Re: [openssl-users] Problem building Linux shared library with static FIPS capable OpenSSL
On Mon, May 01, 2017, Nathan Glasser wrote:

> Hello,
>
> We are using openssl-fips 2.0.14 with OpenSSL 1.0.2j.
>
> We have a shared library on both Linux and Windows which uses static OpenSSL
> libraries. We'd like it to use static FIPS-capable OpenSSL libraries.
>
> On Windows, everything is fine. On Linux, I have a problem. I am
> doing my tests on RedHat 6.0.
>
> I am able to make standalone executables just fine, but shared library (.so)
> building does not work. I am linking using the supplied fipsld script.
>
> The script gets error 139, which means a segmentation fault. Modifying
> the fipsld script to uncomment the "set -x" at the top shows me that
> the following is where the segmentation fault is occurring.
>
> # generate signature...
> SIG=`"${TARGET}"`
>
> It is attempting to run ${TARGET}, which is the .so file that has just been
> generated in the first link step. (It's not surprising to me that this results
> in a segmentation fault.) If I run the file which is left after the building
> aborts, I also get a segmentation fault.
>
> I can see that there is another case - when the filename matches
> lib*|*.dll, which it does not.
>
> If I try renaming the target to have "lib" at the start of the name,
> then when it runs this part
>
> # generate signature...
> SIG=`"${PREMAIN_DSO}" "${TARGET}"`
>
> it fails because there is no fips_premain_dso program. Nor can I find
> this anywhere in the openssl-fips or openssl packages. Should this have
> gotten built automatically in an earlier step?
>
> I created a simplified test which consists of the fips_hmac sample (included
> in the OpenSSL Fips 2.0 manual), with main renamed to something else.
>
> Can someone on this list please point me in the right direction for
> getting this to work? Thanks. Below are my makefile and build log.
>

Try a shared build of the FIPS capable OpenSSL. You should then get
fips_premain_dso built as part of that process.

Alternatively just do:

make fips_premain_dso

The fips_premain_dso executable isn't anything special: all it does is load
the library. It should then print out the signature which can then be
embedded for the second link step.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

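The name-based dispatch discussed in this thread, as an added example that is not part of the original posts or of the fipsld script itself: a pre-flight check to run before the link step. It mirrors only the behaviour quoted above (targets matching lib*|*.dll are fingerprinted through fips_premain_dso, any other target is executed directly); the function names and the helper-path argument are assumptions.

```sh
#!/bin/sh
# Added example: pre-flight check for a fipsld link step.
# Mirrors only what the thread quotes from fipsld: the basename of the
# target decides whether "${PREMAIN_DSO}" "${TARGET}" or "${TARGET}" alone
# is run to generate the signature.

# Print "dso" if the target would be loaded by fips_premain_dso,
# "exe" if fipsld would execute the target itself.
fipsld_sig_mode() {
    case "$(basename "$1")" in
        lib*|*.dll) echo dso ;;
        *)          echo exe ;;
    esac
}

# fipsld_preflight TARGET PREMAIN_DSO
# TARGET is the -o argument of the link; PREMAIN_DSO is where the caller
# expects the helper to be (hypothetical parameter, location not stated
# in the thread). Returns 0 if the signature step can work, 1 otherwise.
fipsld_preflight() {
    target=$1
    premain=$2
    mode=$(fipsld_sig_mode "$target")

    if [ "$mode" = exe ]; then
        case "$target" in
            *.so|*.so.*)
                # The case reported in the thread: a shared object that
                # does not match lib* is run directly and segfaults.
                echo "$target: shared object would be executed directly;" \
                     "name it lib* so fips_premain_dso loads it" >&2
                return 1 ;;
        esac
        return 0
    fi

    if [ ! -x "$premain" ]; then
        # The second failure in the thread: the helper was never built.
        echo "$premain: not found; build it with 'make fips_premain_dso'" \
             "or use a shared build of the FIPS capable OpenSSL" >&2
        return 1
    fi
    return 0
}
```
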
Re: [openssl-users] Documentation for Integrating New Cipher Creation Request
I think this is worthwhile too.

Just before I submitted the ARIA addition, I drafted such a document which you could use as a basis. The PR had some modifications made before being merged, so it isn't completely accurate.

I'll forward this directly.

Pauli
--
Oracle
Dr Paul Dale | Cryptographer | Network Security & Encryption
Phone +61 7 3031 7217
Oracle Australia

-Original Message-
From: Schmicker, Robert [mailto:rsc...@unh.newhaven.edu]
Sent: Monday, 1 May 2017 1:08 PM
To: openssl-users@openssl.org
Subject: [openssl-users] Documentation for Integrating New Cipher Creation Request

Hello,

Over the past several months through trial and error I have at last been able to integrate a new symmetric cipher into OpenSSL.

After following this email chain for these past months I’ve noticed that once in a blue moon other users would ask how to integrate a new cipher into both libcrypto and libssl.

While the process is still fresh in my head, I was wondering if the community would benefit in having some documentation on the process to follow and issues that may arise? Possibly add this into the OpenSSL wiki?

I would love for this to be my first contribution to an open source project and help others who may find themselves in similar situations in the future.

Please let me know your thoughts.

Best,
Rob Schmicker

[openssl-users] Problem building Linux shared library with static FIPS capable OpenSSL
Hello,

We are using openssl-fips 2.0.14 with OpenSSL 1.0.2j.

We have a shared library on both Linux and Windows which uses static OpenSSL libraries. We'd like it to use static FIPS-capable OpenSSL libraries.

On Windows, everything is fine. On Linux, I have a problem. I am doing my tests on RedHat 6.0.

I am able to make standalone executables just fine, but shared library (.so) building does not work. I am linking using the supplied fipsld script.

The script gets error 139, which means a segmentation fault. Modifying the fipsld script to uncomment the "set -x" at the top shows me that the following is where the segmentation fault is occurring.

# generate signature...
SIG=`"${TARGET}"`

It is attempting to run ${TARGET}, which is the .so file that has just been generated in the first link step. (It's not surprising to me that this results in a segmentation fault.) If I run the file which is left after the building aborts, I also get a segmentation fault.

I can see that there is another case - when the filename matches lib*|*.dll, which it does not.

If I try renaming the target to have "lib" at the start of the name, then when it runs this part

# generate signature...
SIG=`"${PREMAIN_DSO}" "${TARGET}"`

it fails because there is no fips_premain_dso program. Nor can I find this anywhere in the openssl-fips or openssl packages. Should this have gotten built automatically in an earlier step?

I created a simplified test which consists of the fips_hmac sample (included in the OpenSSL Fips 2.0 manual), with main renamed to something else.

Can someone on this list please point me in the right direction for getting this to work? Thanks. Below are my makefile and build log.

Here is the makefile I am using. The directory names included reflect my local environment, but they are all using the versions I stated.

CC = gcc
OPENSSLDIR = ../openssl/export_openssl/
FIPSDIR=export_fips/linux/4.4
LIBCRYPTO = $(OPENSSLDIR)/linux/4.4/libcrypto.a
INCLUDES = -I$(OPENSSLDIR)/include
CMD = fips_hmac
OBJS = $(CMD).o

$(CMD).so: $(OBJS)
	FIPSLD_CC=$(CC) $(FIPSDIR)/bin/fipsld -m32 -shared -Wl,-Bsymbolic -o $(CMD).so $(OBJS) $(LIBCRYPTO) -ldl

$(OBJS): $(CMD).c
	$(CC) -c $(CMD).c $(INCLUDES) -m32

clean:
	rm $(OBJS)

Here is the output from the build using the modified fipsld to include "set -x".

gcc -c fips_hmac.c -I../openssl/export_openssl//include -m32
FIPSLD_CC=gcc export_fips/linux/4.4/bin/fipsld -m32 -shared -Wl,-Bsymbolic -o fips_hmac.so fips_hmac.o ../openssl/export_openssl//linux/4.4/libcrypto.a -ldl
+ CC=gcc
+ '[' -n gcc ']'
+ '[' x-m32 '!=' x -a x-m32 '!=' x-c -a x-m32 '!=' x-E ']'
+ shift
+ '[' x-shared '!=' x -a x-shared '!=' x-c -a x-shared '!=' x-E ']'
+ shift
+ '[' x-Wl,-Bsymbolic '!=' x -a x-Wl,-Bsymbolic '!=' x-c -a x-Wl,-Bsymbolic '!=' x-E ']'
+ shift
+ '[' x-o '!=' x -a x-o '!=' x-c -a x-o '!=' x-E ']'
+ shift
+ '[' xfips_hmac.so '!=' x -a xfips_hmac.so '!=' x-c -a xfips_hmac.so '!=' x-E ']'
+ shift
+ '[' xfips_hmac.o '!=' x -a xfips_hmac.o '!=' x-c -a xfips_hmac.o '!=' x-E ']'
+ shift
+ '[' x../openssl/export_openssl//linux/4.4/libcrypto.a '!=' x -a x../openssl/export_openssl//linux/4.4/libcrypto.a '!=' x-c -a x../openssl/export_openssl//linux/4.4/libcrypto.a '!=' x-E ']'
+ shift
+ '[' x-ldl '!=' x -a x-ldl '!=' x-c -a x-ldl '!=' x-E ']'
+ shift
+ '[' x '!=' x -a x '!=' x-c -a x '!=' x-E ']'
+ '[' 0 -ge 1 ']'
++ '[' x-m32 '!=' x -a x-m32 '!=' x-o ']'
++ shift
++ '[' x-shared '!=' x -a x-shared '!=' x-o ']'
++ shift
++ '[' x-Wl,-Bsymbolic '!=' x -a x-Wl,-Bsymbolic '!=' x-o ']'
++ shift
++ '[' x-o '!=' x -a x-o '!=' x-o ']'
++ echo fips_hmac.so
+ TARGET=fips_hmac.so
+ case `basename "${TARGET}"` in
++ basename fips_hmac.so
+ case "$*" in
+ '[' -n fips_hmac.so ']'
+ '[' x-m32 '!=' x -a x-m32 '!=' x-DDEBUG_FINGERPRINT_PREMAIN ']'
+ shift
+ '[' x-shared '!=' x -a x-shared '!=' x-DDEBUG_FINGERPRINT_PREMAIN ']'
+ shift
+ '[' x-Wl,-Bsymbolic '!=' x -a x-Wl,-Bsymbolic '!=' x-DDEBUG_FINGERPRINT_PREMAIN ']'
+ shift
+ '[' x-o '!=' x -a x-o '!=' x-DDEBUG_FINGERPRINT_PREMAIN ']'
+ shift
+ '[' xfips_hmac.so '!=' x -a xfips_hmac.so '!=' x-DDEBUG_FINGERPRINT_PREMAIN ']'
+ shift
+ '[' xfips_hmac.o '!=' x -a xfips_hmac.o '!=' x-DDEBUG_FINGERPRINT_PREMAIN ']'
+ shift
+ '[' x../openssl/export_openssl//linux/4.4/libcrypto.a '!=' x -a x../openssl/export_openssl//linux/4.4/libcrypto.a '!=' x-DDEBUG_FINGERPRINT_PREMAIN ']'
+ shift
+ '[' x-ldl '!=' x -a x-ldl '!=' x-DDEBUG_FINGERPRINT_PREMAIN ']'
+ shift
+ '[' x '!=' x -a x '!=' x-DDEBUG_FINGERPRINT_PREMAIN ']'
+ '[' 0 -ge 1 ']'
++ echo export_fips/linux/4.4/bin/fipsld
++ sed -e 's|[^/]*$||'
+ THERE=export_fips/linux/4.4/bin/..
++ '[' x-m32 '!=' x ']'
++ case "$1" in
++ shift
++ '[' x-shared '!=' x ']'
++ case "$1" in
++ shift
++ '[' x-Wl,-Bsymbolic '!=' x ']'
++ case "$1" in
++ shift
++ '[' x-o '!=' x ']'
++ case "$1" in
++ shift
++ '['

[openssl-users] Win 10 failure on install
Hello,

I keep running into a Win 10 failure using nmake for SSL installation. Here is the CLI info:

c:\openssl>nmake
Microsoft (R) Program Maintenance Utility Version 14.00.24210.0
Copyright (C) Microsoft Corporation. All rights reserved.
"C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\BIN\nmake.exe" depend && "C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\BIN\nmake.exe" _all
Microsoft (R) Program Maintenance Utility Version 14.00.24210.0
Copyright (C) Microsoft Corporation. All rights reserved.
Microsoft (R) Program Maintenance Utility Version 14.00.24210.0
Copyright (C) Microsoft Corporation. All rights reserved.
ias -d debug -ocrypto\aes\aes-ia64.obj "crypto\aes\aes-ia64.asm"
'ias' is not recognized as an internal or external command,
operable program or batch file.
NMAKE : fatal error U1077: 'ias' : return code '0x1'
Stop.
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\BIN\nmake.exe"' : return code '0x2'
Stop.

Has anyone run into this, and is there a workaround?

Thanks,
Jon

Re: [openssl-users] NMAKE error
On 5/1/2017 12:00 PM, Jordan Brown wrote:

> On 5/1/2017 8:53 AM, James Condren wrote:
>
>> Thanks for the prompt response. Just a little background: I am
>> trying to install OpenSSL on a Windows PC so I can view a server cert.
>
> It might be simpler to install cygwin and an already-built OpenSSL.

If installing prebuilt binaries is possible, this is far easier than cygwin:

http://slproweb.com/products/Win32OpenSSL.html

Re: [openssl-users] NMAKE error
On 5/1/2017 8:53 AM, James Condren wrote:

>
> Thanks for the prompt response. Just a little background: I am
> trying to install OpenSSL on a Windows PC so I can view a server cert.
>

It might be simpler to install cygwin and an already-built OpenSSL.

http://cygwin.com/

Re: [openssl-users] NMAKE error
Thanks for the prompt response. Just a little background: I am trying to install OpenSSL on a Windows PC so I can view a server cert.

I have verified that the file exists and is part of the source.

I set SRCDIR in makefile to "C:\Workspaces\ Harmony\openssl1" (it was set to ".") and by doing so, it got me past the issues I originally logged but now I am getting "NMAKE : fatal error U1073: don't know how to make '""'". Not sure where the makefile is erroring out. I tried to add console output to the makefile but it is erroring on the @echo lines.

-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Richard Levitte
Sent: Monday, May 1, 2017 11:58 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] NMAKE error

Can you verify that crypto\include\internal\bn_conf.h.in exists? It should, it's part of the source. Can you check if there's a file with a similar name in crypto\include\internal?

Cheers,
Richard ( am wondering if there are tar implementations that screw up file name with more than one period... )

In message on Mon, 1 May 2017 15:02:41 +, James Condren said:

jcondren> Getting the following error when attempting to make:
jcondren>
jcondren> NMAKE : fatal error U1073: don't know how to make
jcondren> '"crypto\include\internal\bn_conf.h.in"'
jcondren>
jcondren> Stop.
jcondren>
jcondren> Here's the lines from the makefile that are creating the error:
jcondren>
jcondren> crypto\include\internal\bn_conf.h:
jcondren> "crypto\include\internal\bn_conf.h.in" "configdata.pm"
jcondren>
jcondren> "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util\dofile.pl" \
jcondren>
jcondren> "-omakefile" "crypto\include\internal\bn_conf.h.in" > $@
jcondren>
jcondren> If I remove '"crypto\include\internal\bn_conf.h.in"', it then
jcondren> gives me the following error:
jcondren>
jcondren> NMAKE : fatal error U1073: don't know how to make '".\Configure"'
jcondren>
jcondren> Stop.
jcondren>

Re: [openssl-users] NMAKE error
Can you verify that crypto\include\internal\bn_conf.h.in exists? It should, it's part of the source. Can you check if there's a file with a similar name in crypto\include\internal?

Cheers,
Richard ( am wondering if there are tar implementations that screw up file name with more than one period... )

In message on Mon, 1 May 2017 15:02:41 +, James Condren said:

jcondren> Getting the following error when attempting to make:
jcondren>
jcondren> NMAKE : fatal error U1073: don't know how to make
jcondren> '"crypto\include\internal\bn_conf.h.in"'
jcondren>
jcondren> Stop.
jcondren>
jcondren> Here’s the lines from the makefile that are creating the error:
jcondren>
jcondren> crypto\include\internal\bn_conf.h:
jcondren> "crypto\include\internal\bn_conf.h.in" "configdata.pm"
jcondren>
jcondren> "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util\dofile.pl" \
jcondren>
jcondren> "-omakefile" "crypto\include\internal\bn_conf.h.in" > $@
jcondren>
jcondren> If I remove '"crypto\include\internal\bn_conf.h.in"', it then gives me
jcondren> the following error:
jcondren>
jcondren> NMAKE : fatal error U1073: don't know how to make '".\Configure"'
jcondren>
jcondren> Stop.
jcondren>

Re: [openssl-users] NMAKE error
Thanks for the prompt response. Just a little background: I am trying to install OpenSSL on a Windows PC so I can view a server cert.

I downloaded the latest openssl version from github. Here are the steps I performed so far:

1. Downloaded latest version of openssl from git to C:\Workspaces\Harmony\openssl1
2. Downloaded NASM
3. Added Test::More and Text::Template perl modules to Perl location
4. SET PATH=%PATH%;C:\Workspaces\Harmony\openssl1
5. Executed perl Configure VC-WIN64A (got makefile)
6. Set SRCDIR in makefile to "C:\Workspaces\ Harmony\openssl1"

Doing step #6 got me past the issues I originally logged but now I am getting "NMAKE : fatal error U1073: don't know how to make '""'". Not sure where the makefile is erroring out. I tried to add console output to the makefile but it is erroring on the @echo lines.

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Benjamin Kaduk via openssl-users
Sent: Monday, May 1, 2017 11:38 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] NMAKE error

On 05/01/2017 10:02 AM, James Condren wrote:

> Getting the following error when attempting to make:
>
> NMAKE : fatal error U1073: don't know how to make '"crypto\include\internal\bn_conf.h.in"'
>
> Stop.
>
> Here's the lines from the makefile that are creating the error:
>
> crypto\include\internal\bn_conf.h: "crypto\include\internal\bn_conf.h.in" "configdata.pm"
>
> "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util\dofile.pl" \
>
> "-omakefile" "crypto\include\internal\bn_conf.h.in" > $@
>
> If I remove '"crypto\include\internal\bn_conf.h.in"', it then gives me the following error:
>
> NMAKE : fatal error U1073: don't know how to make '".\Configure"'
>
> Stop.

What version of openssl?
What steps did you take prior to running nmake?

-Ben

Re: [openssl-users] NMAKE error
On 05/01/2017 10:02 AM, James Condren wrote:

>
> Getting the following error when attempting to make:
>
> NMAKE : fatal error U1073: don't know how to make
> '"crypto\include\internal\bn_conf.h.in"'
>
> Stop.
>
> Here’s the lines from the makefile that are creating the error:
>
> crypto\include\internal\bn_conf.h:
> "crypto\include\internal\bn_conf.h.in" "configdata.pm"
>
> "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util\dofile.pl" \
>
> "-omakefile" "crypto\include\internal\bn_conf.h.in" > $@
>
> If I remove '"crypto\include\internal\bn_conf.h.in"', it then gives me
> the following error:
>
> NMAKE : fatal error U1073: don't know how to make '".\Configure"'
>
> Stop.
>

What version of openssl?
What steps did you take prior to running nmake?

-Ben

[openssl-users] NMAKE error
Getting the following error when attempting to make:

NMAKE : fatal error U1073: don't know how to make '"crypto\include\internal\bn_conf.h.in"'

Stop.

Here's the lines from the makefile that are creating the error:

crypto\include\internal\bn_conf.h: "crypto\include\internal\bn_conf.h.in" "configdata.pm"
	"$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util\dofile.pl" \
	"-omakefile" "crypto\include\internal\bn_conf.h.in" > $@

If I remove '"crypto\include\internal\bn_conf.h.in"', it then gives me the following error:

NMAKE : fatal error U1073: don't know how to make '".\Configure"'

Stop.

Re: [openssl-users] Documentation for Integrating New Cipher Creation Request
> While the process is still fresh in my head, I was wondering if the community
> would benefit in having some documentation on the process to follow and
> issues that may arise? Possibly add this into the OpenSSL wiki?

This would be a great idea.