Unable to build a working FIPS capable OpenSSL on HP-UX

unix gcc build openssl hp-ux
CristiFati picture CristiFati · Feb 27, 2016 · Viewed 22.6k times · Source

I am building openssl-1.0.2f with openssl-fips-2.0.12 (I am going to talk about this configuration in the following lines, but at the end of the post I'll specify all the configurations that I tried), on HP-UX11.31 (pa-risc2 ([HPE]: pa-risc1.1 pa-risc2.0)). Everything is good, but when I try using it (in FIPS mode), it doesn't work.

Note: Given the fact that cwd is set to the build folder (not the installation folder where RPATH points to), I need to instruct the linker where to search for libs (SHLIB_PATH):

[%__OPENSSL_MACHINE_PROMPT%]> OPENSSL_FIPS=1 SHLIB_PATH=./lib ./bin/openssl version -a
2063867464:error:2D06B071:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match segment aliasing:fips.c:224:

Note: Instead of displaying any path, I'm replacing it by a meaningful placeholder (name starting with __OPENSSL) surrounded by % signs (the equivalent of Win env vars - don't want to create confusion if any actual Ux env vars might be involved).

Here's the output of the "same" command without setting FIPS (OPENSSL_FIPS=1) mode:

[%__OPENSSL_MACHINE_PROMPT%]> SHLIB_PATH=./lib ./bin/openssl version -a
OpenSSL 1.0.2f-fips  28 Jan 2016
  built on: Fri Feb 26 09:53:34 2016
  platform: hpux-parisc2-gcc
  options:  bn(64,64) rc4(ptr,char) des(ptr,risc1,16,long) blowfish(idx)
  compiler: gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS  -DDSO_DL -fPIC -D_REENTRANT -march=2.0 -O3 -DB_ENDIAN -D_REENTRANT -I%__OPENSSL_BUILD_PATH%/include
  OPENSSLDIR: "%__OPENSSL_PREFIX_DIR%"

This occurs on all the machines I've tried running it (including the very machine I've built it on):

[%__OPENSSL_BUILD_MACHINE_PROMPT%]> uname -a
HP-UX hpux1131 B.11.31 U 9000/800 629887774 unlimited-user license

gcc version (native linker (ld_pa) used):

[%__OPENSSL_BUILD_MACHINE_PROMPT%]> gcc -v
  Using built-in specs.
  Target: hppa2.0w-hp-hpux11.31
  Configured with: ../gcc-4.2.4/configure --disable-shared --with-gnu-as --with-as=%__GCC_PREFIX_PATH%/bin/as --with-ld=/bin/ld --disable-nls --enable-threads=posix --prefix=%__GCC_PREFIX_PATH% --with-local-prefix=%__GCC_PREFIX_PATH%
  Thread model: posix
  gcc version 4.2.4`

  • Here's the openssl-fips-2.1.12 configurator's output:

    ./config no-asm
Operating system: 9000/800-hp-hpux1x
  Auto Configuring fipsonly
  Auto Configuring fipsonly
  Configuring for hpux-parisc2-gcc
  Auto Configuring fipsonly
  Configuring for hpux-parisc2-gcc
      no-asm          [option]   OPENSSL_NO_ASM
      no-bf           [option]   OPENSSL_NO_BF (skip dir)
      no-camellia     [option]   OPENSSL_NO_CAMELLIA (skip dir)
      no-cast         [option]   OPENSSL_NO_CAST (skip dir)
      no-ec_nistp_64_gcc_128 [default]  OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir)
      no-gmp          [default]  OPENSSL_NO_GMP (skip dir)
      no-idea         [option]   OPENSSL_NO_IDEA (skip dir)
      no-jpake        [experimental] OPENSSL_NO_JPAKE (skip dir)
      no-krb5         [krb5-flavor not specified] OPENSSL_NO_KRB5
      no-md2          [option]   OPENSSL_NO_MD2 (skip dir)
      no-md5          [option]   OPENSSL_NO_MD5 (skip dir)
      no-mdc2         [option]   OPENSSL_NO_MDC2 (skip dir)
      no-rc2          [option]   OPENSSL_NO_RC2 (skip dir)
      no-rc4          [option]   OPENSSL_NO_RC4 (skip dir)
      no-rc5          [option]   OPENSSL_NO_RC5 (skip dir)
      no-rfc3779      [default]  OPENSSL_NO_RFC3779 (skip dir)
      no-ripemd       [option]   OPENSSL_NO_RIPEMD (skip dir)
      no-seed         [option]   OPENSSL_NO_SEED (skip dir)
      no-srp          [forced]   OPENSSL_NO_SRP (skip dir)
      no-ssl2         [forced]   OPENSSL_NO_SSL2 (skip dir)
      no-ssl3         [forced]   OPENSSL_NO_SSL3 (skip dir)
      no-store        [experimental] OPENSSL_NO_STORE (skip dir)
      no-tls1         [forced]   OPENSSL_NO_TLS1 (skip dir)
      no-tlsext       [forced]   OPENSSL_NO_TLSEXT (skip dir)
      no-zlib         [default]
      no-zlib-dynamic [default]

  • And here's openssl-1.0.2f's:

    ./config fips shared --prefix=%__OPENSSL_PREFIX_DIR% no-rc5 no-mdc2 no-idea -fPIC no-asm --openssldir=%__OPENSSL_PREFIX_DIR%/openssl
Operating system: 9000/800-hp-hpux1x
  Configuring for hpux-parisc2-gcc
  Configuring for hpux-parisc2-gcc
      no-asm          [option]   OPENSSL_NO_ASM
      no-ec_nistp_64_gcc_128 [default]  OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir)
      no-gmp          [default]  OPENSSL_NO_GMP (skip dir)
      no-idea         [option]   OPENSSL_NO_IDEA (skip dir)
      no-jpake        [experimental] OPENSSL_NO_JPAKE (skip dir)
      no-krb5         [krb5-flavor not specified] OPENSSL_NO_KRB5
      no-libunbound   [experimental] OPENSSL_NO_LIBUNBOUND (skip dir)
      no-md2          [default]  OPENSSL_NO_MD2 (skip dir)
      no-mdc2         [option]   OPENSSL_NO_MDC2 (skip dir)
      no-rc5          [option]   OPENSSL_NO_RC5 (skip dir)
      no-rfc3779      [default]  OPENSSL_NO_RFC3779 (skip dir)
      no-rsax         [forced]   OPENSSL_NO_RSAX (skip dir)
      no-sctp         [default]  OPENSSL_NO_SCTP (skip dir)
      no-ssl-trace    [default]  OPENSSL_NO_SSL_TRACE (skip dir)
      no-store        [experimental] OPENSSL_NO_STORE (skip dir)
      no-unit-test    [default]  OPENSSL_NO_UNIT_TEST (skip dir)
      no-zlib         [default]
      no-zlib-dynamic [default]

Important note: I've stated the problem that I have using openssl-1.0.2f + openssl-fips-2.0.12 on HP-UX11.31 om PA-RISC2. What else I've tried:

  • openssl-1.0.1X (where X = [e..p]) + openssl-fips-2.0.5
  • HP-UX11.31 or HP-UX11.11 on PA-RISC2
  • no-asm configure flag specified/unspecified

Note: During debug, I've also modified fips_premain.c (and others), and (shocking :) ), the fingerprint produced by fips_premain_dso (compiled with -DFINGERPRINT_PREMAIN_DSO_LOAD) and the one computed at runtime don't match! I've also dumped the memory zone (in original or hex format) that the fingerprint is being computed on, and (of course) it differs (but so for I can't tell why).

Given the fact that it works (or it is supposed to work) - even if not being tested on pa-risc, but only on IA64 -, and extensive Google search didn't reveal anything truly relevant, I am 99.99 sure that it is related to the machine(s) in my environment.

However, can anyone give me some pointers?

@EDIT0: I mentioned that I reproduced the same problem on IA64; it was most likely a mistake. I recently (got a machine and) built it on HP-UX11.23 IA64 and it worked fine. The only problem is that cross architecture compatibility (build/run) is one way only: PA-RISC -> IA64.

Answer

Related questions

Merge multiple .so shared libraries

Say I have a.so and b.so. Can I produce c.so as a single shared library with all the functions exported by a and b, of course resolving all intra-dependencies (i.e. all functions of b.so called …

Read More
Linking two shared libraries with some of the same symbols

I link with two different shared libraries. Both libraries define some symbols that share a name but have different implementations. I can't make each library use its own implementation over the other. For example, both libraries define a global function …

Read More
What does "BUS_ADRALN - Invalid address alignment" error means?

We are on HPUX and my code is in C++. We are getting BUS_ADRALN - Invalid address alignment in our executable on a function call. What does this error means? Same function is working many times then suddenly its …

Read More