Building FIPS 1.1.2 on SuSe 9 on S390: Unable to collect signature - Openssl

This is a discussion on Building FIPS 1.1.2 on SuSe 9 on S390: Unable to collect signature - Openssl ; Hi, We are trying to use FIPS in our product and have been successful for Windows, Linux (on x86) and on Solaris. We are also trying Linux on S390. Following the (very specific) instructions to build FIPS, we get an ...

+ Reply to Thread
Results 1 to 3 of 3

Thread: Building FIPS 1.1.2 on SuSe 9 on S390: Unable to collect signature

  1. Building FIPS 1.1.2 on SuSe 9 on S390: Unable to collect signature


    Hi,

    We are trying to use FIPS in our product and have been successful for
    Windows, Linux (on x86) and on Solaris. We are also trying Linux on S390.

    Following the (very specific) instructions to build FIPS, we get an error.
    First we execute 'config fips' (as required), no problem there, it
    configures for 'linux-s390'.
    But when we follow with the required 'make', all seems OK, but when the
    openssl executable is being linked through the 'fipsld' link-script, the
    following happens:

    make[1]: Entering directory
    `/mnt/vhibld/66/dev/atoem/openssl/Build-fips-product/openssl-fips-1.1.2/apps'
    rm -f openssl
    + ../fips-1.0/fipsld -o openssl -DMONOLITH -I.. -I../include
    -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_D
    FCN_H -DOPENSSL_NO_KRB5 -DB_ENDIAN -DTERMIO -DNO_ASM -O3
    -fomit-frame-pointer -Wall openssl.o verify.o asn1pars.o req.o
    dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o
    crl.o rsa.o rsautl.o dsa.o dsaparam.o x509.
    genrsa.o gendsa.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o
    s_socket.o app_rand.o version.o sess_id.o ciphe
    s.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o engine.o ocsp.o prime.o
    .../libssl.a ../libcrypto.a -ldl
    FIPS_text_start() returns NULL
    unable to collect signature
    make[1]: *** [openssl] Error 1
    make[1]: Leaving directory
    `/mnt/vhibld/66/dev/atoem/openssl/Build-fips-product/openssl-fips-1.1.2/apps'
    make: *** [sub_all] Error 1

    My question is, is this something we can get fixed ourselves, I doubt it, as
    changing anything will invalidate the FIPS validation. Or is this something
    that has not been 'done' by the FIPS development team.
    I'm afraid I have to convince my management that if it can't be done, why
    that is.
    I know Linux on S390 is not on the list of platforms that have been
    confirmed to work (and tested).
    If that's all there is to it, so be it, but I need to have that confirmed.

    I know there has been a similar question on this subject (FIPS 1.0 on RedHat
    on S390, back in 2006), but there was no reply, so I've given it another go.

    Any help would be much appreciated.

    Thanks,

    Arie Plugge
    Configuration / Release Engineer
    Attachmate
    --
    View this message in context: http://www.nabble.com/Building-FIPS-...p17315175.html
    Sent from the OpenSSL - Dev mailing list archive at Nabble.com.

    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    Development Mailing List openssl-dev@openssl.org
    Automated List Manager majordomo@openssl.org

  2. Re: Building FIPS 1.1.2 on SuSe 9 on S390: Unable to collect signature

    > My question is, is this something we can get fixed ourselves, I doubt it, as
    > changing anything will invalidate the FIPS validation. Or is this something
    > that has not been 'done' by the FIPS development team.
    > I'm afraid I have to convince my management that if it can't be done, why
    > that is.
    > I know Linux on S390 is not on the list of platforms that have been
    > confirmed to work (and tested).
    > If that's all there is to it, so be it, but I need to have that confirmed.

    If you take a look at fips_canister.c, specifically
    instruction_pointer() and FIPS_ref_point() you'll see there is no
    S390 support. Obviously modifying that code would invalidate the
    FIPS module.

    I'd suggest if you need fips support, grab the 0.9.8 fips branch
    and see if that works, if it doesn't, submit a patch that properly
    implements S390 support. It won't make it into the current validation
    which is on-going for 0.9.8, but would make it into the next and my
    uneducated guess would say it'll take at least 18 months.

    -Brad
    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    Development Mailing List openssl-dev@openssl.org
    Automated List Manager majordomo@openssl.org

  3. Re: Building FIPS 1.1.2 on SuSe 9 on S390: Unable to collectsignature

    On Wed, May 21, 2008, Brad House wrote:

    > I'd suggest if you need fips support, grab the 0.9.8 fips branch
    > and see if that works, if it doesn't, submit a patch that properly
    > implements S390 support. It won't make it into the current validation
    > which is on-going for 0.9.8, but would make it into the next and my
    > uneducated guess would say it'll take at least 18 months.
    >

    The version being validated is at:

    ftp://ftp.openssl.org/snapshot/opens...t-1.2.0.tar.gz

    So that would be the one to try.

    Steve.
    --
    Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
    OpenSSL project core developer and freelance consultant.
    Homepage: http://www.drh-consultancy.demon.co.uk
    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    Development Mailing List openssl-dev@openssl.org
    Automated List Manager majordomo@openssl.org

+ Reply to Thread
« segfault on ssl_test with padlock engine | [PATCH] genrsa with ENGINE »