1 | NOTES FOR THE HPE NONSTOP PLATFORM
|
---|
2 | ==============================
|
---|
3 |
|
---|
4 | Requirement details
|
---|
5 | -------------------
|
---|
6 |
|
---|
7 | In addition to the requirements and instructions listed
|
---|
8 | in [INSTALL.md](INSTALL.md), the following are required as well:
|
---|
9 |
|
---|
10 | * The TNS/X platform supports hardware randomization.
|
---|
11 | Specify the `--with-rand-seed=rdcpu` option to the `./Configure` script.
|
---|
12 | This is recommended but not required. `egd` is supported at 3.0 but cannot
|
---|
13 | be used if FIPS is selected.
|
---|
14 | * The TNS/E platform does not support hardware randomization, so
|
---|
15 | specify the `--with-rand-seed=egd` option to the `./Configure` script.
|
---|
16 |
|
---|
17 | About c99 compiler
|
---|
18 | ------------------
|
---|
19 |
|
---|
20 | The c99 compiler is required for building OpenSSL from source. While c11
|
---|
21 | may work, it has not been broadly tested. c99 is the only compiler
|
---|
22 | prerequisite needed to build OpenSSL 3.0 on this platform.
|
---|
23 |
|
---|
24 | Threading Models
|
---|
25 | ----------------
|
---|
26 |
|
---|
27 | OpenSSL can be built either using the POSIX User Threads (PUT) threading model,
|
---|
28 | or with threading support disabled. Select the following build configuration
|
---|
29 | for each on the TNS/X (L-Series) platform:
|
---|
30 |
|
---|
31 | * `nonstop-nsx` or default will select an unthreaded 32-bit build.
|
---|
32 | * `nonstop-nsx_64` selects an unthreaded 64-bit memory and file length build.
|
---|
33 | * `nonstop-nsx_put` selects the PUT build.
|
---|
34 | * `nonstop-nsx_64_put` selects the 64-bit memory and file length PUT build.
|
---|
35 |
|
---|
36 | The SPT threading model is no longer supported as of OpenSSL 3.2.
|
---|
37 |
|
---|
38 | The PUT model is incompatible with the QUIC capability. This capability should
|
---|
39 | be disabled when building with PUT.
|
---|
40 |
|
---|
41 | ### TNS/E Considerations
|
---|
42 |
|
---|
43 | The TNS/E platform is build using the same set of builds specifying `nse`
|
---|
44 | instead of `nsx` in the set above.
|
---|
45 |
|
---|
46 | You cannot build for TNS/E for FIPS, so you must specify the `no-fips`
|
---|
47 | option to `./Configure`.
|
---|
48 |
|
---|
49 | Linking and Loading Considerations
|
---|
50 | ----------------------------------
|
---|
51 |
|
---|
52 | Because of how the NonStop Common Runtime Environment (CRE) works, there are
|
---|
53 | restrictions on how programs can link and load with OpenSSL libraries.
|
---|
54 | On current NonStop platforms, programs cannot both statically link OpenSSL
|
---|
55 | libraries and dynamically load OpenSSL shared libraries concurrently. If this
|
---|
56 | is done, there is a high probability of encountering a SIGSEGV condition
|
---|
57 | relating to `atexit()` processing when a shared library is unloaded and when
|
---|
58 | the program terminates. This limitation applies to all OpenSSL shared library
|
---|
59 | components.
|
---|
60 |
|
---|
61 | A control has been added as of 3.3.x to disable calls to `atexit()` within the
|
---|
62 | `libcrypto` builds (specifically in `crypto/init.c`). This switch can be
|
---|
63 | controlled using `disable-atexit` or `enable-atexit`, and is disabled by default
|
---|
64 | for NonStop builds. If you need to have `atexit()` functionality, set
|
---|
65 | `enabled-atexit` when configuring OpenSSL to enable the `atexit()` call to
|
---|
66 | register `OPENSSL_cleanup()` automatically. Preferably, you can explicitly call
|
---|
67 | `OPENSSL_cleanup()` from your application.
|
---|
68 |
|
---|
69 | About Prefix and OpenSSLDir
|
---|
70 | ---------------------------
|
---|
71 |
|
---|
72 | Because there are many potential builds that must co-exist on any given
|
---|
73 | NonStop node, managing the location of your build distribution is crucial.
|
---|
74 | Keep each destination separate and distinct. Mixing any mode described in
|
---|
75 | this document can cause application instability. The recommended approach
|
---|
76 | is to specify the OpenSSL version and threading model in your configuration
|
---|
77 | options, and keeping your memory and float options consistent, for example:
|
---|
78 |
|
---|
79 | * For 1.1 `--prefix=/usr/local-ssl1.1 --openssldir=/usr/local-ssl1.1/ssl`
|
---|
80 | * For 1.1 PUT `--prefix=/usr/local-ssl1.1_put --openssldir=/usr/local-ssl1.1_put/ssl`
|
---|
81 |
|
---|
82 | As of 3.0, the NonStop configurations use the multilib attribute to distinguish
|
---|
83 | between different models:
|
---|
84 |
|
---|
85 | * For 3.0 `--prefix=/usr/local-ssl3.0 --openssldir=/usr/local-ssl3.0/ssl`
|
---|
86 |
|
---|
87 | The PUT model is placed in `${prefix}/lib-put` for 32-bit models and
|
---|
88 | `${prefix}/lib64-put` for 64-bit models.
|
---|
89 |
|
---|
90 | Use the `_RLD_LIB_PATH` environment variable in OSS to select the appropriate
|
---|
91 | directory containing `libcrypto.so` and `libssl.so`. In GUARDIAN, use the
|
---|
92 | `=_RLD_LIB_PATH` search define to locate the GUARDIAN subvolume where OpenSSL
|
---|
93 | is installed.
|
---|
94 |
|
---|
95 | Float Considerations
|
---|
96 | --------------------
|
---|
97 |
|
---|
98 | OpenSSL is built using IEEE Float mode by default. If you need a different
|
---|
99 | IEEE mode, create a new configuration specifying `tfloat-x86-64` (for Tandem
|
---|
100 | Float) or `nfloat-x86-64` (for Neutral Float).
|
---|
101 |
|
---|
102 | Memory Models
|
---|
103 | -------------
|
---|
104 |
|
---|
105 | The current OpenSSL default memory model uses the default platform address
|
---|
106 | model. If you need a different address model, you must specify the appropriate
|
---|
107 | c99 options for compile (`CFLAGS`) and linkers (`LDFLAGS`).
|
---|
108 |
|
---|
109 | Cross Compiling on Windows
|
---|
110 | --------------------------
|
---|
111 |
|
---|
112 | To configure and compile OpenSSL, you will need to set up a Cygwin environment.
|
---|
113 | The Cygwin tools should include bash, make, and any other normal tools required
|
---|
114 | for building programs.
|
---|
115 |
|
---|
116 | Your `PATH` must include the bin directory for the c99 cross-compiler, as in:
|
---|
117 |
|
---|
118 | export PATH=/cygdrive/c/Program\ Files\ \(x86\)/HPE\ NonStop/L16.05/usr/bin:$PATH
|
---|
119 |
|
---|
120 | This should be set before Configure is run. For the c99 cross-compiler to work
|
---|
121 | correctly, you also need the `COMP_ROOT` set, as in:
|
---|
122 |
|
---|
123 | export COMP_ROOT="C:\Program Files (x86)\HPE NonStop\L16.05"
|
---|
124 |
|
---|
125 | `COMP_ROOT` needs to be in Windows form.
|
---|
126 |
|
---|
127 | `Configure` must specify the `no-makedepend` option otherwise errors will
|
---|
128 | result when running the build because the c99 cross-compiler does not support
|
---|
129 | the `gcc -MT` option. An example of a `Configure` command to be run from the
|
---|
130 | OpenSSL directory is:
|
---|
131 |
|
---|
132 | ./Configure nonstop-nsx_64 no-makedepend --with-rand-seed=rdcpu
|
---|
133 |
|
---|
134 | Do not forget to include any OpenSSL cross-compiling prefix and certificate
|
---|
135 | options when creating your libraries.
|
---|
136 |
|
---|
137 | The OpenSSL test suite will not run on your workstation. In order to verify the
|
---|
138 | build, you will need to perform the build and test steps in OSS in your NonStop
|
---|
139 | server. You can also build under gcc and run the test suite for Windows but that
|
---|
140 | is not equivalent.
|
---|
141 |
|
---|
142 | **Note:** In the event that you are attempting a FIPS-compliant cross-compile,
|
---|
143 | be aware that signatures may not match between builds done under OSS and under
|
---|
144 | cross-compiles as the compilers do not necessarily generate identical objects.
|
---|
145 | Anything and everything to do with FIPS is outside the scope of this document.
|
---|
146 | Refer to the FIPS security policy for more information.
|
---|
147 |
|
---|
148 | The following build configurations have been successfully attempted at one
|
---|
149 | point or another. If you are successful in your cross-compile efforts, please
|
---|
150 | update this list:
|
---|
151 |
|
---|
152 | - nonstop-nsx_64
|
---|
153 | - nonstop-nsx_64_put
|
---|
154 |
|
---|
155 | **Note:** Cross-compile builds for TNS/E have not been attempted, but should
|
---|
156 | follow the same considerations as for TNS/X above.
|
---|
157 |
|
---|
158 | Also see the NSDEE discussion below for more historical information.
|
---|
159 |
|
---|
160 | Cross Compiling with NSDEE
|
---|
161 | --------------------------
|
---|
162 |
|
---|
163 | **Note:** None of these builds have been tested by the platform maintainer and
|
---|
164 | are supplied for historical value. Please submit a Pull Request to OpenSSL
|
---|
165 | should these need to be adjusted.
|
---|
166 |
|
---|
167 | If you are attempting to build OpenSSL with NSDEE, you will need to specify
|
---|
168 | the following variables. The following set of compiler defines are required:
|
---|
169 |
|
---|
170 | # COMP_ROOT must be a full path for the build system (e.g. windows)
|
---|
171 | COMP_ROOT=$(cygpath -w /path/to/comp_root)
|
---|
172 | # CC must be executable by your shell
|
---|
173 | CC=/path/to/c99
|
---|
174 |
|
---|
175 | ### Optional Build Variables
|
---|
176 |
|
---|
177 | DBGFLAG="--debug"
|
---|
178 | CIPHENABLES="enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-rc4"
|
---|
179 |
|
---|
180 | ### Internal Known TNS/X to TNS/E Cross Compile Variables
|
---|
181 |
|
---|
182 | The following definition is required if you are building on TNS/X for TNS/E
|
---|
183 | and have access to a TNS/E machine on your EXPAND network - with an example
|
---|
184 | node named `\CS3`:
|
---|
185 |
|
---|
186 | SYSTEMLIBS="-L/E/cs3/usr/local/lib"
|
---|
187 |
|
---|
188 | Version Procedure (VPROC) Considerations
|
---|
189 | ----------------------------------------
|
---|
190 |
|
---|
191 | If you require a VPROC entry for platform version identification, use the
|
---|
192 | following variables:
|
---|
193 |
|
---|
194 | ### For Itanium
|
---|
195 |
|
---|
196 | OPENSSL_VPROC_PREFIX=T0085H06
|
---|
197 |
|
---|
198 | ### For x86
|
---|
199 |
|
---|
200 | OPENSSL_VPROC_PREFIX=T0085L01
|
---|
201 |
|
---|
202 | ### Common Definition
|
---|
203 |
|
---|
204 | export OPENSSL_VPROC=${OPENSSL_VPROC_PREFIX}_$(
|
---|
205 | . VERSION.dat
|
---|
206 | if [ -n "$PRE_RELEASE_TAG" ]; then
|
---|
207 | PRE_RELEASE_TAG="-$PRE_RELEASE_TAG"
|
---|
208 | fi
|
---|
209 | if [ -n "$BUILD_METADATA" ]; then
|
---|
210 | BUILD_METADATA="+$BUILD_METADATA"
|
---|
211 | fi
|
---|
212 | echo "$MAJOR.$MINOR.$PATCH$PRE_RELEASE_TAG$BUILD_METADATA" |\
|
---|
213 | sed -e 's/[-.+]/_/g'
|
---|
214 | )
|
---|
215 |
|
---|
216 | Example Configure Targets
|
---|
217 | -------------------------
|
---|
218 |
|
---|
219 | For OSS targets, the main DLL names will be `libssl.so` and `libcrypto.so`.
|
---|
220 | For GUARDIAN targets, DLL names will be `ssl` and `crypto`. The following
|
---|
221 | assumes that your PWD is set according to your installation standards.
|
---|
222 |
|
---|
223 | ./Configure nonstop-nsx --prefix=${PWD} \
|
---|
224 | --openssldir=${PWD}/ssl no-threads \
|
---|
225 | --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
---|
226 | ./Configure nonstop-nsx_g --prefix=${PWD} \
|
---|
227 | --openssldir=${PWD}/ssl no-threads \
|
---|
228 | --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
---|
229 | ./Configure nonstop-nsx_put --prefix=${PWD} \
|
---|
230 | --openssldir=${PWD}/ssl threads "-D_REENTRANT" \
|
---|
231 | --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
---|
232 | ./Configure nonstop-nsx_64 --prefix=${PWD} \
|
---|
233 | --openssldir=${PWD}/ssl no-threads \
|
---|
234 | --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
---|
235 | ./Configure nonstop-nsx_64_put --prefix=${PWD} \
|
---|
236 | --openssldir=${PWD}/ssl threads "-D_REENTRANT" \
|
---|
237 | --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
---|
238 | ./Configure nonstop-nsx_g_tandem --prefix=${PWD} \
|
---|
239 | --openssldir=${PWD}/ssl no-threads \
|
---|
240 | --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
---|
241 |
|
---|
242 | ./Configure nonstop-nse --prefix=${PWD} \
|
---|
243 | --openssldir=${PWD}/ssl no-threads \
|
---|
244 | --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
---|
245 | ./Configure nonstop-nse_g --prefix=${PWD} \
|
---|
246 | --openssldir=${PWD}/ssl no-threads \
|
---|
247 | --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
---|
248 | ./Configure nonstop-nse_put --prefix=${PWD} \
|
---|
249 | --openssldir=${PWD}/ssl threads "-D_REENTRANT" \
|
---|
250 | --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
---|
251 | ./Configure nonstop-nse_64 --prefix=${PWD} \
|
---|
252 | --openssldir=${PWD}/ssl no-threads \
|
---|
253 | --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
---|
254 | ./Configure nonstop-nse_64_put --prefix=${PWD} \
|
---|
255 | --openssldir=${PWD}/ssl threads "-D_REENTRANT"
|
---|
256 | --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
---|
257 | ./Configure nonstop-nse_g_tandem --prefix=${PWD} \
|
---|
258 | --openssldir=${PWD}/ssl no-threads \
|
---|
259 | --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
---|