I am building openssl-1.0.2f with openssl-fips-2.0.12 (I am going to talk about this configuration in the following lines, but at the end of the post I'll specify all the configurations that I tried), on HP-UX11.31 (pa-risc2 ([HPE]: pa-risc1.1 pa-risc2.0)). Everything is good, but when I try using it (in FIPS mode), it doesn't work.
Note: Given the fact that cwd
is set to the build folder (not the installation folder where RPATH points to), I need to instruct the linker where to search for libs (SHLIB_PATH
):
[%__OPENSSL_MACHINE_PROMPT%]> OPENSSL_FIPS=1 SHLIB_PATH=./lib ./bin/openssl version -a
2063867464:error:2D06B071:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match segment aliasing:fips.c:224:
Note: Instead of displaying any path, I'm replacing it by a meaningful placeholder (name starting with __OPENSSL) surrounded by %
signs (the equivalent of Win env vars - don't want to create confusion if any actual Ux env vars might be involved).
Here's the output of the "same" command without setting FIPS (OPENSSL_FIPS=1
) mode:
[%__OPENSSL_MACHINE_PROMPT%]> SHLIB_PATH=./lib ./bin/openssl version -a
OpenSSL 1.0.2f-fips 28 Jan 2016
built on: Fri Feb 26 09:53:34 2016
platform: hpux-parisc2-gcc
options: bn(64,64) rc4(ptr,char) des(ptr,risc1,16,long) blowfish(idx)
compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -DDSO_DL -fPIC -D_REENTRANT -march=2.0 -O3 -DB_ENDIAN -D_REENTRANT -I%__OPENSSL_BUILD_PATH%/include
OPENSSLDIR: "%__OPENSSL_PREFIX_DIR%"
This occurs on all the machines I've tried running it (including the very machine I've built it on):
[%__OPENSSL_BUILD_MACHINE_PROMPT%]> uname -a
HP-UX hpux1131 B.11.31 U 9000/800 629887774 unlimited-user license
gcc version (native linker (ld_pa) used):
[%__OPENSSL_BUILD_MACHINE_PROMPT%]> gcc -v
Using built-in specs.
Target: hppa2.0w-hp-hpux11.31
Configured with: ../gcc-4.2.4/configure --disable-shared --with-gnu-as --with-as=%__GCC_PREFIX_PATH%/bin/as --with-ld=/bin/ld --disable-nls --enable-threads=posix --prefix=%__GCC_PREFIX_PATH% --with-local-prefix=%__GCC_PREFIX_PATH%
Thread model: posix
gcc version 4.2.4`
Important note:
I've stated the problem that I have using openssl-1.0.2f + openssl-fips-2.0.12 on HP-UX11.31 om PA-RISC2. What else I've tried:
- openssl-1.0.1X (where X = [e..p]) + openssl-fips-2.0.5
- HP-UX11.31 or HP-UX11.11 on PA-RISC2
- no-asm configure flag specified/unspecified
Note: During debug, I've also modified fips_premain.c (and others), and (shocking :) ), the fingerprint produced by fips_premain_dso (compiled with -DFINGERPRINT_PREMAIN_DSO_LOAD
) and the one computed at runtime don't match! I've also dumped the memory zone (in original or hex format) that the fingerprint is being computed on, and (of course) it differs (but so for I can't tell why).
Given the fact that it works (or it is supposed to work) - even if not being tested on pa-risc, but only on IA64 -, and extensive Google search didn't reveal anything truly relevant, I am 99.99 sure that it is related to the machine(s) in my environment.
However, can anyone give me some pointers?
@EDIT0: I mentioned that I reproduced the same problem on IA64; it was most likely a mistake. I recently (got a machine and) built it on HP-UX11.23 IA64 and it worked fine. The only problem is that cross architecture compatibility (build/run) is one way only: PA-RISC -> IA64.
See Question&Answers more detail:
os