
How to build a FIPS-capable OpenSSL on Ubuntu Linux from the latest snapshots?


Bill Durant

Nov 1, 2011, 5:54:29 PM
Hello,

What is the procedure for building a FIPS-capable OpenSSL snapshot on Ubuntu 8.04.4 LTS from the following snapshots:

ftp://ftp.openssl.org/snapshot/openssl-1.0.1-stable-SNAP-20111031.tar.gz

ftp://ftp.openssl.org/snapshot/openssl-fips-2.0-test-20111031.tar.gz

When I try to build it, I get the following compilation error:

======
In file included from hm_pmeth.c:64:
../evp/evp_locl.h:359:1: error: "SHA1_Init" redefined
In file included from /tmp/foo/include/openssl/crypto.h:151,
from ../cryptlib.h:72,
from hm_pmeth.c:59:
/tmp/foo/include/openssl/fipssyms.h:456:1: error: this is the location of the previous definition
======

Here are the build details:

$ uname -a
Linux harpo 2.6.24-29-generic #1 SMP Wed Aug 10 16:34:32 UTC 2011 i686 GNU/Linux

$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04.4 LTS"

$ export FIPSDIR=/tmp/foo

$ cd openssl-fips-2.0-test-20111031

$ ./config fipscanisterbuild no-asm
...
...
Configured for linux-elf.

$ make
...
...
./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1
ar r ../libcrypto.a fipscanister.o
ar: creating ../libcrypto.a
/usr/bin/ranlib ../libcrypto.a || echo Never mind.
if [ "y" = "n" -a -n "fipscanister.o" ]; then ar r ../libcrypto.a fipscanister.o; fi
make[2]: Leaving directory `/home/bdurant/svn/trunk/Crypto/Linux/openssl-fips-2.0-test-20111031/fips'
make[1]: Leaving directory `/home/bdurant/svn/trunk/Crypto/Linux/openssl-fips-2.0-test-20111031/fips'

$ make install
...
...
installing fipsld
installing fips_standalone_sha1
cp -p -f fipscanister.o fipscanister.o.sha1 \
fips_premain.c fips_premain.c.sha1 \
/tmp/foo/lib/; \
chmod 0444 /tmp/foo/lib/fips*
make[1]: Leaving directory `/home/bdurant/svn/trunk/Crypto/Linux/openssl-fips-2.0-test-20111031/fips'
making install in test...
make[1]: Entering directory `/home/bdurant/svn/trunk/Crypto/Linux/openssl-fips-2.0-test-20111031/test'
make[1]: Nothing to be done for `install'.
make[1]: Leaving directory `/home/bdurant/svn/trunk/Crypto/Linux/openssl-fips-2.0-test-20111031/test'

$ cd ../openssl-1.0.1-stable-SNAP-20111031/

$ echo $FIPSDIR
/tmp/foo

$ ./config fips --prefix=$FIPSDIR no-idea no-mdc2 no-rc5 no-asm
...
...
Since you've disabled or enabled at least one algorithm, you need to do
the following before building:

make depend

Configured for linux-elf.

$ make depend
making depend in crypto...
make[1]: Entering directory `/home/bdurant/svn/trunk/Crypto/Linux/openssl-1.0.1-stable-SNAP-20111031/crypto'
making depend in crypto/objects...
make[2]: Entering directory `/home/bdurant/svn/trunk/Crypto/Linux/openssl-1.0.1-stable-SNAP-20111031/crypto/objects'
../../util/domd ../.. -MD gcc -- -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -I/tmp/foo/include -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_IDEA -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_RSAX -DOPENSSL_NO_STORE -- o_names.c obj_dat.c obj_lib.c obj_err.c obj_xref.c
...
...
make[2]: Entering directory `/home/bdurant/svn/trunk/Crypto/Linux/openssl-1.0.1-stable-SNAP-20111031/crypto/hmac'
../../util/domd ../.. -MD gcc -- -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -I/tmp/foo/include -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_IDEA -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_RSAX -DOPENSSL_NO_STORE -- hmac.c hm_ameth.c hm_pmeth.c
In file included from hm_pmeth.c:64:
../evp/evp_locl.h:359:1: error: "SHA1_Init" redefined
In file included from /tmp/foo/include/openssl/crypto.h:151,
from ../cryptlib.h:72,
from hm_pmeth.c:59:
/tmp/foo/include/openssl/fipssyms.h:456:1: error: this is the location of the previous definition

Any ideas,

Bill

Dr. Stephen Henson

Nov 1, 2011, 7:23:47 PM
On Tue, Nov 01, 2011, Bill Durant wrote:

> Hello,
>
> What is the procedure for building a FIPS-capable OpenSSL snapshot on Ubuntu 8.04.4 LTS from the following snapshots:
>


> ftp://ftp.openssl.org/snapshot/openssl-1.0.1-stable-SNAP-20111031.tar.gz
>
> ftp://ftp.openssl.org/snapshot/openssl-fips-2.0-test-20111031.tar.gz
>
> When I try to build it, I get the following compilation error:
>
> ======
> In file included from hm_pmeth.c:64:
> ../evp/evp_locl.h:359:1: error: "SHA1_Init" redefined
> In file included from /tmp/foo/include/openssl/crypto.h:151,
> from ../cryptlib.h:72,
> from hm_pmeth.c:59:
> /tmp/foo/include/openssl/fipssyms.h:456:1: error: this is the location of the previous definition
> ======
>
> $ ./config fipscanisterbuild no-asm
> ...
> ...
> Configured for linux-elf.
>

Avoid no-asm: currently no one wants a C only platform so it won't be a
supported platform. It will be *much* slower.

>
> $ ./config fips --prefix=$FIPSDIR no-idea no-mdc2 no-rc5 no-asm
> ...
> ...
> Since you've disabled or enabled at least one algorithm, you need to do
> the following before building:
>
> make depend
>

Don't do "make depend": it gets a bit confused. Just doing "make" should work
fine.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Bill Durant

Nov 1, 2011, 7:34:19 PM
On Nov 1, 2011, at 4:23 PM, Dr. Stephen Henson wrote:
> On Tue, Nov 01, 2011, Bill Durant wrote:
>
>> Hello,
>>
>> What is the procedure for building a FIPS-capable OpenSSL snapshot on Ubuntu 8.04.4 LTS from the following snapshots:
>>
>
>
>> ftp://ftp.openssl.org/snapshot/openssl-1.0.1-stable-SNAP-20111031.tar.gz
>>
>> ftp://ftp.openssl.org/snapshot/openssl-fips-2.0-test-20111031.tar.gz
>>
>> When I try to build it, I get the following compilation error:
>>
>> ======
>> In file included from hm_pmeth.c:64:
>> ../evp/evp_locl.h:359:1: error: "SHA1_Init" redefined
>> In file included from /tmp/foo/include/openssl/crypto.h:151,
>> from ../cryptlib.h:72,
>> from hm_pmeth.c:59:
>> /tmp/foo/include/openssl/fipssyms.h:456:1: error: this is the location of the previous definition
>> ======
>>
>> $ ./config fipscanisterbuild no-asm
>> ...
>> ...
>> Configured for linux-elf.
>>
>
> Avoid no-asm: currently no one wants a C only platform so it won't be a
> supported platform. It will be *much* slower.


OK


>
>>
>> $ ./config fips --prefix=$FIPSDIR no-idea no-mdc2 no-rc5 no-asm
>> ...
>> ...
>> Since you've disabled or enabled at least one algorithm, you need to do
>> the following before building:
>>
>> make depend
>>
>
> Don't do "make depend": it gets a bit confused. Just doing "make" should work
> fine.
>
> Steve.


When I skip doing 'make depend' and just do 'make' I get the following compilation error:

gcc -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -I/tmp/foo/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM -c -o e_bf.o e_bf.c
make[2]: *** No rule to make target `../../include/openssl/idea.h', needed by `e_idea.o'. Stop.
make[2]: Leaving directory `/home/bdurant/svn/trunk/Crypto/Linux/openssl-1.0.1-stable-SNAP-20111031/crypto/evp'
make[1]: *** [subdirs] Error 1
make[1]: Leaving directory `/home/bdurant/svn/trunk/Crypto/Linux/openssl-1.0.1-stable-SNAP-20111031/crypto'
make: *** [build_crypto] Error 1

What else am I missing?

Thanks,

Bill

Bill Durant

Nov 2, 2011, 1:24:37 AM
I hacked my way thru this compilation error with the following:

$ cd openssl-1.0.1-stable-SNAP-20111031
$ ./config fips --prefix=/tmp/foo no-idea no-mdc2 no-rc5 shared
$ cp crypto/mdc2/*.h include/openssl
$ cp crypto/idea/*.h include/openssl
$ make

Let me know if there is something wrong with doing that.

Jack D. Pond

Nov 2, 2011, 8:36:41 AM
Bill,

This may help - I just did the same using latest Ubuntu Release


Jack D. Pond

"It's not hard to meet expenses, they're everywhere."

----------


sudo apt-get install build-essential # if you haven't already
wget http://www.openssl.org/source/openssl-fips-1.2.3.tar.gz.sha1
wget http://www.openssl.org/source/openssl-fips-1.2.3.tar.gz
sha1sum openssl-fips-1.2.3.tar.gz
cat openssl-fips-1.2.3.tar.gz.sha1
env OPENSSL_FIPS=1 openssl sha1 -hmac etaonrishdlcupfm openssl-fips-1.2.3.tar.gz
# Correct result can be found in Appendix B of User Guide
tar -zxvf openssl-fips-1.2.3.tar.gz
cd openssl-fips-1.2.3

# Make the canister
./config fipscanisterbuild
make
sudo make install


sudo vim /usr/local/ssl/fips-1.0/openssl.cnf # make fips-mode=yes
#
./config fips --with-fipslibdir="/usr/local/ssl/fips-1.0/lib"
make
sudo make install

sudo vim /etc/ld.so.conf.d/FIPS.conf
# add the following line (or whatever was specified in the build command as
# "OpenSSL shared libraries have been installed in:"):
# /usr/local/ssl/fips-1.0
# Then activate the link library:
sudo ldconfig
# Create a symbolic link in the executables:

# Change AppArmor
sudo vim /etc/apparmor.d/abstractions/openssl
# add this line
/usr/local/ssl/fips-1.0/openssl.cnf r,
#

sudo mv /usr/bin/openssl /usr/bin/openssl.save
sudo ln -s /usr/local/ssl/fips-1.0/bin/openssl /usr/bin/openssl
# Test
openssl version









-----------------
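
The procedure above compares the `sha1sum` output with the published `.sha1` file by eye. As an added example (not part of the original thread or of the OpenSSL project), the same check can be scripted so that it fails closed; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: fail-closed check of a downloaded tarball against its
# published .sha1 file, replacing the by-eye sha1sum/cat comparison.

# Print the 40-hex-digit SHA-1 found in a digest file. Accepts a bare digest,
# "digest  filename" (sha1sum style) and "SHA1(filename)= digest" (openssl style).
# -w rejects longer hex strings, so a SHA-256 value is never truncated to fit.
published_sha1() {
    tr 'A-F' 'a-f' < "$1" | grep -Eow '[0-9a-f]{40}' | head -n 1
}

# Return 0 on match, 1 on mismatch, 2 when either input is unusable.
verify_sha1() {
    tarball=$1; digest_file=$2
    [ -r "$tarball" ] || { echo "cannot read $tarball" >&2; return 2; }
    want=$(published_sha1 "$digest_file")
    [ -n "$want" ] || { echo "no SHA-1 digest in $digest_file" >&2; return 2; }
    got=$(sha1sum "$tarball" | cut -d ' ' -f 1)
    if [ "$got" = "$want" ]; then
        echo "OK: $tarball"
        return 0
    fi
    echo "MISMATCH: $tarball (got $got, want $want)" >&2
    return 1
}

# Constructed demo: a stand-in "tarball" with its digest file, then the same
# file after one byte has been appended.
demo() {
    d=$(mktemp -d) || return 2
    printf 'constructed sample payload\n' > "$d/sample.tar.gz"
    ( cd "$d" && sha1sum sample.tar.gz > sample.tar.gz.sha1 )
    verify_sha1 "$d/sample.tar.gz" "$d/sample.tar.gz.sha1" && r1=0 || r1=$?
    printf 'x' >> "$d/sample.tar.gz"
    verify_sha1 "$d/sample.tar.gz" "$d/sample.tar.gz.sha1" 2>/dev/null && r2=0 || r2=$?
    rm -rf "$d"
    echo "intact=$r1 tampered=$r2"
}
demo
```

A matching digest only shows that the download agrees with the `.sha1` file; when both are fetched from the same server over plain HTTP, it does not authenticate the source.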