Re: Build Error on 1.0.1 with FIPS

2012-01-20 Thread Breakthrough

So let me ask for some additional guidance here...

If we wanted to use the latest and greatest FIPS 1.2 validated based on a
0.9.8 OpenSSL baseline, which combination of versions should we use?

If we wanted to use the latest and greatest FIPS 2.0 non-validated based
test version (but we need it to be able to go into FIPS mode through the
calls, even if not certified), and based on a 1.0.0 or 1.0.1 OpenSSL
baseline, which combination of versions should we use?

In essence, which downloads for FIPS and OpenSSL should we retrieve from
source to ensure success on Ubuntu 10.10 using binutils 2.20.51?

Thanks!


Dr. Stephen Henson wrote:
 
 On Thu, Jan 19, 2012, Breakthrough wrote:
 
 
 We start with openssl-SNAP-20120118, and follow the directions.
 
 ./config fipscanisteronly
 make
 
 
 Don't use that, use one of the *fips* snapshots instead.
 
 Steve.
 --
 Dr Stephen N. Henson. OpenSSL project core developer.
 Commercial tech support now available see: http://www.openssl.org
 __
 OpenSSL Project http://www.openssl.org
 Development Mailing List   openssl-dev@openssl.org
 Automated List Manager   majord...@openssl.org
 
 

-- 
View this message in context: 
http://old.nabble.com/Build-Error-on-1.0.1-with-FIPS-tp31948446p33171026.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.


Re: Build Error on 1.0.1 with FIPS

2012-01-20 Thread Breakthrough

Thanks.  That seemed to resolve the issue.



Dr. Stephen Henson wrote:
 
 On Thu, Jan 19, 2012, Breakthrough wrote:
 
 
 We start with openssl-SNAP-20120118, and follow the directions.
 
 ./config fipscanisteronly
 make
 
 
 Don't use that, use one of the *fips* snapshots instead.
 
 Steve.
 --
 Dr Stephen N. Henson. OpenSSL project core developer.
 Commercial tech support now available see: http://www.openssl.org
 
 

-- 
View this message in context: 
http://old.nabble.com/Build-Error-on-1.0.1-with-FIPS-tp31948446p33171628.html


Re: Build Error on 1.0.1 with FIPS

2012-01-19 Thread Breakthrough

Steve,

I'm having similar issues.  This is all being done on Ubuntu 10.10.

At first, I tried to get our FIPS 1.2 version to compile, so we could remain
consistent with our 0.9.8 OpenSSL that we use in Windows, but we're getting
all of the 32-bit unsigned error junk from binutils.

So we decided to attempt to get FIPS 2.0 Test with the latest OpenSSL 1.0.1
Snapshot to work instead.

We get the FIPS 2.0 to compile and install, and it puts the fipscanister
under our /usr/local/ssl/fips-2.0 location; however, when we attempt to make
the OpenSSL 1.0.1 snapshot work with the built FIPS, we get a problem.

Essentially we're doing:

./config fips
(it tells us to do the make depends, which we've tried, and we've ignored,
it doesn't seem to matter)
make

We get compilation errors because the libcrypto library is conflicting
with the fipscanister object in the following areas.


../libcrypto.a(aes-x86_64.o): In function `asm_AES_encrypt':
(.text+0x460): multiple definition of `asm_AES_encrypt'
/usr/local/ssl/fips-2.0/lib//fipscanister.o:(.text+0x33fa0): first defined
here
../libcrypto.a(aes-x86_64.o): In function `asm_AES_decrypt':
(.text+0x9f0): multiple definition of `asm_AES_decrypt'
/usr/local/ssl/fips-2.0/lib//fipscanister.o:(.text+0x34530): first defined
here
../libcrypto.a(aes-x86_64.o): In function `asm_AES_cbc_encrypt':
(.text+0xfa0): multiple definition of `asm_AES_cbc_encrypt'
/usr/local/ssl/fips-2.0/lib//fipscanister.o:(.text+0x34ad0): first defined
here



We're unsure how to overcome this, having tried various --with-fipslibdir
scenarios to no avail.

We'd like two answers to this...

1. Is there a way to get FIPS 1.2 to compile against 0.9.8 on Ubuntu with
binutils 2.20.51?  If so, which patch will work.  We can't seem to find one
that can correctly modify the constants in the md5 and sha1 assembly code to
make this compile for the fips canister.

2. What are we doing wrong with the FIPS 2.0 test above?




Dr. Stephen Henson wrote:
 
 On Tue, Jun 28, 2011, Tyrel Haveman wrote:
 
 All,
 
 I'm having a problem when building OpenSSL 1.0.1 along with fips-2.0.
 My layout is like this:
 /home/tyrel/openssl-test/openssl   -- contains the 1.0.1 branch from CVS
 /home/tyrel/openssl-test/fips   -- contains the extracted fips-2.0
 snapshot tarball
 
 My build steps are (from the openssl-test dir):
 
 cd fips
 ./config no-asm no-hw --prefix=/home/tyrel/openssl-test/dep
 make
 make install
 cd ..
 
 cd openssl
 export FIPSDIR=/home/tyrel/openssl-test/dep
 export FIPSLIBDIR=/home/tyrel/openssl-test/dep/lib
 ./config fips no-asm no-hw --prefix=/home/tyrel/openssl-test/dep
 make depend
 make
 make install
 
 The config script indicated that I should run make depend because
 you've disabled or enabled at least one algorithm. But make depend
 is the step that is failing. Log is below.
 
 It's worth noting that even though make depend fails, I can run make
 just fine. Is make depend even necessary, then, in this case?
 
 
 You don't need to run make depend. Also the steps you use above should
 be changed.
 
 Set FIPSDIR only and no other environment variables before you even
 build the test 2.0 module. You can only do:
 
 ./config
 make
 make install
 
 for the FIPS test 2.0 module build. No other options are permitted. In the
 past no-asm was permitted but this time no one has (so far) sponsored the
 C only build.
 
 For the FIPS capable build you can include additional options but 
 don't set --prefix in the FIPS capable build to the same directory as
 FIPSDIR. The test 2.0 module and the FIPS capable OpenSSL should go in
 different places.
 
 You can skip make depend.
 
 Steve.
 --
 Dr Stephen N. Henson. OpenSSL project core developer.
 Commercial tech support now available see: http://www.openssl.org
 
 

-- 
View this message in context: 
http://old.nabble.com/Build-Error-on-1.0.1-with-FIPS-tp31948446p33164693.html


Re: Build Error on 1.0.1 with FIPS

2012-01-19 Thread Dr. Stephen Henson
On Wed, Jan 18, 2012, Breakthrough wrote:

 
 Steve,
 
 I'm having similar issues.  This is all being done on Ubuntu 10.10.
 
 At first, I tried to get our FIPS 1.2 version to compile, so we could remain
 consistent with our 0.9.8 OpenSSL that we use in Windows, but we're getting
 all of the 32-bit unsigned error junk from binutils.
 
 So we decided to attempt to get FIPS 2.0 Test with the latest OpenSSL 1.0.1
 Snapshot to work instead.
 
 We get the FIPS 2.0 to compile and install, and it puts the fipscanister
 under our /usr/local/ssl/fips-2.0 location; however, when we attempt to make
 the OpenSSL 1.0.1 snapshot work with the built FIPS, we get a problem.
 
 Essentially we're doing:
 
 ./config fips
 (it tells us to do the make depends, which we've tried, and we've ignored,
 it doesn't seem to matter)
 make
 
 We get compilation errors because the libcrypto library is conflicting
 with the fipscanister object in the following areas.
 
 
 ../libcrypto.a(aes-x86_64.o): In function `asm_AES_encrypt':
 (.text+0x460): multiple definition of `asm_AES_encrypt'
 /usr/local/ssl/fips-2.0/lib//fipscanister.o:(.text+0x33fa0): first defined
 here
 ../libcrypto.a(aes-x86_64.o): In function `asm_AES_decrypt':
 (.text+0x9f0): multiple definition of `asm_AES_decrypt'
 /usr/local/ssl/fips-2.0/lib//fipscanister.o:(.text+0x34530): first defined
 here
 ../libcrypto.a(aes-x86_64.o): In function `asm_AES_cbc_encrypt':
 (.text+0xfa0): multiple definition of `asm_AES_cbc_encrypt'
 /usr/local/ssl/fips-2.0/lib//fipscanister.o:(.text+0x34ad0): first defined
 here
 

Can you give details of how you compiled and installed the test 2.0 module,
i.e. the commands you used?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: Build Error on 1.0.1 with FIPS

2012-01-19 Thread Dr. Stephen Henson
On Thu, Jan 19, 2012, Dr. Stephen Henson wrote:

 On Wed, Jan 18, 2012, Breakthrough wrote:
 
  
  Steve,
  
  I'm having similar issues.  This is all being done on Ubuntu 10.10.
  
  At first, I tried to get our FIPS 1.2 version to compile, so we could remain
  consistent with our 0.9.8 OpenSSL that we use in Windows, but we're getting
  all of the 32-bit unsigned error junk from binutils.
  
  So we decided to attempt to get FIPS 2.0 Test with the latest OpenSSL 1.0.1
  Snapshot to work instead.
  
  We get the FIPS 2.0 to compile and install, and it puts the fipscanister
  under our /usr/local/ssl/fips-2.0 location; however, when we attempt to make
  the OpenSSL 1.0.1 snapshot work with the built FIPS, we get a problem.
  
  Essentially we're doing:
  
  ./config fips
  (it tells us to do the make depends, which we've tried, and we've ignored,
  it doesn't seem to matter)
  make
  
  We get compilation errors because the libcrypto library is conflicting
  with the fipscanister object in the following areas.
  
  
  ../libcrypto.a(aes-x86_64.o): In function `asm_AES_encrypt':
  (.text+0x460): multiple definition of `asm_AES_encrypt'
  /usr/local/ssl/fips-2.0/lib//fipscanister.o:(.text+0x33fa0): first defined
  here
  ../libcrypto.a(aes-x86_64.o): In function `asm_AES_decrypt':
  (.text+0x9f0): multiple definition of `asm_AES_decrypt'
  /usr/local/ssl/fips-2.0/lib//fipscanister.o:(.text+0x34530): first defined
  here
  ../libcrypto.a(aes-x86_64.o): In function `asm_AES_cbc_encrypt':
  (.text+0xfa0): multiple definition of `asm_AES_cbc_encrypt'
  /usr/local/ssl/fips-2.0/lib//fipscanister.o:(.text+0x34ad0): first defined
  here
  
 
 Can you give details of how you compiled and installed the test 2.0 module,
 i.e. the commands you used?
 

Looking at this a little further... those symbols don't exist in the 2.0
module. That would happen if you used HEAD instead of the fips-2.0 snapshots
to build fipscanister.o

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
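
An added example (not part of the thread, and not OpenSSL project code) that turns the two pieces of advice in this thread into pre-flight checks: colliding_symbols lists the symbols that ld reports as already defined in fipscanister.o, which per the reply above points to a canister built from the wrong source tree, and check_fips_layout applies the FIPSDIR rules from the June 2011 reply. All function names are hypothetical; the sample linker output is copied from the messages in this thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# colliding_symbols: read GNU ld output on stdin and print, once each, the
# symbols reported as "multiple definition" whose first definition is in
# fipscanister.o. The "first defined here" text may wrap onto a second
# line, so the location line is recognised by the fipscanister.o path alone.
colliding_symbols() {
    awk -v q="'" '
        {
            key = "multiple definition of "
            p = index($0, key)
        }
        p > 0 {
            rest = substr($0, p + length(key) + 1)   # skip opening quote
            e = index(rest, q)                       # closing quote
            pending = (e > 1) ? substr(rest, 1, e - 1) : ""
            next
        }
        pending != "" && index($0, "fipscanister.o") > 0 {
            if (!(pending in seen)) { seen[pending] = 1; print pending }
        }
        { pending = "" }
    '
}

# norm_dir: collapse repeated slashes and strip a trailing one so that
# /usr/local/ssl/ and /usr/local//ssl compare equal. Purely textual.
norm_dir() {
    printf '%s\n' "$1" | sed -e 's#//*#/#g' -e 's#\(.\)/$#\1#'
}

# check_fips_layout FIPSDIR PREFIX: FIPSDIR must be set, the FIPS capable
# build must not use it as --prefix, and FIPSLIBDIR must not be set.
# Prints one line per problem; returns 0 only if none were found.
check_fips_layout() {
    fipsdir=$(norm_dir "$1")
    prefix=$(norm_dir "$2")
    rc=0
    if [ -z "$fipsdir" ]; then
        echo "FIPSDIR is not set"; rc=1
    elif [ "$fipsdir" = "$prefix" ]; then
        echo "--prefix and FIPSDIR are the same directory: $fipsdir"; rc=1
    fi
    if [ -n "${FIPSLIBDIR:-}" ]; then
        echo "FIPSLIBDIR is set; only FIPSDIR should be set"; rc=1
    fi
    return $rc
}

# Linker output as quoted in this thread.
sample_ld_output() {
    cat <<'EOF'
../libcrypto.a(aes-x86_64.o): In function `asm_AES_encrypt':
(.text+0x460): multiple definition of `asm_AES_encrypt'
/usr/local/ssl/fips-2.0/lib//fipscanister.o:(.text+0x33fa0): first defined
here
../libcrypto.a(aes-x86_64.o): In function `asm_AES_decrypt':
(.text+0x9f0): multiple definition of `asm_AES_decrypt'
/usr/local/ssl/fips-2.0/lib//fipscanister.o:(.text+0x34530): first defined
here
../libcrypto.a(aes-x86_64.o): In function `asm_AES_cbc_encrypt':
(.text+0xfa0): multiple definition of `asm_AES_cbc_encrypt'
/usr/local/ssl/fips-2.0/lib//fipscanister.o:(.text+0x34ad0): first defined
here
collect2: ld returned 1 exit status
EOF
}

# Demo: list the collisions, then show a layout that breaks the prefix rule.
sample_ld_output | colliding_symbols
check_fips_layout /usr/local/ssl/fips-2.0 /usr/local/ssl/fips-2.0/ || true
```

In a real build, pipe the output of make (with stderr redirected to stdout) into colliding_symbols; any symbol it prints means the canister and libcrypto.a both define it.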


Re: Build Error on 1.0.1 with FIPS

2012-01-19 Thread Breakthrough

We start with openssl-SNAP-20120118, and follow the directions.

./config fipscanisteronly
make

We then create a restricted tarball.

make -f Makefile.fips dist

We take that tar file and extract it to openssl-fips-2.0-test

Then we do the following:

./config
make
sudo make install

This seems to work and it places the fipscanister.o under
/usr/local/ssl/fips-2.0/lib

Then per the guidance provided, we get openssl-1.0.1-stable-SNAP-20120118
and do the following:

./config fips
(it says on the screen that we should do make depend, but we do not, per
earlier email instructions)
make

We get the following errors:

../libcrypto.a(aes-x86_64.o): In function `asm_AES_encrypt':
(.text+0x460): multiple definition of `asm_AES_encrypt'
/usr/local/ssl/fips-2.0/lib//fipscanister.o:(.text+0x33fa0): first defined
here
../libcrypto.a(aes-x86_64.o): In function `asm_AES_decrypt':
(.text+0x9f0): multiple definition of `asm_AES_decrypt'
/usr/local/ssl/fips-2.0/lib//fipscanister.o:(.text+0x34530): first defined
here
../libcrypto.a(aes-x86_64.o): In function `asm_AES_cbc_encrypt':
(.text+0xfa0): multiple definition of `asm_AES_cbc_encrypt'
/usr/local/ssl/fips-2.0/lib//fipscanister.o:(.text+0x34ad0): first defined
here
collect2: ld returned 1 exit status


That's as far as we get.







Dr. Stephen Henson wrote:
 
 On Wed, Jan 18, 2012, Breakthrough wrote:
 
 
 Steve,
 
 I'm having similar issues.  This is all being done on Ubuntu 10.10.
 
 At first, I tried to get our FIPS 1.2 version to compile, so we could
 remain
 consistent with our 0.9.8 OpenSSL that we use in Windows, but we're
 getting
 all of the 32-bit unsigned error junk from binutils.
 
 So we decided to attempt to get FIPS 2.0 Test with the latest OpenSSL
 1.0.1
 Snapshot to work instead.
 
 We get the FIPS 2.0 to compile and install, and it puts the fipscanister
 under our /usr/local/ssl/fips-2.0 location; however, when we attempt to
 make
 the OpenSSL 1.0.1 snapshot work with the built FIPS, we get a problem.
 
 Essentially we're doing:
 
 ./config fips
 (it tells us to do the make depends, which we've tried, and we've
 ignored,
 it doesn't seem to matter)
 make
 
 We get compilation errors because the libcrypto library is
 conflicting
 with the fipscanister object in the following areas.
 
 
 ../libcrypto.a(aes-x86_64.o): In function `asm_AES_encrypt':
 (.text+0x460): multiple definition of `asm_AES_encrypt'
 /usr/local/ssl/fips-2.0/lib//fipscanister.o:(.text+0x33fa0): first
 defined
 here
 ../libcrypto.a(aes-x86_64.o): In function `asm_AES_decrypt':
 (.text+0x9f0): multiple definition of `asm_AES_decrypt'
 /usr/local/ssl/fips-2.0/lib//fipscanister.o:(.text+0x34530): first
 defined
 here
 ../libcrypto.a(aes-x86_64.o): In function `asm_AES_cbc_encrypt':
 (.text+0xfa0): multiple definition of `asm_AES_cbc_encrypt'
 /usr/local/ssl/fips-2.0/lib//fipscanister.o:(.text+0x34ad0): first
 defined
 here
 
 
 Can you give details of how you compiled and installed the test 2.0
 module,
 i.e. the commands you used?
 
 Steve.
 --
 Dr Stephen N. Henson. OpenSSL project core developer.
 Commercial tech support now available see: http://www.openssl.org
 
 

-- 
View this message in context: 
http://old.nabble.com/Build-Error-on-1.0.1-with-FIPS-tp31948446p33168400.html


Re: Build Error on 1.0.1 with FIPS

2012-01-19 Thread Dr. Stephen Henson
On Thu, Jan 19, 2012, Breakthrough wrote:

 
 We start with openssl-SNAP-20120118, and follow the directions.
 
 ./config fipscanisteronly
 make
 

Don't use that, use one of the *fips* snapshots instead.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: Build Error on 1.0.1 with FIPS

2011-07-25 Thread Tyrel Haveman
A recent code change on the 1.0.1 branch seems to have introduced a build
error on x86-64 with Windows. Here's what we're seeing:

cl /Fotmp32dll\fips_premain_dso.obj -DFINGERPRINT_PREMAIN_DSO_LOAD
-Iinc32 -Itmp32dll /MD /Ox -DOPENSSL_THREADS  -DDSO_WIN32 -W3 -Gs0 -Gy
-nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE
-D_UNICODE -D_CRT_SECURE_NO_DEPRECATE -DOPENSSL_IA32_SSE2
-DOPENSSL_BN_ASM_MONT -I..\dep/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
-DMD5_ASM -DAES_ASM -DWHIRLPOOL_ASM -DOPENSSL_USE_APPLINK -I.
-DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPENSSL_NO_KRB5 -DOPENSSL_NO_HW
-DOPENSSL_FIPS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_STATIC_ENGINE /Zi
/Fdtmp32dll/lib -D_WINDLL  -c ..\dep\lib\fips_premain.c

fips_premain.c

link /nologo /subsystem:console /opt:ref /debug
/out:out32dll\fips_premain_dso.exe
@C:\Users\TyrelHa\AppData\Local\Temp\nmDD6D.tmp

   Creating library out32dll\fips_premain_dso.lib and object
out32dll\fips_premain_dso.exp

eng_rsax.obj : error LNK2019: unresolved external symbol mod_exp_512
referenced in function e_rsax_bn_mod_exp

out32dll\fips_premain_dso.exe : fatal error LNK1120: 1 unresolved externals

NMAKE : fatal error U1077: 'c:\Program Files (x86)\Microsoft Visual Studio
10.0

\VC\BIN\x86_amd64\link.EXE' : return code '0x460'

We're continuing to try to learn the build system of OpenSSL so that we can
solve these sorts of problems ourselves and just send you patches, but in
the meantime I hope that one of you can take a look at this. It started
happening, I believe, when this file was added:
crypto/bn/asm/modexp512-x86_86.pl

Thanks,
Tyrel

On Mon, Jul 11, 2011 at 4:12 PM, Dr. Stephen Henson st...@openssl.org wrote:

 On Mon, Jul 11, 2011, Tyrel Haveman wrote:

  Hello again,
 
  We've noticed now that while we are able to build the FIPS module for
 64-bit
  Windows, we cannot for 32-bit Windows. Following these steps:
 
  set FIPSDIR=..\out
  perl Configure VC-WIN32
  ms\do_ms
  nmake -f ms\ntdll.mak
 
  We get this error:
  link /nologo /subsystem:console /opt:ref /debug
  /out:out32dll\fips_standalone_sha1.exe
  @C:\Users\TyrelHa\AppData\Local\Temp\nmC2ED.tmp
  sha1dgst.obj : error LNK2019: unresolved external symbol
  _fips_sha1_block_data_order referenced in function _fips_sha1_update
  out32dll\fips_standalone_sha1.exe : fatal error LNK1120: 1 unresolved
  externals
  NMAKE : fatal error U1077: 'C:\Program Files (x86)\Microsoft Visual
 Studio
  10.0\VC\BIN\link.EXE' : return code '0x460'
  Stop.
 
  I know we should be using do_fips.bat, but it won't let me do a 32-bit
 build
  on a 64-bit platform, so we're using these steps instead.
 

 The target platform is determined from the environment. Try this before
 calling do_fips:

 set PROCESSOR_ARCHITECTURE=x86

 Steve.
 --
 Dr Stephen N. Henson. OpenSSL project core developer.
 Commercial tech support now available see: http://www.openssl.org



Re: Build Error on 1.0.1 with FIPS

2011-07-11 Thread Tyrel Haveman
Hello again,

We've noticed now that while we are able to build the FIPS module for 64-bit
Windows, we cannot for 32-bit Windows. Following these steps:

set FIPSDIR=..\out
perl Configure VC-WIN32
ms\do_ms
nmake -f ms\ntdll.mak

We get this error:
link /nologo /subsystem:console /opt:ref /debug
/out:out32dll\fips_standalone_sha1.exe
@C:\Users\TyrelHa\AppData\Local\Temp\nmC2ED.tmp
sha1dgst.obj : error LNK2019: unresolved external symbol
_fips_sha1_block_data_order referenced in function _fips_sha1_update
out32dll\fips_standalone_sha1.exe : fatal error LNK1120: 1 unresolved
externals
NMAKE : fatal error U1077: 'C:\Program Files (x86)\Microsoft Visual Studio
10.0\VC\BIN\link.EXE' : return code '0x460'
Stop.

I know we should be using do_fips.bat, but it won't let me do a 32-bit build
on a 64-bit platform, so we're using these steps instead.

Any thoughts?

Thanks,
Tyrel

On Thu, Jun 30, 2011 at 4:07 PM, Tyrel Haveman ty...@binarypeople.net wrote:

 Ah, okay. We tried that out and the FIPS module does build great
 afterwards. But then, later, the 1.0.1 fips-capable build fails to
 build with this reasoning:

nasm -f win64 -DNEAR -Ox -g -o tmp32dll\rc4-x86_64.obj
 tmp32dll\rc4-x86_
 64.asm
 tmp32dll\rc4-x86_64.asm:755: error: symbol `L$SEH_begin_RC4_set_key'
 undefined
 tmp32dll\rc4-x86_64.asm:756: error: symbol `L$SEH_end_RC4_set_key'
 undefined
 NMAKE : fatal error U1077: 'C:\devel\crypto\tools\nasm.EXE' : return code
 '0x1'
 Stop.

 On Thu, Jun 30, 2011 at 2:28 PM, Dr. Stephen Henson st...@openssl.org
 wrote:
  On Thu, Jun 30, 2011, Tyrel Haveman wrote:
 
  Thanks Steve, but now it's running into this instead:
   Assembling: tmp32dll\x86_64cpuid.asm
  tmp32dll\x86_64cpuid.asm(9) : error A2008:syntax error : SEGMENT
  tmp32dll\x86_64cpuid.asm(12) : error A2008:syntax error : ENDS
  NMAKE : fatal error U1077: 'C:\Program Files (x86)\Microsoft Visual
  Studio 10.0\VC\BIN\x86_amd64\ml64.EXE' : return code '0x1'
  Stop.
 
  The code at those lines looks like this:
  .data SEGMENT
  COMM  fips_openssl_ia32cap_p:DWORD:2
 
  .data ENDS
 
  I don't know MASM syntax so I'm not sure how to correct this.
 
 
  You have to use NASM for the build and the build process is simply:
 
  ms\do_fips
 
  Steve.
  --
  Dr Stephen N. Henson. OpenSSL project core developer.
  Commercial tech support now available see: http://www.openssl.org
 



Re: Build Error on 1.0.1 with FIPS

2011-07-11 Thread Dr. Stephen Henson
On Mon, Jul 11, 2011, Tyrel Haveman wrote:

 Hello again,
 
 We've noticed now that while we are able to build the FIPS module for 64-bit
 Windows, we cannot for 32-bit Windows. Following these steps:
 
 set FIPSDIR=..\out
 perl Configure VC-WIN32
 ms\do_ms
 nmake -f ms\ntdll.mak
 
 We get this error:
 link /nologo /subsystem:console /opt:ref /debug
 /out:out32dll\fips_standalone_sha1.exe
 @C:\Users\TyrelHa\AppData\Local\Temp\nmC2ED.tmp
 sha1dgst.obj : error LNK2019: unresolved external symbol
 _fips_sha1_block_data_order referenced in function _fips_sha1_update
 out32dll\fips_standalone_sha1.exe : fatal error LNK1120: 1 unresolved
 externals
 NMAKE : fatal error U1077: 'C:\Program Files (x86)\Microsoft Visual Studio
 10.0\VC\BIN\link.EXE' : return code '0x460'
 Stop.
 
 I know we should be using do_fips.bat, but it won't let me do a 32-bit build
 on a 64-bit platform, so we're using these steps instead.
 

The target platform is determined from the environment. Try this before
calling do_fips:

set PROCESSOR_ARCHITECTURE=x86

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: Build Error on 1.0.1 with FIPS

2011-06-30 Thread Tyrel Haveman
We just noticed that building the fips module on Linux works fine with
no-asm, but on a 64-bit Windows build, it doesn't work without no-asm.
Here's the error:

link /nologo /subsystem:console /opt:ref /debug
/out:out32dll\fips_standalone_sha1.exe
@C:\Users\TyrelHa\AppData\Local\Temp\nmAD0D.tmp
sha1dgst.obj : error LNK2019: unresolved external symbol
fips_sha1_block_data_order referenced in function fips_sha1_update
sha1-x86_64.obj : error LNK2019: unresolved external symbol
OPENSSL_ia32cap_P referenced in function sha1_block_data_order
out32dll\fips_standalone_sha1.exe : fatal error LNK1120: 2 unresolved externals
NMAKE : fatal error U1077: 'C:\Program Files (x86)\Microsoft Visual Studio 10.0
\VC\BIN\x86_amd64\link.EXE' : return code '0x460'
Stop.

I don't know enough about the openssl build yet to be able to resolve
this one myself. It works fine if no-asm is specified to Configure.
Can someone take a look?

Thanks!
Tyrel

On Wed, Jun 29, 2011 at 2:14 PM, Steve Marquess
marqu...@opensslfoundation.com wrote:
 On 06/29/2011 04:46 PM, Dr. Stephen Henson wrote:
 On Wed, Jun 29, 2011, Tyrel Haveman wrote:

 Thanks Steve. This helps a lot. One more related question: Why are the
 FIPS test vectors different for different platforms? It seems like
 Windows and Linux, for example, should both be able to encrypt the
 same things and produce the same outputs.

 They are interchangeable, it's just that those are the test vectors produced by
 that particular platform during testing.

 The formal testing process requires that a unique set of test vectors
 (request files) be generated for each test platform (operational
 environment).  Once such a set is used for one platform and the
 response files confirmed as correct it cannot be used again for any
 formal testing. Presumably that is to keep the vendors (i.e. us) from
 cheating by hard-coding the correct answers.  By now we have encountered
 quite a few of these test vector sets, but as they are interchangeable
 there is no point in keeping more than a few representative samples.

 -Steve M.

 --
 Steve Marquess
 OpenSSL Software Foundation, Inc.
 1829 Mount Ephraim Road
 Adamstown, MD  21710
 USA
 +1 877-673-6775
 marqu...@opensslfoundation.com



Re: Build Error on 1.0.1 with FIPS

2011-06-30 Thread Dr. Stephen Henson
On Thu, Jun 30, 2011, Tyrel Haveman wrote:

 We just noticed that building the fips module on Linux works fine with
 no-asm, but on a 64-bit Windows build, it doesn't work without no-asm.
 Here's the error:
 
 link /nologo /subsystem:console /opt:ref /debug
 /out:out32dll\fips_standalone_sha1.exe
 @C:\Users\TyrelHa\AppData\Local\Temp\nmAD0D.tmp
 sha1dgst.obj : error LNK2019: unresolved external symbol
 fips_sha1_block_data_order referenced in function fips_sha1_update
 sha1-x86_64.obj : error LNK2019: unresolved external symbol
 OPENSSL_ia32cap_P referenced in function sha1_block_data_order
 out32dll\fips_standalone_sha1.exe : fatal error LNK1120: 2 unresolved 
 externals
 NMAKE : fatal error U1077: 'C:\Program Files (x86)\Microsoft Visual Studio 
 10.0
 \VC\BIN\x86_amd64\link.EXE' : return code '0x460'
 Stop.
 
 I don't know enough about the openssl build yet to be able to resolve
 this one myself. It works fine if no-asm is specified to Configure.
 Can someone take a look?
 

Should be fixed in the next snapshot.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: Build Error on 1.0.1 with FIPS

2011-06-30 Thread Tyrel Haveman
Thanks Steve, but now it's running into this instead:
 Assembling: tmp32dll\x86_64cpuid.asm
tmp32dll\x86_64cpuid.asm(9) : error A2008:syntax error : SEGMENT
tmp32dll\x86_64cpuid.asm(12) : error A2008:syntax error : ENDS
NMAKE : fatal error U1077: 'C:\Program Files (x86)\Microsoft Visual
Studio 10.0\VC\BIN\x86_amd64\ml64.EXE' : return code '0x1'
Stop.

The code at those lines looks like this:
.data   SEGMENT
COMM    fips_openssl_ia32cap_p:DWORD:2

.data   ENDS

I don't know MASM syntax so I'm not sure how to correct this.

Thanks again,
Tyrel

On Thu, Jun 30, 2011 at 12:27 PM, Dr. Stephen Henson st...@openssl.org wrote:
 On Thu, Jun 30, 2011, Tyrel Haveman wrote:

 We just noticed that building the fips module on Linux works fine with
 no-asm, but on a 64-bit Windows build, it doesn't work without no-asm.
 Here's the error:

         link /nologo /subsystem:console /opt:ref /debug
 /out:out32dll\fips_standalone_sha1.exe
 @C:\Users\TyrelHa\AppData\Local\Temp\nmAD0D.tmp
 sha1dgst.obj : error LNK2019: unresolved external symbol
 fips_sha1_block_data_order referenced in function fips_sha1_update
 sha1-x86_64.obj : error LNK2019: unresolved external symbol
 OPENSSL_ia32cap_P referenced in function sha1_block_data_order
 out32dll\fips_standalone_sha1.exe : fatal error LNK1120: 2 unresolved 
 externals
 NMAKE : fatal error U1077: 'C:\Program Files (x86)\Microsoft Visual Studio 
 10.0
 \VC\BIN\x86_amd64\link.EXE' : return code '0x460'
 Stop.

 I don't know enough about the openssl build yet to be able to resolve
 this one myself. It works fine if no-asm is specified to Configure.
 Can someone take a look?


 Should be fixed in the next snapshot.

 Steve.
 --
 Dr Stephen N. Henson. OpenSSL project core developer.
 Commercial tech support now available see: http://www.openssl.org


Re: Build Error on 1.0.1 with FIPS

2011-06-30 Thread Dr. Stephen Henson
On Thu, Jun 30, 2011, Tyrel Haveman wrote:

 Thanks Steve, but now it's running into this instead:
  Assembling: tmp32dll\x86_64cpuid.asm
 tmp32dll\x86_64cpuid.asm(9) : error A2008:syntax error : SEGMENT
 tmp32dll\x86_64cpuid.asm(12) : error A2008:syntax error : ENDS
 NMAKE : fatal error U1077: 'C:\Program Files (x86)\Microsoft Visual
 Studio 10.0\VC\BIN\x86_amd64\ml64.EXE' : return code '0x1'
 Stop.
 
 The code at those lines looks like this:
 .data SEGMENT
 COMM  fips_openssl_ia32cap_p:DWORD:2
 
 .data ENDS
 
 I don't know MASM syntax so I'm not sure how to correct this.
 

You have to use NASM for the build and the build process is simply:

ms\do_fips

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: Build Error on 1.0.1 with FIPS

2011-06-30 Thread Tyrel Haveman
Ah, okay. We tried that out and the FIPS module does build great
afterwards. But then, later, the 1.0.1 fips-capable build fails to
build with this reasoning:

nasm -f win64 -DNEAR -Ox -g -o tmp32dll\rc4-x86_64.obj tmp32dll\rc4-x86_
64.asm
tmp32dll\rc4-x86_64.asm:755: error: symbol `L$SEH_begin_RC4_set_key' undefined
tmp32dll\rc4-x86_64.asm:756: error: symbol `L$SEH_end_RC4_set_key' undefined
NMAKE : fatal error U1077: 'C:\devel\crypto\tools\nasm.EXE' : return code '0x1'
Stop.

On Thu, Jun 30, 2011 at 2:28 PM, Dr. Stephen Henson st...@openssl.org wrote:
 On Thu, Jun 30, 2011, Tyrel Haveman wrote:

 Thanks Steve, but now it's running into this instead:
  Assembling: tmp32dll\x86_64cpuid.asm
 tmp32dll\x86_64cpuid.asm(9) : error A2008:syntax error : SEGMENT
 tmp32dll\x86_64cpuid.asm(12) : error A2008:syntax error : ENDS
 NMAKE : fatal error U1077: 'C:\Program Files (x86)\Microsoft Visual
 Studio 10.0\VC\BIN\x86_amd64\ml64.EXE' : return code '0x1'
 Stop.

 The code at those lines looks like this:
 .data SEGMENT
 COMM  fips_openssl_ia32cap_p:DWORD:2

 .data ENDS

 I don't know MASM syntax so I'm not sure how to correct this.


 You have to use NASM for the build and the build process is simply:

 ms\do_fips

 Steve.
 --
 Dr Stephen N. Henson. OpenSSL project core developer.
 Commercial tech support now available see: http://www.openssl.org


Re: Build Error on 1.0.1 with FIPS

2011-06-29 Thread Tyrel Haveman
Thanks Steve. This helps a lot. One more related question: Why are the
FIPS test vectors different for different platforms? It seems like
Windows and Linux, for example, should both be able to encrypt the
same things and produce the same outputs.

Thanks again,
Tyrel

On Tue, Jun 28, 2011 at 10:44 AM, Dr. Stephen Henson st...@openssl.org wrote:
 On Tue, Jun 28, 2011, Tyrel Haveman wrote:

 All,

 I'm having a problem when building OpenSSL 1.0.1 along with fips-2.0.
 My layout is like this:
 /home/tyrel/openssl-test/openssl   -- contains the 1.0.1 branch from CVS
 /home/tyrel/openssl-test/fips   -- contains the extracted fips-2.0
 snapshot tarball

 My build steps are (from the openssl-test dir):

 cd fips
 ./config no-asm no-hw --prefix=/home/tyrel/openssl-test/dep
 make
 make install
 cd ..

 cd openssl
 export FIPSDIR=/home/tyrel/openssl-test/dep
 export FIPSLIBDIR=/home/tyrel/openssl-test/dep/lib
 ./config fips no-asm no-hw --prefix=/home/tyrel/openssl-test/dep
 make depend
 make
 make install

 The config script indicated that I should run make depend because
 you've disabled or enabled at least one algorithm. But make depend
 is the step that is failing. Log is below.

 It's worth noting that even though make depend fails, I can run make
 just fine. Is make depend even necessary, then, in this case?


 You don't need to run make depend. Also the steps you use above should
 be changed.

 Set FIPSDIR only and no other environment variables before you even
 build the test 2.0 module. You can only do:

 ./config
 make
 make install

 for the FIPS test 2.0 module build. No other options are permitted. In the
 past no-asm was permitted but this time no one has (so far) sponsored the
 C only build.

 For the FIPS capable build you can include additional options but
 don't set --prefix in the FIPS capable build to the same directory as
 FIPSDIR. The test 2.0 module and the FIPS capable OpenSSL should go in
 different places.

 You can skip make depend.

 Steve.
 --
 Dr Stephen N. Henson. OpenSSL project core developer.
 Commercial tech support now available see: http://www.openssl.org


Re: Build Error on 1.0.1 with FIPS

2011-06-29 Thread Dr. Stephen Henson
On Wed, Jun 29, 2011, Tyrel Haveman wrote:

 Thanks Steve. This helps a lot. One more related question: Why are the
 FIPS test vectors different for different platforms? It seems like
 Windows and Linux, for example, should both be able to encrypt the
 same things and produce the same outputs.
 

They are interchangeable; it's just that those are the test vectors produced by
that particular platform during testing.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: Build Error on 1.0.1 with FIPS

2011-06-29 Thread Steve Marquess
On 06/29/2011 04:46 PM, Dr. Stephen Henson wrote:
 On Wed, Jun 29, 2011, Tyrel Haveman wrote:

 Thanks Steve. This helps a lot. One more related question: Why are the
 FIPS test vectors different for different platforms? It seems like
 Windows and Linux, for example, should both be able to encrypt the
 same things and produce the same outputs.

 They are interchangeable; it's just that those are the test vectors produced by
 that particular platform during testing.

The formal testing process requires that a unique set of test vectors
(request files) be generated for each test platform (operational
environment).  Once such a set is used for one platform and the
response files confirmed as correct it cannot be used again for any
formal testing. Presumably that is to keep the vendors (i.e. us) from
cheating by hard-coding the correct answers.  By now we have encountered
quite a few of these test vector sets, but as they are interchangeable
there is no point in keeping more than a few representative samples.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com



Build Error on 1.0.1 with FIPS

2011-06-28 Thread Tyrel Haveman
All,

I'm having a problem when building OpenSSL 1.0.1 along with fips-2.0.
My layout is like this:
/home/tyrel/openssl-test/openssl   -- contains the 1.0.1 branch from CVS
/home/tyrel/openssl-test/fips   -- contains the extracted fips-2.0
snapshot tarball

My build steps are (from the openssl-test dir):

cd fips
./config no-asm no-hw --prefix=/home/tyrel/openssl-test/dep
make
make install
cd ..

cd openssl
export FIPSDIR=/home/tyrel/openssl-test/dep
export FIPSLIBDIR=/home/tyrel/openssl-test/dep/lib
./config fips no-asm no-hw --prefix=/home/tyrel/openssl-test/dep
make depend
make
make install

The config script indicated that I should run make depend because
you've disabled or enabled at least one algorithm. But make depend
is the step that is failing. Log is below.

It's worth noting that even though make depend fails, I can run make
just fine. Is make depend even necessary, then, in this case?

Also this failure only seems to be happening the last week or so, I
think. So it may be related to a recent change in CVS. My coworkers
are seeing the same thing on their boxes.

Any thoughts?

Here's the log:

make[2]: Entering directory `/home/tyrel/openssl-test/openssl/crypto/hmac'
../../util/domd ../.. -MD gcc -- -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3
-fomit-frame-pointer -Wall -I/home/tyrel/openssl-test/dep/include -I..
-I../.. -I../asn1 -I../evp -I../../include  -DOPENSSL_NO_DEPRECATED
-DOPENSSL_NO_EC_NISTP224_64_GCC_128 -DOPENSSL_NO_GMP
-DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5
-DOPENSSL_NO_RFC3779 -DOPENSSL_NO_STORE --  hmac.c hm_ameth.c
hm_pmeth.c
In file included from hm_pmeth.c:64:
../evp/evp_locl.h:355:1: error: SHA1_Init redefined
In file included from /home/tyrel/openssl-test/dep/include/openssl/crypto.h:151,
 from ../cryptlib.h:72,
 from hm_pmeth.c:59:
/home/tyrel/openssl-test/dep/include/openssl/fipssyms.h:456:1: error:
this is the location of the previous definition
In file included from hm_pmeth.c:64:
../evp/evp_locl.h:356:1: error: SHA224_Init redefined
In file included from /home/tyrel/openssl-test/dep/include/openssl/crypto.h:151,
 from ../cryptlib.h:72,
 from hm_pmeth.c:59:
/home/tyrel/openssl-test/dep/include/openssl/fipssyms.h:462:1: error:
this is the location of the previous definition
In file included from hm_pmeth.c:64:
../evp/evp_locl.h:357:1: error: SHA256_Init redefined
In file included from /home/tyrel/openssl-test/dep/include/openssl/crypto.h:151,
 from ../cryptlib.h:72,
 from hm_pmeth.c:59:
/home/tyrel/openssl-test/dep/include/openssl/fipssyms.h:465:1: error:
this is the location of the previous definition
In file included from hm_pmeth.c:64:
../evp/evp_locl.h:358:1: error: SHA384_Init redefined
In file included from /home/tyrel/openssl-test/dep/include/openssl/crypto.h:151,
 from ../cryptlib.h:72,
 from hm_pmeth.c:59:
/home/tyrel/openssl-test/dep/include/openssl/fipssyms.h:471:1: error:
this is the location of the previous definition
In file included from hm_pmeth.c:64:
../evp/evp_locl.h:359:1: error: SHA512_Init redefined
In file included from /home/tyrel/openssl-test/dep/include/openssl/crypto.h:151,
 from ../cryptlib.h:72,
 from hm_pmeth.c:59:
/home/tyrel/openssl-test/dep/include/openssl/fipssyms.h:474:1: error:
this is the location of the previous definition
In file included from hm_pmeth.c:64:
../evp/evp_locl.h:367:1: error: DES_set_key_unchecked redefined
In file included from /home/tyrel/openssl-test/dep/include/openssl/crypto.h:151,
 from ../cryptlib.h:72,
 from hm_pmeth.c:59:
/home/tyrel/openssl-test/dep/include/openssl/fipssyms.h:254:1: error:
this is the location of the previous definition
make[2]: *** [depend] Error 1
make[2]: Leaving directory `/home/tyrel/openssl-test/openssl/crypto/hmac'
make[1]: *** [depend] Error 1
make[1]: Leaving directory `/home/tyrel/openssl-test/openssl/crypto'
make: *** [depend] Error 1


Thanks,
Tyrel


Re: Build Error on 1.0.1 with FIPS

2011-06-28 Thread Dr. Stephen Henson
On Tue, Jun 28, 2011, Tyrel Haveman wrote:

 All,
 
 I'm having a problem when building OpenSSL 1.0.1 along with fips-2.0.
 My layout is like this:
 /home/tyrel/openssl-test/openssl   -- contains the 1.0.1 branch from CVS
 /home/tyrel/openssl-test/fips   -- contains the extracted fips-2.0
 snapshot tarball
 
 My build steps are (from the openssl-test dir):
 
 cd fips
 ./config no-asm no-hw --prefix=/home/tyrel/openssl-test/dep
 make
 make install
 cd ..
 
 cd openssl
 export FIPSDIR=/home/tyrel/openssl-test/dep
 export FIPSLIBDIR=/home/tyrel/openssl-test/dep/lib
 ./config fips no-asm no-hw --prefix=/home/tyrel/openssl-test/dep
 make depend
 make
 make install
 
 The config script indicated that I should run make depend because
 you've disabled or enabled at least one algorithm. But make depend
 is the step that is failing. Log is below.
 
 It's worth noting that even though make depend fails, I can run make
 just fine. Is make depend even necessary, then, in this case?
 

You don't need to run make depend. Also the steps you use above should
be changed.

Set FIPSDIR only and no other environment variables before you even
build the test 2.0 module. You can only do:

./config
make
make install

for the FIPS test 2.0 module build. No other options are permitted. In the
past no-asm was permitted but this time no one has (so far) sponsored the
C only build.

For the FIPS capable build you can include additional options but 
don't set --prefix in the FIPS capable build to the same directory as
FIPSDIR. The test 2.0 module and the FIPS capable OpenSSL should go in
different places.

You can skip make depend.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
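
The build rules from the reply above, written as a preflight check that can run before either `./config` step. This is an added example, not part of the thread and not OpenSSL project code; the function names and the `fips-module` directory are hypothetical.

```shell
#!/bin/sh
# Added example: preflight check for the two-stage FIPS build discussed above.

# canon_dir PATH: strip trailing slashes so /a/b and /a/b/ compare equal.
canon_dir() {
    d=$1
    while [ "$d" != "/" ] && [ "${d%/}" != "$d" ]; do d=${d%/}; done
    printf '%s\n' "$d"
}

# check_fips_plan FIPSDIR MODULE_CONFIG_ARGS CAPABLE_CONFIG_ARGS
# Prints one line per violated rule and returns the number of violations.
check_fips_plan() {
    fipsdir=$(canon_dir "$1"); module_args=$2; capable_args=$3
    bad=0
    if [ -z "$fipsdir" ]; then
        echo "FIPSDIR must be set before the module is built"; bad=$((bad + 1))
    fi
    # "Set FIPSDIR only": the original post also exported FIPSLIBDIR.
    if [ -n "${FIPSLIBDIR:-}" ]; then
        echo "FIPSLIBDIR is set; set FIPSDIR only"; bad=$((bad + 1))
    fi
    # The test 2.0 module accepts plain ./config, with no options at all.
    if [ -n "$module_args" ]; then
        echo "module ./config takes no options, got: $module_args"; bad=$((bad + 1))
    fi
    # The FIPS capable build may take options, but its --prefix must differ.
    prefix=
    for arg in $capable_args; do
        case $arg in --prefix=*) prefix=$(canon_dir "${arg#--prefix=}") ;; esac
    done
    if [ -n "$prefix" ] && [ "$prefix" = "$fipsdir" ]; then
        echo "--prefix equals FIPSDIR ($fipsdir); install them separately"
        bad=$((bad + 1))
    fi
    return "$bad"
}

# Constructed demo 1: the plan from the original post (three violations).
( FIPSLIBDIR=/home/tyrel/openssl-test/dep/lib
  check_fips_plan /home/tyrel/openssl-test/dep \
      "no-asm no-hw --prefix=/home/tyrel/openssl-test/dep" \
      "fips no-asm no-hw --prefix=/home/tyrel/openssl-test/dep" ) ||
    echo "violations: $?"
# Constructed demo 2: corrected plan, module in its own (hypothetical) directory.
check_fips_plan /home/tyrel/openssl-test/fips-module "" \
    "fips no-asm no-hw --prefix=/home/tyrel/openssl-test/dep" &&
    echo "plan follows the rules above"
```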