[openssl-dev] BUG - FIPS capable OpenSSL fails to build on Linux PPC64

Cristi Fati cristifati0 at gmail.com
Thu Jun 30 15:10:48 UTC 2016 

Thank you Marcus for the comments. Couple of notes:
- My archs are  Big Endian.
- I was aiming for openssl1.0.2(h) since this is the LTS version.

Short recap:
- *On (Linux running on) PPC64*, openssl 1.0.2h + openssl-fips-2.0.12, when
both are automatically configured (using *config*) *does not build*: error
when linking *libcrypto.so.1.0.0* (error described in my previous mail)
- This does *not* reproduce with older versions (tried with openssl 1.0.1p
+ openssl-fips-2.0.5), where everything works fine.
Details:
when autoconfiguring both products, *ppc64-whatever-linux2* is identified
by *config* and *Configure linux-ppc* is called. But in openssl-1.0.2(h),
some extra processing is performed by *config* for *ppc64-*-linux2* resulting
(at least for me) in adding *-m32* compiler option. So, openssl generates
32 bit code, but not openssl-fips that doesn't have this processing, and
naturally when the linker tries to add the objects together, it fails.
*The quick workaround* that did the trick for me was to call *./**Configure
linux-ppc* for openssl-1.0.2 and skip the extra processing done by *config*.

*However:*
Given the fact that *Configure*'s *linux-ppc* target generates 64bit code (*ELF
64-bit MSB*), I assume that *linux-ppc64 *does the same thing, I think that
the final solution should:
- since *config* is a client for *Configure*, I think the extra processing
done actually in (openssl-1.0.2h's) *config* should be ported to *Configure*,
so the same binaries are obtained configuring using whether *config*(which
calls *Configure linux-ppc*) or *Configure linux-ppc *directly.
- port the extra processing to openssl-fips as well, so both products when
auto configured, generate the same binaries type (linkable together).

Regards,
Cristi.


On Tue, Jun 21, 2016 at 2:37 PM, Marcus Meissner <meissner at suse.de> wrote:

> On Tue, Jun 21, 2016 at 12:39:35PM +0300, Cristi Fati wrote:
> > Hi all,
> >
> > I am trying to build a FIPS (2.0.12) capable OpenSSL (1.0.2h) on PPC64
> > Linux (tried RH5 and SLES12), but it fails.
>
> FWIW,
>
> The openssl packages on SLES 12 have received FIPS certificate for x86_64
> While we have not certified them on ppc64le, the same FIPS source code is
> inside.
>
> So the SLES12 ppc64le openssl 1.0.1i is FIPS capable.
>
> Ciao, Marcus
> --
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160630/df247ef6/attachment-0001.html>

More information about the openssl-dev mailing list