Re: out range error compiling fips 1.2.3

2011-09-10 Thread Kenneth Goldman
Replies below.  But the meta-question is does there exist
step by step instructions for compiling the openssl FIPS module.

It seems odd that this is supposed to be so strict, yet the process seems to be
to google around and try various options until something works.

 From: Dr. Stephen Henson st...@openssl.org
 To: openssl-users@openssl.org
 Date: 09/09/2011 09:45 AM
 Subject: Re: out range error compiling fips 1.2.3
 Sent by: owner-openssl-us...@openssl.org
 
 On Thu, Sep 08, 2011, Kenneth Goldman wrote:
 
  I'm getting this error compiling openssl-fips-1.2.3.tar.gz, which seems to
  be the latest.  It seems to be well known on openssl-dev, but I don't know
  what to do about it.  Any ideas?
  
  gcc -I.. -I../.. -I../../include -DOPENSSL_THREADS -D_REENTRANT 
  -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -O3 -Wall 
  -DMD32_REG_T=int -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM 
  -DSHA512_ASM -DMD5_ASM -DAES_ASM -c  -o md5-x86_64.o md5-x86_64.s
  md5-x86_64.s: Assembler messages:
  md5-x86_64.s:41: Error: 0xd76aa478 out range of signed 32bit displacement
  
   uname -a
  Linux cainl.watson.ibm.com 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20
  14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
  
 
 If you can get OpenSSL to compile despite that error (e.g. different version
 of the assembler) it won't matter because that file isn't used in the FIPS
 module itself. It's just a side effect of the 1.2 build process that it needs
 to build a complete version of OpenSSL as well as the module.

I thought I was not allowed to touch any of the build configuration.

This is a standard Linux RHEL 6.1 with standard gnu tools.

 
  ~~
  
  A second question.  In researching this error, I saw someone compile with
  
   ./config fipscanisterbuild
  
  That's not in the INSTALL file.  Do I need this?
  
 
 That is for testing purposes for the unvalidated 2.0 module only. The 1.2
 module uses
 
 ./config fipscanister
 
 instead.

I tried that and got:

 ./config fipscanister 
Operating system: x86_64-whatever-linux2
Configuring for linux-x86_64
target already defined - linux-x86_64 (offending arg: fipscanister)

Re: out range error compiling fips 1.2.3

2011-09-10 Thread Kenneth Goldman
 From: Jakob Bohm jb-open...@wisemo.com
 Date: 09/09/2011 05:36 AM
 Subject: Re: out range error compiling fips 1.2.3
 
 On 9/8/2011 9:35 PM, Kenneth Goldman wrote:
  ...
 
  A second question. In researching this error, I saw someone compile with
   ./config fipscanisterbuild
  That's not in the INSTALL file. Do I need this?

 Hmm, in previous versions of the FIPS module, there was an
 official document as part of the FIPS approval which restricted
 the FIPS certification to use of a specific sequence of build steps,
 one of which was that command.
 
 Maybe the INSTALL file is the standard OpenSSL INSTALL file and
 not the true FIPS instructions, or maybe that command is only for
 the old FIPS module for version 0.9.x and not for the new module for
 version 1.0.x .
 
 Someone else on this list certainly knows which of those two applies.

I think you're right that the INSTALL file is the standard one.  The string
FIPS never appears.  IMHO, this is a bug in the FIPS tarball.

For the record, 

- When one specifies fipscanisterbuild, a message appears that one should
go to www.openssl.org/docs/fips

- In that page, there's a pdf SecurityPolicy that suggests 

./config fipscanisterbuild noasm

This eliminates the 'out range' error.  But then make test fails with this:

echo test normal x509v1 certificate
test normal x509v1 certificate
sh ./tx509 2>/dev/null
testing X509 conversions
p -> d
make[1]: *** [test_x509] Error 1
make[1]: Leaving directory `/home/kgold/Downloads/openssl-fips-1.2.3/test'
make: *** [tests] Error 2



Re: out range error compiling fips 1.2.3

2011-09-10 Thread Dr. Stephen Henson
On Fri, Sep 09, 2011, Kenneth Goldman wrote:

  From: Jakob Bohm jb-open...@wisemo.com
  Date: 09/09/2011 05:36 AM
  Subject: Re: out range error compiling fips 1.2.3
  
  On 9/8/2011 9:35 PM, Kenneth Goldman wrote:
   ...
  
   A second question. In researching this error, I saw someone compile with
    ./config fipscanisterbuild
   That's not in the INSTALL file. Do I need this?
 
  Hmm, in previous versions of the FIPS module, there was an
  official document as part of the FIPS approval which restricted
  the FIPS certification to use of a specific sequence of build steps,
  one of which was that command.
  
  Maybe the INSTALL file is the standard OpenSSL INSTALL file and
  not the true FIPS instructions, or maybe that command is only for
  the old FIPS module for version 0.9.x and not for the new module for
  version 1.0.x .
  
  Someone else on this list certainly knows which of those two applies.
 
 I think you're right that the INSTALL file is the standard one.  The string
 FIPS never appears.  IMHO, this is a bug in the FIPS tarball.
 
 For the record, 
 
 - When one specifies fipscanisterbuild, a message appears that one should
 go to www.openssl.org/docs/fips
 
 - In that page, there's a pdf SecurityPolicy that suggests 
 
 ./config fipscanisterbuild noasm
 
 This eliminates the 'out range' error.  But then make test fails with this:
 
 echo test normal x509v1 certificate
 test normal x509v1 certificate
 sh ./tx509 2>/dev/null
 testing X509 conversions
 p -> d
 make[1]: *** [test_x509] Error 1
 make[1]: Leaving directory `/home/kgold/Downloads/openssl-fips-1.2.3/test'
 make: *** [tests] Error 2
 

That's a known problem due to the ancient nature of the version of OpenSSL
that comes with the FIPS tarball. If you link the module against OpenSSL
0.9.8r (the so called FIPS capable OpenSSL) it should work fine. For details
see the user guide at:

http://www.openssl.org/docs/fips/UserGuide-1.2.pdf

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: out range error compiling fips 1.2.3

2011-09-10 Thread Dr. Stephen Henson
On Fri, Sep 09, 2011, Kenneth Goldman wrote:

 Replies below.  But the meta-question is does there exist
 step by step instructions for compiling the openssl FIPS module.
 

The user guide and the security policy have details.

 
  That is for testing purposes for the unvalidated 2.0 module only. The 1.2
  module uses
  
  ./config fipscanister
  
  instead.
 
 I tried that and got:
 
  ./config fipscanister 
 Operating system: x86_64-whatever-linux2
 Configuring for linux-x86_64
 target already defined - linux-x86_64 (offending arg: fipscanister)

Sorry yes it is fipscanisterbuild, I've been messing around with multiple
versions of the module this last week and got confused.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


out range error compiling fips 1.2.3

2011-09-09 Thread Kenneth Goldman
I'm getting this error compiling openssl-fips-1.2.3.tar.gz, which seems to 
be the latest.  It seems to be well known on openssl-dev, but I don't know 
what to do about it.  Any ideas?

gcc -I.. -I../.. -I../../include -DOPENSSL_THREADS -D_REENTRANT 
-DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -O3 -Wall 
-DMD32_REG_T=int -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM 
-DSHA512_ASM -DMD5_ASM -DAES_ASM -c  -o md5-x86_64.o md5-x86_64.s
md5-x86_64.s: Assembler messages:
md5-x86_64.s:41: Error: 0xd76aa478 out range of signed 32bit displacement

 uname -a
Linux cainl.watson.ibm.com 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 
14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux

~~

A second question.  In researching this error, I saw someone compile with 

 ./config fipscanisterbuild

That's not in the INSTALL file.  Do I need this?

--
Ken Goldman   kg...@watson.ibm.com 
914-784-7646 (863-7646)


Re: out range error compiling fips 1.2.3

2011-09-09 Thread Jakob Bohm

On 9/8/2011 9:35 PM, Kenneth Goldman wrote:

...

A second question. In researching this error, I saw someone compile with
  ./config fipscanisterbuild
That's not in the INSTALL file. Do I need this?

--
Ken Goldman   kg...@watson.ibm.com
914-784-7646 (863-7646)

Hmm, in previous versions of the FIPS module, there was an
official document as part of the FIPS approval which restricted
the FIPS certification to use of a specific sequence of build steps,
one of which was that command.

Maybe the INSTALL file is the standard OpenSSL INSTALL file and
not the true FIPS instructions, or maybe that command is only for
the old FIPS module for version 0.9.x and not for the new module for
version 1.0.x .

Someone else on this list certainly knows which of those two applies.




Re: out range error compiling fips 1.2.3

2011-09-09 Thread Dr. Stephen Henson
On Thu, Sep 08, 2011, Kenneth Goldman wrote:

 I'm getting this error compiling openssl-fips-1.2.3.tar.gz, which seems to 
 be the latest.  It seems to be well known on openssl-dev, but I don't know 
 what to do about it.  Any ideas?
 
 gcc -I.. -I../.. -I../../include -DOPENSSL_THREADS -D_REENTRANT 
 -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -O3 -Wall 
 -DMD32_REG_T=int -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM 
 -DSHA512_ASM -DMD5_ASM -DAES_ASM -c  -o md5-x86_64.o md5-x86_64.s
 md5-x86_64.s: Assembler messages:
 md5-x86_64.s:41: Error: 0xd76aa478 out range of signed 32bit displacement
 
  uname -a
 Linux cainl.watson.ibm.com 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 
 14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
 

If you can get OpenSSL to compile despite that error (e.g. different version
of the assembler) it won't matter because that file isn't used in the FIPS
module itself. It's just a side effect of the 1.2 build process that it needs
to build a complete version of OpenSSL as well as the module.

 ~~
 
 A second question.  In researching this error, I saw someone compile with 
 
  ./config fipscanisterbuild
 
 That's not in the INSTALL file.  Do I need this?
 

That is for testing purposes for the unvalidated 2.0 module only. The 1.2
module uses

./config fipscanister

instead.

--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org