
Build Error on 1.0.1 with FIPS


Tyrel Haveman

Jun 28, 2011, 12:56:54 PM
All,

I'm having a problem when building OpenSSL 1.0.1 along with fips-2.0.
My layout is like this:
/home/tyrel/openssl-test/openssl   <-- contains the 1.0.1 branch from CVS
/home/tyrel/openssl-test/fips   <-- contains the extracted fips-2.0 snapshot tarball

My build steps are (from the openssl-test dir):

cd fips
./config no-asm no-hw --prefix="/home/tyrel/openssl-test/dep"
make
make install
cd ..

cd openssl
export FIPSDIR=/home/tyrel/openssl-test/dep
export FIPSLIBDIR=/home/tyrel/openssl-test/dep/lib
./config fips no-asm no-hw --prefix="/home/tyrel/openssl-test/dep"
make depend
make
make install

The config script indicated that I should run make depend because
"you've disabled or enabled at least one algorithm". But make depend
is the step that is failing. Log is below.

It's worth noting that even though make depend fails, I can run make
just fine. Is make depend even necessary, then, in this case?

Also this failure only seems to be happening the last week or so, I
think. So it may be related to a recent change in CVS. My coworkers
are seeing the same thing on their boxes.

Any thoughts?

Here's the log:

make[2]: Entering directory `/home/tyrel/openssl-test/openssl/crypto/hmac'
../../util/domd ../.. -MD gcc -- -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3
-fomit-frame-pointer -Wall -I/home/tyrel/openssl-test/dep/include -I..
-I../.. -I../asn1 -I../evp -I../../include -DOPENSSL_NO_DEPRECATED
-DOPENSSL_NO_EC_NISTP224_64_GCC_128 -DOPENSSL_NO_GMP
-DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5
-DOPENSSL_NO_RFC3779 -DOPENSSL_NO_STORE -- hmac.c hm_ameth.c
hm_pmeth.c
In file included from hm_pmeth.c:64:
../evp/evp_locl.h:355:1: error: "SHA1_Init" redefined
In file included from /home/tyrel/openssl-test/dep/include/openssl/crypto.h:151,
from ../cryptlib.h:72,
from hm_pmeth.c:59:
/home/tyrel/openssl-test/dep/include/openssl/fipssyms.h:456:1: error:
this is the location of the previous definition
In file included from hm_pmeth.c:64:
../evp/evp_locl.h:356:1: error: "SHA224_Init" redefined
In file included from /home/tyrel/openssl-test/dep/include/openssl/crypto.h:151,
from ../cryptlib.h:72,
from hm_pmeth.c:59:
/home/tyrel/openssl-test/dep/include/openssl/fipssyms.h:462:1: error:
this is the location of the previous definition
In file included from hm_pmeth.c:64:
../evp/evp_locl.h:357:1: error: "SHA256_Init" redefined
In file included from /home/tyrel/openssl-test/dep/include/openssl/crypto.h:151,
from ../cryptlib.h:72,
from hm_pmeth.c:59:
/home/tyrel/openssl-test/dep/include/openssl/fipssyms.h:465:1: error:
this is the location of the previous definition
In file included from hm_pmeth.c:64:
../evp/evp_locl.h:358:1: error: "SHA384_Init" redefined
In file included from /home/tyrel/openssl-test/dep/include/openssl/crypto.h:151,
from ../cryptlib.h:72,
from hm_pmeth.c:59:
/home/tyrel/openssl-test/dep/include/openssl/fipssyms.h:471:1: error:
this is the location of the previous definition
In file included from hm_pmeth.c:64:
../evp/evp_locl.h:359:1: error: "SHA512_Init" redefined
In file included from /home/tyrel/openssl-test/dep/include/openssl/crypto.h:151,
from ../cryptlib.h:72,
from hm_pmeth.c:59:
/home/tyrel/openssl-test/dep/include/openssl/fipssyms.h:474:1: error:
this is the location of the previous definition
In file included from hm_pmeth.c:64:
../evp/evp_locl.h:367:1: error: "DES_set_key_unchecked" redefined
In file included from /home/tyrel/openssl-test/dep/include/openssl/crypto.h:151,
from ../cryptlib.h:72,
from hm_pmeth.c:59:
/home/tyrel/openssl-test/dep/include/openssl/fipssyms.h:254:1: error:
this is the location of the previous definition
make[2]: *** [depend] Error 1
make[2]: Leaving directory `/home/tyrel/openssl-test/openssl/crypto/hmac'
make[1]: *** [depend] Error 1
make[1]: Leaving directory `/home/tyrel/openssl-test/openssl/crypto'
make: *** [depend] Error 1


Thanks,
Tyrel
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List opens...@openssl.org
Automated List Manager majo...@openssl.org

Dr. Stephen Henson

Jun 28, 2011, 1:44:00 PM

You don't need to run "make depend". Also the steps you use above should
be changed.

Set FIPSDIR only and no other environment variables before you even
build the test 2.0 module. You can only do:

./config
make
make install

for the FIPS test 2.0 module build. No other options are permitted. In the
past no-asm was permitted but this time no one has (so far) sponsored the
C only build.

For the FIPS capable build you can include additional options but
don't set --prefix in the FIPS capable build to the same directory as
FIPSDIR. The test 2.0 module and the FIPS capable OpenSSL should go in
different places.

You can skip make depend.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
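
The constraints in the reply above (FIPSDIR only, no options for the module build, a separate --prefix for the FIPS capable build) can be checked before running ./config. This is an added example, not part of the thread or of OpenSSL; the function name `fips_preflight` and its stage labels are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for the two builds.
# The function name and its "module"/"capable" stage labels are assumptions.

# usage: fips_preflight module|capable [./config arguments...]
# Reads FIPSDIR and FIPSLIBDIR from the shell environment.
# Prints each problem found; returns 0 when there are none, 1 otherwise.
fips_preflight() {
    stage=$1; shift
    problems=0 has_fips=0

    [ -n "${FIPSDIR:-}" ] || { echo "FIPSDIR is not set"; problems=1; }
    [ -z "${FIPSLIBDIR:-}" ] || { echo "FIPSLIBDIR is set: set FIPSDIR only"; problems=1; }

    case $stage in
    module)
        # The module build is plain ./config; no options are permitted.
        [ "$#" -eq 0 ] || { echo "module build permits no options: $*"; problems=1; }
        ;;
    capable)
        for arg in "$@"; do
            case $arg in
            fips) has_fips=1 ;;
            --prefix=*)
                prefix=${arg#--prefix=}
                # Compare without one trailing slash on either side.
                if [ -n "${FIPSDIR:-}" ] && [ "${prefix%/}" = "${FIPSDIR%/}" ]; then
                    echo "--prefix is the same directory as FIPSDIR"; problems=1
                fi
                ;;
            esac
        done
        [ "$has_fips" -eq 1 ] || { echo "capable build is missing 'fips'"; problems=1; }
        ;;
    *)
        echo "unknown stage: $stage"; problems=1
        ;;
    esac
    return "$problems"
}

# The settings from the first post in this thread, checked in a subshell so
# the variables do not leak into the caller.
( FIPSDIR=/home/tyrel/openssl-test/dep
  FIPSLIBDIR=/home/tyrel/openssl-test/dep/lib
  fips_preflight module no-asm no-hw --prefix="$FIPSDIR"
  fips_preflight capable fips no-asm no-hw --prefix="$FIPSDIR" ) || true
```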

Tyrel Haveman

Jun 29, 2011, 3:54:23 PM
Thanks Steve. This helps a lot. One more related question: Why are the
FIPS test vectors different for different platforms? It seems like
Windows and Linux, for example, should both be able to encrypt the
same things and produce the same outputs.

Thanks again,
Tyrel

Dr. Stephen Henson

Jun 29, 2011, 4:46:48 PM
On Wed, Jun 29, 2011, Tyrel Haveman wrote:

> Thanks Steve. This helps a lot. One more related question: Why are the
> FIPS test vectors different for different platforms? It seems like
> Windows and Linux, for example, should both be able to encrypt the
> same things and produce the same outputs.
>

They are interchangeable; it's just that those are the test vectors produced by
that particular platform during testing.

Steve Marquess

Jun 29, 2011, 5:14:32 PM
On 06/29/2011 04:46 PM, Dr. Stephen Henson wrote:
> On Wed, Jun 29, 2011, Tyrel Haveman wrote:
>
>> Thanks Steve. This helps a lot. One more related question: Why are the
>> FIPS test vectors different for different platforms? It seems like
>> Windows and Linux, for example, should both be able to encrypt the
>> same things and produce the same outputs.
>>
> They are interchangeable; it's just that those are the test vectors produced by
> that particular platform during testing.

The formal testing process requires that a unique set of test vectors
(request files) be generated for each test platform ("operational
environment"). Once such a set is used for one platform and the
response files confirmed as correct it cannot be used again for any
formal testing. Presumably that is to keep the vendors (i.e. us) from
cheating by hard-coding the correct answers. By now we have encountered
quite a few of these test vector sets, but as they are interchangeable
there is no point in keeping more than a few representative samples.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877-673-6775
marq...@opensslfoundation.com

Tyrel Haveman

Jun 30, 2011, 12:56:39 PM
We just noticed that building the fips module on Linux works fine with
no-asm, but on a 64-bit Windows build, it doesn't work without no-asm.
Here's the error:

link /nologo /subsystem:console /opt:ref /debug
/out:out32dll\fips_standalone_sha1.exe
@C:\Users\TyrelHa\AppData\Local\Temp\nmAD0D.tmp
sha1dgst.obj : error LNK2019: unresolved external symbol
fips_sha1_block_data_order referenced in function fips_sha1_update
sha1-x86_64.obj : error LNK2019: unresolved external symbol
OPENSSL_ia32cap_P referenced in function sha1_block_data_order
out32dll\fips_standalone_sha1.exe : fatal error LNK1120: 2 unresolved externals
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\BIN\x86_amd64\link.EXE"' : return code '0x460'
Stop.

I don't know enough about the openssl build yet to be able to resolve
this one myself. It works fine if no-asm is specified to Configure.
Can someone take a look?

Thanks!
Tyrel

Dr. Stephen Henson

Jun 30, 2011, 3:27:38 PM
On Thu, Jun 30, 2011, Tyrel Haveman wrote:

> We just noticed that building the fips module on Linux works fine with
> no-asm, but on a 64-bit Windows build, it doesn't work without no-asm.
> Here's the error:
>
> link /nologo /subsystem:console /opt:ref /debug
> /out:out32dll\fips_standalone_sha1.exe
> @C:\Users\TyrelHa\AppData\Local\Temp\nmAD0D.tmp
> sha1dgst.obj : error LNK2019: unresolved external symbol
> fips_sha1_block_data_order referenced in function fips_sha1_update
> sha1-x86_64.obj : error LNK2019: unresolved external symbol
> OPENSSL_ia32cap_P referenced in function sha1_block_data_order
> out32dll\fips_standalone_sha1.exe : fatal error LNK1120: 2 unresolved externals
> NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio 10.0
> \VC\BIN\x86_amd64\link.EXE"' : return code '0x460'
> Stop.
>
> I don't know enough about the openssl build yet to be able to resolve
> this one myself. It works fine if no-asm is specified to Configure.
> Can someone take a look?
>

Should be fixed in the next snapshot.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Tyrel Haveman

Jun 30, 2011, 4:41:46 PM
Thanks Steve, but now it's running into this instead:
Assembling: tmp32dll\x86_64cpuid.asm
tmp32dll\x86_64cpuid.asm(9) : error A2008:syntax error : SEGMENT
tmp32dll\x86_64cpuid.asm(12) : error A2008:syntax error : ENDS

NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual
Studio 10.0\VC\BIN\x86_amd64\ml64.EXE"' : return code '0x1'
Stop.

The code at those lines looks like this:
.data SEGMENT
COMM fips_openssl_ia32cap_p:DWORD:2

.data ENDS

I don't know MASM syntax so I'm not sure how to correct this.

Thanks again,
Tyrel

Dr. Stephen Henson

Jun 30, 2011, 5:28:27 PM
On Thu, Jun 30, 2011, Tyrel Haveman wrote:

> Thanks Steve, but now it's running into this instead:
> Assembling: tmp32dll\x86_64cpuid.asm
> tmp32dll\x86_64cpuid.asm(9) : error A2008:syntax error : SEGMENT
> tmp32dll\x86_64cpuid.asm(12) : error A2008:syntax error : ENDS
> NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual
> Studio 10.0\VC\BIN\x86_amd64\ml64.EXE"' : return code '0x1'
> Stop.
>
> The code at those lines looks like this:
> .data SEGMENT
> COMM fips_openssl_ia32cap_p:DWORD:2
>
> .data ENDS
>
> I don't know MASM syntax so I'm not sure how to correct this.
>

You have to use NASM for the build and the build process is simply:

ms\do_fips

Tyrel Haveman

Jun 30, 2011, 7:07:12 PM
Ah, okay. We tried that out and the FIPS module does build great
afterwards. But then, later, the 1.0.1 fips-capable build fails to
build with this reasoning:

nasm -f win64 -DNEAR -Ox -g -o tmp32dll\rc4-x86_64.obj tmp32dll\rc4-x86_64.asm
tmp32dll\rc4-x86_64.asm:755: error: symbol `L$SEH_begin_RC4_set_key' undefined
tmp32dll\rc4-x86_64.asm:756: error: symbol `L$SEH_end_RC4_set_key' undefined
NMAKE : fatal error U1077: 'C:\devel\crypto\tools\nasm.EXE' : return code '0x1'
Stop.

Breakthrough

Jan 18, 2012, 5:39:13 PM

Steve,

I'm having similar issues. This is all being done on Ubuntu 10.10.

At first, I tried to get our FIPS 1.2 version to compile, so we could remain
consistent with our 0.9.8 OpenSSL that we use in Windows, but we're getting
all of the 32-bit unsigned error junk from binutils.

So we decided to attempt to get FIPS 2.0 Test with the latest OpenSSL 1.0.1
Snapshot to work instead.

We get the FIPS 2.0 to compile and install, and it puts the fipscanister
under our /usr/local/ssl/fips-2.0 location; however, when we attempt to make
the OpenSSL 1.0.1 snapshot work with the built FIPS, we get a problem.

Essentially we're doing:

./config fips
(it tells us to do the make depends, which we've tried, and we've ignored,
it doesn't seem to matter)
make

We get compilation errors because the libcrypto library is conflicting
with the fipscanister object in the following areas.


../libcrypto.a(aes-x86_64.o): In function `asm_AES_encrypt':
(.text+0x460): multiple definition of `asm_AES_encrypt'
/usr/local/ssl/fips-2.0/lib//fipscanister.o:(.text+0x33fa0): first defined
here
../libcrypto.a(aes-x86_64.o): In function `asm_AES_decrypt':
(.text+0x9f0): multiple definition of `asm_AES_decrypt'
/usr/local/ssl/fips-2.0/lib//fipscanister.o:(.text+0x34530): first defined
here
../libcrypto.a(aes-x86_64.o): In function `asm_AES_cbc_encrypt':
(.text+0xfa0): multiple definition of `asm_AES_cbc_encrypt'
/usr/local/ssl/fips-2.0/lib//fipscanister.o:(.text+0x34ad0): first defined
here



We're unsure how to overcome this, having tried various --with-fipslibdir
scenarios to no avail.

We'd like two answers to this...

1. Is there a way to get FIPS 1.2 to compile against 0.9.8 on Ubuntu with
binutils 2.20.51? If so, which patch will work. We can't seem to find one
that can correctly modify the constants in the md5 and sha1 assembly code to
make this compile for the fips canister.

2. What are we doing wrong with the FIPS 2.0 test above?

--
View this message in context: http://old.nabble.com/Build-Error-on-1.0.1-with-FIPS-tp31948446p33164693.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.

Dr. Stephen Henson

Jan 19, 2012, 7:21:23 AM
Can you give details of how you compiled and installed the test 2.0 module,
i.e. the commands you used?

Dr. Stephen Henson

Jan 19, 2012, 7:27:55 AM
Looking at this a little further... those symbols don't exist in the 2.0
module. That would happen if you used HEAD instead of the fips-2.0 snapshots
to build fipscanister.o
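
The diagnosis above can be confirmed by comparing the symbol tables of the two objects: any symbol both define strongly is one `ld` reports as a multiple definition. This is an added example, not part of the thread or of OpenSSL; the function names are assumptions and the `nm` listings are constructed for the demo (made-up addresses, symbol names taken from the thread).

```shell
#!/bin/sh
# Added example (not from the thread). Lists symbols that two objects both
# define strongly, which is what ld reports as "multiple definition".

# usage: defined_in_both NM_OUTPUT_A NM_OUTPUT_B
# Each argument is a file holding the output of `nm` for one object/archive.
defined_in_both() {
    LC_ALL=C awk '
        # Defined symbols print as "address type name". Keep strong global
        # definitions only (text, data, bss, read-only); skip U, W and locals.
        NF == 3 && $2 ~ /^[TDBR]$/ {
            if (FILENAME == ARGV[1]) seen[$3] = 1
            else if ($3 in seen) print $3
        }
    ' "$1" "$2" | LC_ALL=C sort -u
}

# Constructed nm output for the demo; addresses are made up, global symbol
# names are the ones quoted in the thread, local_helper_example is invented.
sample_collisions() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/canister.nm" <<'EOF'
0000000000033fa0 T asm_AES_encrypt
0000000000034530 T asm_AES_decrypt
0000000000034ad0 T asm_AES_cbc_encrypt
0000000000001200 T fips_sha1_update
                 U memcpy
EOF
    cat > "$dir/libcrypto.nm" <<'EOF'

aes-x86_64.o:
0000000000000460 T asm_AES_encrypt
00000000000009f0 T asm_AES_decrypt
0000000000000fa0 T asm_AES_cbc_encrypt
0000000000000000 t local_helper_example
                 U memcpy
EOF
    defined_in_both "$dir/canister.nm" "$dir/libcrypto.nm"
    status=$?
    rm -rf "$dir"
    return $status
}

sample_collisions
```

On a real tree the two inputs would be the saved output of `nm` on the installed fipscanister.o and on libcrypto.a; an empty result means the canister and the library do not define the same symbols.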

Breakthrough

Jan 19, 2012, 10:04:57 AM

We start with openssl-SNAP-20120118, and follow the directions.

./config fipscanisteronly
make

We then create a restricted tarball.

make -f Makefile.fips dist

We take that tar file and extract it to openssl-fips-2.0-test

Then we do the following:

./config
make
sudo make install

This seems to work and it places the fipscanister.o under
/usr/local/ssl/fips-2.0/lib

Then per the guidance provided, we get openssl-1.0.1-stable-SNAP-20120118
and do the following:

./config fips
(it says on the screen that we should do make depend, but we do not, per
earlier email instructions)
make

We get the following errors:

../libcrypto.a(aes-x86_64.o): In function `asm_AES_encrypt':
(.text+0x460): multiple definition of `asm_AES_encrypt'
/usr/local/ssl/fips-2.0/lib//fipscanister.o:(.text+0x33fa0): first defined
here
../libcrypto.a(aes-x86_64.o): In function `asm_AES_decrypt':
(.text+0x9f0): multiple definition of `asm_AES_decrypt'
/usr/local/ssl/fips-2.0/lib//fipscanister.o:(.text+0x34530): first defined
here
../libcrypto.a(aes-x86_64.o): In function `asm_AES_cbc_encrypt':
(.text+0xfa0): multiple definition of `asm_AES_cbc_encrypt'
/usr/local/ssl/fips-2.0/lib//fipscanister.o:(.text+0x34ad0): first defined
here
collect2: ld returned 1 exit status


That's as far as we get.

Dr. Stephen Henson

Jan 19, 2012, 1:38:28 PM
On Thu, Jan 19, 2012, Breakthrough wrote:

>
> We start with openssl-SNAP-20120118, and follow the directions.
>
> ./config fipscanisteronly
> make
>

Don't use that, use one of the *fips* snapshots instead.

Breakthrough

Jan 19, 2012, 5:03:16 PM

So let me ask for some additional guidance here...

If we wanted to use the latest and greatest FIPS 1.2 validated based on a
0.9.8 OpenSSL baseline, which combination of versions should we use?

If we wanted to use the latest and greatest FIPS 2.0 non-validated based
test version (but we need it to be able to go into FIPS mode through the
calls, even if not "certified"), and based on a 1.0.0 or 1.0.1 OpenSSL
baseline, which combination of versions should we use?

In essence, which downloads for FIPS and OpenSSL should we retrieve from
source to ensure success on Ubuntu 10.10 using binutils 2.20.51?

Thanks!

Breakthrough

Jan 19, 2012, 7:29:42 PM

Thanks. That seemed to resolve the issue.



Dr. Stephen Henson wrote:
>
> On Thu, Jan 19, 2012, Breakthrough wrote:
>
>>
>> We start with openssl-SNAP-20120118, and follow the directions.
>>
>> ./config fipscanisteronly
>> make
>>
>
> Don't use that, use one of the *fips* snapshots instead.
>
> Steve.