NOTES FOR THE HPE NONSTOP PLATFORM
==================================

Requirement details
-------------------

In addition to the requirements and instructions listed
in [INSTALL.md](INSTALL.md), the following are required as well:

 * The TNS/X platform supports hardware randomization.
   Specify the `--with-rand-seed=rdcpu` option to the `./Configure` script.
   This is recommended but not required. `egd` is supported at 3.0 but cannot
   be used if FIPS is selected.
 * The TNS/E platform does not support hardware randomization, so
   specify the `--with-rand-seed=egd` option to the `./Configure` script.

About c99 compiler
------------------

The c99 compiler is required for building OpenSSL from source. While c11
may work, it has not been broadly tested. c99 is the only compiler
prerequisite needed to build OpenSSL 3.0 on this platform. You should also
have the FLOSS package installed on your system. The ITUGLIB FLOSS package
is the only FLOSS variant that has been broadly tested.

Threading Models
----------------

OpenSSL can be built using unthreaded, POSIX User Threads (PUT), or Standard
POSIX Threads (SPT). Select the following build configuration for each on
the TNS/X (L-Series) platform:

 * `nonstop-nsx` or default will select an unthreaded build.
 * `nonstop-nsx_put` selects the PUT build.
 * `nonstop-nsx_64_put` selects the 64 bit file length PUT build.
 * `nonstop-nsx_spt_floss` selects the SPT build with FLOSS. FLOSS is
   required for SPT builds because of a known hang when using SPT on its own.

### TNS/E Considerations

The TNS/E platform is built using the same set of builds, specifying `nse`
instead of `nsx` in the set above.

You cannot build for TNS/E for FIPS, so you must specify the `no-fips`
option to `./Configure`.

Linking and Loading Considerations
----------------------------------

Because of how the NonStop Common Runtime Environment (CRE) works, there are
restrictions on how programs can link and load with OpenSSL libraries.
On current NonStop platforms, programs cannot both statically link OpenSSL
libraries and dynamically load OpenSSL shared libraries concurrently. If this
is done, there is a high probability of encountering a SIGSEGV condition
relating to `atexit()` processing when a shared library is unloaded and when
the program terminates. This limitation applies to all OpenSSL shared library
components.

A resolution to this situation is under investigation.

About Prefix and OpenSSLDir
---------------------------

Because there are many potential builds that must co-exist on any given
NonStop node, managing the location of your build distribution is crucial.
Keep each destination separate and distinct. Mixing any mode described in
this document can cause application instability. The recommended approach
is to specify the OpenSSL version and threading model in your configuration
options, and to keep your memory and float options consistent, for example:

 * For 1.1 `--prefix=/usr/local-ssl1.1 --openssldir=/usr/local-ssl1.1/ssl`
 * For 1.1 PUT `--prefix=/usr/local-ssl1.1_put --openssldir=/usr/local-ssl1.1_put/ssl`

As of 3.0, the NonStop configurations use the multilib attribute to distinguish
between different models:

 * For 3.0 `--prefix=/usr/local-ssl3.0 --openssldir=/usr/local-ssl3.0/ssl`

The PUT model is placed in `${prefix}/lib-put` for 32-bit models and
`${prefix}/lib64-put` for 64-bit models.

Use the `_RLD_LIB_PATH` environment variable in OSS to select the appropriate
directory containing `libcrypto.so` and `libssl.so`. In GUARDIAN, use the
`=_RLD_LIB_PATH` search define to locate the GUARDIAN subvolume where OpenSSL
is installed.

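One way to check, before starting an OSS application, that `_RLD_LIB_PATH` resolves `libcrypto.so` and `libssl.so` from the same build directory, so that models are not mixed. This is an added example, not code from the OpenSSL project; `check_rld_lib_path` is a hypothetical helper, and it assumes `_RLD_LIB_PATH` is a colon-separated directory list searched left to right.

```shell
#!/bin/sh
# Added example, not OpenSSL project code. check_rld_lib_path is a
# hypothetical helper. Assumption: _RLD_LIB_PATH is a colon-separated
# directory list searched left to right.
# Prints the directory that supplies both libraries; returns 1 when the two
# libraries would come from different builds or one of them is missing.
check_rld_lib_path() {
    crypto_dir="" ssl_dir=""
    old_ifs=$IFS; IFS=:
    for dir in $1; do
        [ -n "$dir" ] || continue
        # The first directory holding each library is the one that is loaded.
        [ -n "$crypto_dir" ] || [ ! -e "$dir/libcrypto.so" ] || crypto_dir=$dir
        [ -n "$ssl_dir" ]    || [ ! -e "$dir/libssl.so" ]    || ssl_dir=$dir
    done
    IFS=$old_ifs
    if [ -z "$crypto_dir" ] || [ -z "$ssl_dir" ]; then
        echo "ERROR: libcrypto.so or libssl.so not found on the path"
        return 1
    fi
    if [ "$crypto_dir" != "$ssl_dir" ]; then
        echo "ERROR: mixed builds: libcrypto.so from $crypto_dir, libssl.so from $ssl_dir"
        return 1
    fi
    echo "$crypto_dir"
}

# Check the current environment; an unset variable is reported as an error.
check_rld_lib_path "${_RLD_LIB_PATH:-}" || true
```
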
Float Considerations
--------------------

OpenSSL is built using IEEE Float mode by default. If you need a different
IEEE mode, create a new configuration specifying `tfloat-x86-64` (for Tandem
Float) or `nfloat-x86-64` (for Neutral Float).

Memory Models
-------------

The current OpenSSL default memory model uses the default platform address
model. If you need a different address model, you must specify the appropriate
c99 options for compile (`CFLAGS`) and linkers (`LDFLAGS`).

Cross Compiling on Windows
--------------------------

To configure and compile OpenSSL, you will need to set up a Cygwin environment.
The Cygwin tools should include bash, make, and any other normal tools required
for building programs.

Your `PATH` must include the bin directory for the c99 cross-compiler, as in:

    export PATH=/cygdrive/c/Program\ Files\ \(x86\)/HPE\ NonStop/L16.05/usr/bin:$PATH

This should be set before Configure is run. For the c99 cross-compiler to work
correctly, you also need the `COMP_ROOT` set, as in:

    export COMP_ROOT="C:\Program Files (x86)\HPE NonStop\L16.05"

`COMP_ROOT` needs to be in Windows form.

`Configure` must specify the `no-makedepend` option; otherwise, errors will
result when running the build because the c99 cross-compiler does not support
the `gcc -MT` option. An example of a `Configure` command to be run from the
OpenSSL directory is:

    ./Configure nonstop-nsx_64 no-makedepend --with-rand-seed=rdcpu

Do not forget to include any OpenSSL cross-compiling prefix and certificate
options when creating your libraries.

The OpenSSL test suite will not run on your workstation. In order to verify the
build, you will need to perform the build and test steps in OSS on your NonStop
server. You can also build under gcc and run the test suite for Windows, but that
is not equivalent.

**Note:** In the event that you are attempting a FIPS-compliant cross-compile,
be aware that signatures may not match between builds done under OSS and under
cross-compiles as the compilers do not necessarily generate identical objects.
Anything and everything to do with FIPS is outside the scope of this document.
Refer to the FIPS security policy for more information.

The following build configurations have been successfully attempted at one
point or another. If you are successful in your cross-compile efforts, please
update this list:

- nonstop-nsx_64
- nonstop-nsx_64_put

**Note:** Cross-compile builds for TNS/E have not been attempted, but should
follow the same considerations as for TNS/X above. SPT builds generally require
FLOSS, which is not available for workstation builds. As a result, SPT builds
of OpenSSL cannot be cross-compiled.

Also see the NSDEE discussion below for more historical information.

Cross Compiling with NSDEE
--------------------------

**Note:** None of these builds have been tested by the platform maintainer and
are supplied for historical value. Please submit a Pull Request to OpenSSL
should these need to be adjusted.

If you are attempting to build OpenSSL with NSDEE, you will need to specify
the following variables. The following set of compiler defines is required:

    # COMP_ROOT must be a full path for the build system (e.g. windows)
    COMP_ROOT=$(cygpath -w /path/to/comp_root)
    # CC must be executable by your shell
    CC=/path/to/c99

### Optional Build Variables

    DBGFLAG="--debug"
    CIPHENABLES="enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-rc4"

### Internal Known TNS/X to TNS/E Cross Compile Variables

The following definition is required if you are building on TNS/X for TNS/E
and have access to a TNS/E machine on your EXPAND network - with an example
node named `\CS3`:

    SYSTEMLIBS="-L/E/cs3/usr/local/lib"

Version Procedure (VPROC) Considerations
----------------------------------------

If you require a VPROC entry for platform version identification, use the
following variables:

### For Itanium

    OPENSSL_VPROC_PREFIX=T0085H06

### For x86

    OPENSSL_VPROC_PREFIX=T0085L01

### Common Definition

    export OPENSSL_VPROC=${OPENSSL_VPROC_PREFIX}_$(
        . VERSION.dat
        if [ -n "$PRE_RELEASE_TAG" ]; then
            PRE_RELEASE_TAG="-$PRE_RELEASE_TAG"
        fi
        if [ -n "$BUILD_METADATA" ]; then
            BUILD_METADATA="+$BUILD_METADATA"
        fi
        echo "$MAJOR.$MINOR.$PATCH$PRE_RELEASE_TAG$BUILD_METADATA" |\
            sed -e 's/[-.+]/_/g'
        )

Example Configure Targets
-------------------------

For OSS targets, the main DLL names will be `libssl.so` and `libcrypto.so`.
For GUARDIAN targets, DLL names will be `ssl` and `crypto`. The following
assumes that your PWD is set according to your installation standards.

    ./Configure nonstop-nsx           --prefix=${PWD} \
        --openssldir=${PWD}/ssl no-threads \
        --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
    ./Configure nonstop-nsx_g         --prefix=${PWD} \
        --openssldir=${PWD}/ssl no-threads \
        --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
    ./Configure nonstop-nsx_put       --prefix=${PWD} \
        --openssldir=${PWD}/ssl threads "-D_REENTRANT" \
        --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
    ./Configure nonstop-nsx_spt_floss --prefix=${PWD} \
        --openssldir=${PWD}/ssl threads "-D_REENTRANT" \
        --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
    ./Configure nonstop-nsx_64        --prefix=${PWD} \
        --openssldir=${PWD}/ssl no-threads \
        --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
    ./Configure nonstop-nsx_64_put    --prefix=${PWD} \
        --openssldir=${PWD}/ssl threads "-D_REENTRANT" \
        --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
    ./Configure nonstop-nsx_g_tandem  --prefix=${PWD} \
        --openssldir=${PWD}/ssl no-threads \
        --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}

    ./Configure nonstop-nse           --prefix=${PWD} \
        --openssldir=${PWD}/ssl no-threads \
        --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
    ./Configure nonstop-nse_g         --prefix=${PWD} \
        --openssldir=${PWD}/ssl no-threads \
        --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
    ./Configure nonstop-nse_put       --prefix=${PWD} \
        --openssldir=${PWD}/ssl threads "-D_REENTRANT" \
        --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
    ./Configure nonstop-nse_spt_floss --prefix=${PWD} \
        --openssldir=${PWD}/ssl threads "-D_REENTRANT" \
        --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
    ./Configure nonstop-nse_64        --prefix=${PWD} \
        --openssldir=${PWD}/ssl no-threads \
        --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
    ./Configure nonstop-nse_64_put    --prefix=${PWD} \
        --openssldir=${PWD}/ssl threads "-D_REENTRANT" \
        --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
    ./Configure nonstop-nse_g_tandem  --prefix=${PWD} \
        --openssldir=${PWD}/ssl no-threads \
        --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}

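A pre-flight check for a `./Configure` argument list, encoding the platform rules stated in the requirement, threading and TNS/E sections of these notes and reporting when the legacy options from `CIPHENABLES` are switched on. This is an added example, not code from the OpenSSL project; `lint_nonstop_configure` and its message texts are hypothetical.

```shell
#!/bin/sh
# Added example, not OpenSSL project code. lint_nonstop_configure is a
# hypothetical helper that checks ./Configure arguments against these notes.
# Prints one finding per line; returns 1 if any ERROR was found, else 0.
lint_nonstop_configure() {
    target="" seed="" fips="" nofips="" legacy="" rc=0
    for arg in "$@"; do
        case "$arg" in
            nonstop-*)          target=$arg ;;
            --with-rand-seed=*) seed=${arg#--with-rand-seed=} ;;
            enable-fips)        fips=yes ;;
            no-fips)            nofips=yes ;;
            enable-ssl3|enable-ssl3-method|enable-weak-ssl-ciphers|enable-rc4)
                                legacy="$legacy $arg" ;;
        esac
    done
    case "$target" in
        "") echo "ERROR: no nonstop-* target given"; return 1 ;;
        nonstop-nse*)
            # TNS/E: no hardware randomization and no FIPS builds.
            [ "$seed" = egd ] || { echo "ERROR: TNS/E needs --with-rand-seed=egd"; rc=1; }
            [ -z "$fips" ] || { echo "ERROR: FIPS cannot be built for TNS/E"; rc=1; }
            [ -n "$nofips" ] || echo "WARN: specify no-fips explicitly on TNS/E" ;;
        nonstop-nsx*)
            # TNS/X: rdcpu is recommended but not required.
            [ "$seed" = rdcpu ] || echo "WARN: TNS/X supports --with-rand-seed=rdcpu" ;;
    esac
    # egd cannot be used when FIPS is selected, on either platform.
    if [ "$seed" = egd ] && [ -n "$fips" ]; then
        echo "ERROR: egd seeding cannot be used with FIPS"; rc=1
    fi
    # SPT on its own has a known hang; only the FLOSS variant is usable.
    case "$target" in
        *_spt_floss*) ;;
        *_spt*) echo "ERROR: SPT builds require the _spt_floss target"; rc=1 ;;
    esac
    # The CIPHENABLES options turn on legacy protocols and ciphers.
    [ -z "$legacy" ] || echo "WARN: legacy protocol/cipher options enabled:$legacy"
    return $rc
}

# The Windows cross-compile command from these notes passes cleanly.
lint_nonstop_configure nonstop-nsx_64 no-makedepend --with-rand-seed=rdcpu \
    && echo "OK"
```

Pass the expanded argument list, for example `lint_nonstop_configure nonstop-nse_put ${CIPHENABLES} --with-rand-seed=egd no-fips`, so that options carried in build variables are checked as well.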