrypto.a '!=' x-E ']'
+ shift
+ '[' x-ldl '!=' x -a x-ldl '!=' x-c -a x-ldl '!=' x-E ']'
+ shift
+ '[' x '!=' x -a x '!=' x-c -a x '!=' x-E ']'
+ '[' 0 -ge 1 ']'
++ '[' x-m32 '!=' x -a x-m32 '!=' x-o ']'
++ shift
++ '[' x-shared '!=' x -a x-shared '!=' x-o ']'
++ shift
++ '[' x-Wl,-Bsymbolic '!=' x -a x-Wl,-Bsymbolic '!=' x-o ']'
++ shift
++ '[' x-o '!=' x -a x-o '!=' x-o ']'
++ echo fips_hmac.so
+ TARGET=fips_hmac.so
+ case `basename "${TARGET}"` in
++ basename fips_hmac.so
+ case "$*" in
+ '[' -n fips_hmac.so ']'
+ '[' x-m32 '!=' x -a x-m32 '!=' x-DDEBUG_FINGERPRINT_PREMAIN ']'
+ shift
+ '[' x-shared '!=' x -a x-shared '!=' x-DDEBUG_FINGERPRINT_PREMAIN ']'
+ shift
+ '[' x-Wl,-Bsymbolic '!=' x -a x-Wl,-Bsymbolic '!=' 
x-DDEBUG_FINGERPRINT_PREMAIN ']'
+ shift
+ '[' x-o '!=' x -a x-o '!=' x-DDEBUG_FINGERPRINT_PREMAIN ']'
+ shift
+ '[' xfips_hmac.so '!=' x -a xfips_hmac.so '!=' x-DDEBUG_FINGERPRINT_PREMAIN 
']'
+ shift
+ '[' xfips_hmac.o '!=' x -a xfips_hmac.o '!=' x-DDEBUG_FINGERPRINT_PREMAIN ']'
+ shift
+ '[' x../openssl/export_openssl//linux/4.4/libcrypto.a '!=' x -a 
x../openssl/export_openssl//linux/4.4/libcrypto.a '!=' 
x-DDEBUG_FINGERPRINT_PREMAIN ']'
+ shift
+ '[' x-ldl '!=' x -a x-ldl '!=' x-DDEBUG_FINGERPRINT_PREMAIN ']'
+ shift
+ '[' x '!=' x -a x '!=' x-DDEBUG_FINGERPRINT_PREMAIN ']'
+ '[' 0 -ge 1 ']'
++ echo export_fips/linux/4.4/bin/fipsld
++ sed -e 's|[^/]*$||'
+ THERE=export_fips/linux/4.4/bin/..
++ '[' x-m32 '!=' x ']'
++ case "$1" in
++ shift
++ '[' x-shared '!=' x ']'
++ case "$1" in
++ shift
++ '[' x-Wl,-Bsymbolic '!=' x ']'
++ case "$1" in
++ shift
++ '[' x-o '!=' x ']'
++ case "$1" in
++ shift
++ '[' 

[openssl-users] Win 10 failure on install

[Jon Coons]

Hello,

I keep running into a Win 10 failure using nmake for SSL installation.
Here is the CLI info:

c:\openssl>nmake

Microsoft (R) Program Maintenance Utility Version 14.00.24210.0
Copyright (C) Microsoft Corporation.  All rights reserved.

"C:\Program Files (x86)\Microsoft Visual Studio
14.0\VC\BIN\nmake.exe" depend && "C:\Program Files (x86)\Microsoft Visual
Studio 14.0\VC\BIN\nmake.exe" _all

Microsoft (R) Program Maintenance Utility Version 14.00.24210.0
Copyright (C) Microsoft Corporation.  All rights reserved.


Microsoft (R) Program Maintenance Utility Version 14.00.24210.0
Copyright (C) Microsoft Corporation.  All rights reserved.

ias -d debug -ocrypto\aes\aes-ia64.obj "crypto\aes\aes-ia64.asm"
'ias' is not recognized as an internal or external command,
operable program or batch file.
NMAKE : fatal error U1077: 'ias' : return code '0x1'
Stop.
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio
14.0\VC\BIN\nmake.exe"' : return code '0x2'
Stop.

Has anyone run into this, and is there a workaround?

Thanks,

Jon
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] NMAKE error

[Ken Goldman]

On 5/1/2017 12:00 PM, Jordan Brown wrote:

On 5/1/2017 8:53 AM, James Condren wrote:


Thanks for the prompt response.  Just a little background:  I am
trying to install OpenSSL on a Windows PC so I can view a server cert.



It might be simpler to install cygwin and an already-built OpenSSL.


If installing prebuilt binaries is possible, this is far easier than cygwin:

http://slproweb.com/products/Win32OpenSSL.html


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] NMAKE error

[Jordan Brown]

On 5/1/2017 8:53 AM, James Condren wrote:
>
> Thanks for the prompt response.  Just a little background:  I am
> trying to install OpenSSL on a Windows PC so I can view a server cert.
>

It might be simpler to install cygwin and an already-built OpenSSL.

http://cygwin.com/
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] NMAKE error

[James Condren]

Thanks for the prompt response.  Just a little background:  I am trying to 
install OpenSSL on a Windows PC so I can view a server cert.

I have verified that the file exists and is part of the source.  I set SRCDIR 
in makefile to "C:\Workspaces\ Harmony\openssl1" (it was set to ".") and by 
doing so, it got me past the issues I originally logged but now I am getting 
"NMAKE : fatal error U1073: don't know how to make '""'".

Not sure where the makefile is erroring out.  I tried to add console output to 
the makefile but it is erroring on the @echo lines.


-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Richard Levitte
Sent: Monday, May 1, 2017 11:58 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] NMAKE error

Can you verify that crypto\include\internal\bn_conf.h.in exists?  It should, 
it's part of the source.  Can you check if there's a file with a similar name 
in crypto\include\internal?

Cheers,
Richard ( am wondering if there are tar implementations that screw up file name 
with more than one period... )


In message 

 on Mon, 1 May 2017 15:02:41 +, James Condren  said:

jcondren> Getting the following error when attempting to make:
jcondren> 
jcondren> NMAKE : fatal error U1073: don't know how to make 
jcondren> '"crypto\include\internal\bn_conf.h.in"'
jcondren> 
jcondren> Stop.
jcondren> 
jcondren> Here¢s the lines from the makefile that are creating the error:
jcondren> 
jcondren> crypto\include\internal\bn_conf.h:
jcondren> "crypto\include\internal\bn_conf.h.in" "configdata.pm"
jcondren> 
jcondren> "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util\dofile.pl" \
jcondren> 
jcondren> "-omakefile" "crypto\include\internal\bn_conf.h.in" > $@
jcondren> 
jcondren> If I remove '"crypto\include\internal\bn_conf.h.in"', it then 
jcondren> gives me the following error:
jcondren> 
jcondren> NMAKE : fatal error U1073: don't know how to make '".\Configure"'
jcondren> 
jcondren> Stop.
jcondren> 
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] NMAKE error

[Richard Levitte]

Can you verify that crypto\include\internal\bn_conf.h.in exists?  It
should, it's part of the source.  Can you check if there's a file with
a similar name in crypto\include\internal?

Cheers,
Richard ( am wondering if there are tar implementations that screw up
file name with more than one period... )


In message 

 on Mon, 1 May 2017 15:02:41 +, James Condren  said:

jcondren> Getting the following error when attempting to make:
jcondren> 
jcondren> NMAKE : fatal error U1073: don't know how to make
jcondren> '"crypto\include\internal\bn_conf.h.in"'
jcondren> 
jcondren> Stop.
jcondren> 
jcondren> Here’s the lines from the makefile that are creating the error:
jcondren> 
jcondren> crypto\include\internal\bn_conf.h:
jcondren> "crypto\include\internal\bn_conf.h.in" "configdata.pm"
jcondren> 
jcondren> "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util\dofile.pl" \
jcondren> 
jcondren> "-omakefile" "crypto\include\internal\bn_conf.h.in" > $@
jcondren> 
jcondren> If I remove '"crypto\include\internal\bn_conf.h.in"', it then gives me
jcondren> the following error:
jcondren> 
jcondren> NMAKE : fatal error U1073: don't know how to make '".\Configure"'
jcondren> 
jcondren> Stop.
jcondren> 
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] NMAKE error

[James Condren]

Thanks for the prompt response.  Just a little background:  I am trying to 
install OpenSSL on a Windows PC so I can view a server cert.

I downloaded the latest openssl version from github.

Here are the steps I performed so far:

  1.  Downloaded latest version of openssl from git to 
C:\Workspaces\Harmony\openssl1
  2.  Downloaded NASM
  3.  Added Test::More and Text::Template perl modules to Perl location
  4.  SET PATH=%PATH%;C:\Workspaces\Harmony\openssl1
  5.  Executed perl Configure VC-WIN64A (got makefile)
  6.  Set SRCDIR in makefile to "C:\Workspaces\ Harmony\openssl1"

Doing step #6 got me past the issues I originally logged but now I am getting 
"NMAKE : fatal error U1073: don't know how to make '""'".

Not sure where the makefile is erroring out.  I tried to add console output to 
the makefile but it is erroring on the @echo lines.


From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Benjamin Kaduk via openssl-users
Sent: Monday, May 1, 2017 11:38 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] NMAKE error

On 05/01/2017 10:02 AM, James Condren wrote:

Getting the following error when attempting to make:
NMAKE : fatal error U1073: don't know how to make 
'"crypto\include\internal\bn_conf.h.in"'
Stop.

Here's the lines from the makefile that are creating the error:
crypto\include\internal\bn_conf.h: "crypto\include\internal\bn_conf.h.in" 
"configdata.pm"
   "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util\dofile.pl" \
   "-omakefile" "crypto\include\internal\bn_conf.h.in" > $@


If I remove '"crypto\include\internal\bn_conf.h.in"', it then gives me the 
following error:
NMAKE : fatal error U1073: don't know how to make '".\Configure"'
Stop.



What version of openssl?  What steps did you take prior to running nmake?

-Ben
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] NMAKE error

[Benjamin Kaduk via openssl-users]

On 05/01/2017 10:02 AM, James Condren wrote:
>
> Getting the following error when attempting to make:
>
> NMAKE : fatal error U1073: don't know how to make
> '"crypto\include\internal\bn_conf.h.in"'
>
> Stop.
>
>  
>
> Here’s the lines from the makefile that are creating the error:
>
> crypto\include\internal\bn_conf.h:
> "crypto\include\internal\bn_conf.h.in" "configdata.pm"
>
>"$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util\dofile.pl" \
>
>"-omakefile" "crypto\include\internal\bn_conf.h.in"
> > $@
>
>  
>
>  
>
> If I remove '"crypto\include\internal\bn_conf.h.in"', it then gives me
> the following error:
>
> NMAKE : fatal error U1073: don't know how to make '".\Configure"'
>
> Stop.
>
>


What version of openssl?  What steps did you take prior to running nmake?

-Ben
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] NMAKE error

[James Condren]

Getting the following error when attempting to make:
NMAKE : fatal error U1073: don't know how to make 
'"crypto\include\internal\bn_conf.h.in"'
Stop.

Here's the lines from the makefile that are creating the error:
crypto\include\internal\bn_conf.h: "crypto\include\internal\bn_conf.h.in" 
"configdata.pm"
   "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util\dofile.pl" \
   "-omakefile" "crypto\include\internal\bn_conf.h.in" > $@


If I remove '"crypto\include\internal\bn_conf.h.in"', it then gives me the 
following error:
NMAKE : fatal error U1073: don't know how to make '".\Configure"'
Stop.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Documentation for Integrating New Cipher Creation Request

[Salz, Rich via openssl-users]

> While the process is still fresh in my head, I was wondering if the community
> would benefit in having some documentation on the process to follow and
> issues that may arise? Possibly add this into the OpenSSL wiki?

This would be a great idea.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users