Jack,

On the first compilation step of fips-1.2.3, using the latest build-essential (that should be apt-get install build-essential), I get the following errors:

md5-x86_64.s: Assembler messages:
md5-x86_64.s:41: Error: 0xd76aa478 out range of signed 32bit displacement
md5-x86_64.s:50: Error: 0xe8c7b756 out range of signed 32bit displacement
md5-x86_64.s:68: Error: 0xc1bdceee out range of signed 32bit displacement
md5-x86_64.s:77: Error: 0xf57c0faf out range of signed 32bit displacement
md5-x86_64.s:95: Error: 0xa8304613 out range of signed 32bit displacement
md5-x86_64.s:104: Error: 0xfd469501 out range of signed 32bit displacement
md5-x86_64.s:122: Error: 0x8b44f7af out range of signed 32bit displacement
md5-x86_64.s:131: Error: 0xffff5bb1 out range of signed 32bit displacement
md5-x86_64.s:140: Error: 0x895cd7be out range of signed 32bit displacement
md5-x86_64.s:158: Error: 0xfd987193 out range of signed 32bit displacement
md5-x86_64.s:167: Error: 0xa679438e out range of signed 32bit displacement
md5-x86_64.s:187: Error: 0xf61e2562 out range of signed 32bit displacement
md5-x86_64.s:196: Error: 0xc040b340 out range of signed 32bit displacement
md5-x86_64.s:214: Error: 0xe9b6c7aa out range of signed 32bit displacement
md5-x86_64.s:223: Error: 0xd62f105d out range of signed 32bit displacement
md5-x86_64.s:241: Error: 0xd8a1e681 out range of signed 32bit displacement
md5-x86_64.s:250: Error: 0xe7d3fbc8 out range of signed 32bit displacement
md5-x86_64.s:268: Error: 0xc33707d6 out range of signed 32bit displacement
md5-x86_64.s:277: Error: 0xf4d50d87 out range of signed 32bit displacement
md5-x86_64.s:295: Error: 0xa9e3e905 out range of signed 32bit displacement
md5-x86_64.s:304: Error: 0xfcefa3f8 out range of signed 32bit displacement
md5-x86_64.s:322: Error: 0x8d2a4c8a out range of signed 32bit displacement
md5-x86_64.s:332: Error: 0xfffa3942 out range of signed 32bit displacement
md5-x86_64.s:340: Error: 0x8771f681 out range of signed 32bit displacement
md5-x86_64.s:356: Error: 0xfde5380c out range of signed 32bit displacement
md5-x86_64.s:364: Error: 0xa4beea44 out range of signed 32bit displacement
md5-x86_64.s:380: Error: 0xf6bb4b60 out range of signed 32bit displacement
md5-x86_64.s:388: Error: 0xbebfbc70 out range of signed 32bit displacement
md5-x86_64.s:404: Error: 0xeaa127fa out range of signed 32bit displacement
md5-x86_64.s:412: Error: 0xd4ef3085 out range of signed 32bit displacement
md5-x86_64.s:428: Error: 0xd9d4d039 out range of signed 32bit displacement
md5-x86_64.s:436: Error: 0xe6db99e5 out range of signed 32bit displacement
md5-x86_64.s:452: Error: 0xc4ac5665 out range of signed 32bit displacement
md5-x86_64.s:463: Error: 0xf4292244 out range of signed 32bit displacement
md5-x86_64.s:481: Error: 0xab9423a7 out range of signed 32bit displacement
md5-x86_64.s:490: Error: 0xfc93a039 out range of signed 32bit displacement
md5-x86_64.s:508: Error: 0x8f0ccc92 out range of signed 32bit displacement
md5-x86_64.s:517: Error: 0xffeff47d out range of signed 32bit displacement
md5-x86_64.s:526: Error: 0x85845dd1 out range of signed 32bit displacement
md5-x86_64.s:544: Error: 0xfe2ce6e0 out range of signed 32bit displacement
md5-x86_64.s:553: Error: 0xa3014314 out range of signed 32bit displacement
md5-x86_64.s:571: Error: 0xf7537e82 out range of signed 32bit displacement
md5-x86_64.s:580: Error: 0xbd3af235 out range of signed 32bit displacement
md5-x86_64.s:598: Error: 0xeb86d391 out range of signed 32bit displacement
make[2]: *** [md5-x86_64.o] Error 1

This appears to be an issue between the fips-1.2.3 source and the version of binutils (2.20.51) which are incompatible as-is. I've been unable to find a combination (from openssl.org) of a stable source set compatible with any fips validated source that can bypass this error.

jdpond wrote:
>
> Bill,
>
> This may help - I just did the same using latest Ubuntu Release
>
>
> Jack D. Pond
>
> "It's not hard to meet expenses, they're everywhere."
>
> ----------
>
>
> sudo apt-get build-essential # if you haven't already
> wget http://www.openssl.org/source/openssl-fips-1.2.3.tar.gz.sha1
> wget http://www.openssl.org/source/openssl-fips-1.2.3.tar.gz
> sha1sum openssl-fips-1.2.3.tar.gz
> cat openssl-fips-1.2.3.tar.gz.sha1
> env OPENSSL_FIPS=1 openssl sha1 -hmac etaonrishdlcupfm openssl-fips-1.2.3.tar.gz
> echo # Correct result can be found in Appendix B of User Guide
> tar -zxvf openssl-fips-1.2.3.tar.gz
> cd openssl-fips-1.2.3
>
> # Make the canister
> ./config fipscanisterbuild
> make
> sudo make install
>
>
> sudo vim /usr/local/ssl/fips-1.0/openssl.cnf # make fips-mode=yes
> #
> ./config fips --with-fipslibdir="/usr/local/ssl/fips-1.0/lib"
> make
> sudo make install
>
> sudo vim /etc/ld.so.conf.d/FIPS.conf
> # add the following line (or whatever was specified in the build command as
> OpenSSL shared libraries have been installed in:
> /usr/local/ssl/fips-1.0
> # Then activate the link library:
> sudo ldconfig
> # Create a symbolic link in the executables:
>
> # Change AppArmor
> sudo vim /etc/apparmor.d/abstractions/openssl
> # add this line
> /usr/local/ssl/fips-1.0/openssl.cnf r,
> #
>
> sudo mv /usr/bin/openssl /usr/bin/openssl.save
> sudo ln -s /usr/local/ssl/fips-1.0/bin/openssl /usr/bin/openssl
> # Test
> openssl version
>
>
> -----------------
>> -----Original Message-----
>> From: owner-openssl-us...@openssl.org
>> [mailto:owner-openssl-us...@openssl.org]
>> On Behalf Of Bill Durant
>> Sent: Wednesday, November 02, 2011 1:25 AM
>> To: openssl-users@openssl.org
>> Cc: Bill Durant
>> Subject: Re: How to build a FIPS-capable OpenSSL on Ubuntu Linux from the latest snapshots?
>>
>> On Nov 1, 2011, at 4:34 PM, Bill Durant wrote:
>> > On Nov 1, 2011, at 4:23 PM, Dr. Stephen Henson wrote:
>> >> On Tue, Nov 01, 2011, Bill Durant wrote:
>> >>
>> >>> Hello,
>> >>>
>> >>> What is the procedure for building a FIPS-capable OpenSSL snapshot on Ubuntu 8.04.4 LTS from the following snapshots:
>> >>>
>> >>> ftp://ftp.openssl.org/snapshot/openssl-1.0.1-stable-SNAP-20111031.tar.gz
>> >>>
>> >>> ftp://ftp.openssl.org/snapshot/openssl-fips-2.0-test-20111031.tar.gz
>> >>>
>> >>> When I try to build it, I get the following compilation error:
>> >>>
>> >>> ======
>> >>> In file included from hm_pmeth.c:64:
>> >>> ../evp/evp_locl.h:359:1: error: "SHA1_Init" redefined
>> >>> In file included from /tmp/foo/include/openssl/crypto.h:151,
>> >>>                  from ../cryptlib.h:72,
>> >>>                  from hm_pmeth.c:59:
>> >>> /tmp/foo/include/openssl/fipssyms.h:456:1: error: this is the location of the previous definition
>> >>> ======
>> >>>
>> >>> $ ./config fipscanisterbuild no-asm
>> >>> ...
>> >>> ...
>> >>> Configured for linux-elf.
>> >>>
>> >>
>> >> Avoid no-asm: currently no one wants a C only platform so it won't be
>> >> a supported platform. It will be *much* slower.
>> >
>> >
>> > OK
>> >
>> >
>> >>
>> >>>
>> >>> $ ./config fips --prefix=$FIPSDIR no-idea no-mdc2 no-rc5 no-asm
>> >>> ...
>> >>> ...
>> >>> Since you've disabled or enabled at least one algorithm, you need to
>> >>> do the following before building:
>> >>>
>> >>> make depend
>> >>>
>> >>
>> >> Don't do "make depend" it gets a bit confused. Just doing "make"
>> >> should work fine.
>> >>
>> >> Steve.
>> >
>> >
>> > When I skip doing 'make depend' and just do 'make' I get the following compilation error:
>> >
>> > gcc -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -I/tmp/foo/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM -c -o e_bf.o e_bf.c
>> > make[2]: *** No rule to make target `../../include/openssl/idea.h', needed by `e_idea.o'.  Stop.
>> > make[2]: Leaving directory `/home/bdurant/svn/trunk/Crypto/Linux/openssl-1.0.1-stable-SNAP-20111031/crypto/evp'
>> > make[1]: *** [subdirs] Error 1
>> > make[1]: Leaving directory `/home/bdurant/svn/trunk/Crypto/Linux/openssl-1.0.1-stable-SNAP-20111031/crypto'
>> > make: *** [build_crypto] Error 1
>> >
>> > What else am I missing?
>> >
>> > Thanks,
>> >
>> > Bill
>>
>>
>> I hacked my way thru this compilation error with the following:
>>
>> $ cd openssl-1.0.1-stable-SNAP-20111031
>> $ ./config fips --prefix=/tmp/foo no-idea no-mdc2 no-rc5 shared
>> $ cp crypto/mdc2/*.h include/openssl
>> $ cp crypto/idea/*.h include/openssl
>> $ make
>>
>> Let me know if there is something wrong with doing that.
>>
>> Bill
>>
>> >
>> >
>> >> --
>> >> Dr Stephen N. Henson. OpenSSL project core developer.
>> >> Commercial tech support now available see: http://www.openssl.org
>> >> ______________________________________________________________________
>> >> OpenSSL Project                                 http://www.openssl.org
>> >> User Support Mailing List                    openssl-users@openssl.org
>> >> Automated List Manager                           majord...@openssl.org

--
View this message in context: http://old.nabble.com/How-to-build-a-FIPS-capable-OpenSSL-on-Ubuntu-Linux-from-the-latest-snapshots--tp32762047p33164856.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
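
Added example, not part of the thread and not the OpenSSL project's own script: the quoted procedure prints the tarball's SHA-1, the published .sha1 file and the HMAC-SHA1 for comparison by eye, and this sketch makes the build stop on a mismatch instead. The .sha1 file layout (digest as the first field) is an assumption, and the expected HMAC is a placeholder because the User Guide value is not on this page.

```shell
#!/bin/sh
# Added example, not from the thread. File names and the HMAC key in the
# usage comment are the procedure's; EXPECTED_HMAC is a placeholder.

# hex_digest FILE [KEY]: SHA-1 of FILE, or HMAC-SHA1 when KEY is given.
hex_digest() {
    if [ $# -ge 2 ]; then
        openssl dgst -sha1 -hmac "$2" "$1"
    else
        openssl dgst -sha1 "$1"
    fi | sed 's/^.*= *//' | tr 'A-F' 'a-f'
}

# first_hex FILE: first field of the first line, lower-cased.
# Assumes the .sha1 file starts with the digest, bare or "digest  name".
first_hex() {
    awk 'NR == 1 { print tolower($1) }' "$1"
}

# verify_tarball TARBALL SHA1FILE KEY EXPECTED_HMAC
# Returns 0 only when both digests match, 1 on mismatch, 2 on bad input.
verify_tarball() {
    tarball=$1; sha1file=$2; key=$3
    want_hmac=$(printf '%s' "$4" | tr 'A-F' 'a-f')
    if [ ! -r "$tarball" ] || [ ! -r "$sha1file" ] || [ -z "$want_hmac" ]; then
        echo "verify_tarball: unreadable input or empty expected HMAC" >&2
        return 2
    fi
    want_sha1=$(first_hex "$sha1file")
    got_sha1=$(hex_digest "$tarball")
    if [ -z "$want_sha1" ] || [ "$got_sha1" != "$want_sha1" ]; then
        echo "SHA-1 mismatch: got $got_sha1, expected $want_sha1" >&2
        return 1
    fi
    got_hmac=$(hex_digest "$tarball" "$key")
    if [ "$got_hmac" != "$want_hmac" ]; then
        echo "HMAC-SHA1 mismatch: got $got_hmac" >&2
        return 1
    fi
    echo "verified: $tarball"
}

# Usage with the names from the procedure:
#   verify_tarball openssl-fips-1.2.3.tar.gz openssl-fips-1.2.3.tar.gz.sha1 \
#       etaonrishdlcupfm "$EXPECTED_HMAC" && tar -zxf openssl-fips-1.2.3.tar.gz
```

The .sha1 file is fetched from the same server as the tarball, so that comparison only catches a corrupted download. The HMAC comparison is only as trustworthy as the channel the expected value arrived through.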