Commit | Line | Data |
---|---|---|
648cf924 RB |
1 | NOTES FOR THE HPE NONSTOP PLATFORM |
2 | ============================== | |
3 | ||
4 | Requirement details | |
5 | ------------------- | |
6 | ||
7 | In addition to the requirements and instructions listed | |
8 | in [INSTALL.md](INSTALL.md), the following are required as well: | |
9 | ||
10 | * The TNS/X platform supports hardware randomization. | |
11 | Specify the `--with-rand-seed=rdcpu` option to the `./Configure` script. | |
12 | This is recommended but not required. `egd` is supported at 3.0 but cannot | |
13 | be used if FIPS is selected. | |
14 | * The TNS/E platform does not support hardware randomization, so | |
15 | specify the `--with-rand-seed=egd` option to the `./Configure` script. | |
16 | ||
17 | About c99 compiler | |
18 | ------------------ | |
19 | ||
20 | The c99 compiler is required for building OpenSSL from source. While c11 | |
21 | may work, it has not been broadly tested. c99 is the only compiler | |
0339382a | 22 | prerequisite needed to build OpenSSL 3.0 on this platform. |
648cf924 RB |
23 | |
24 | Threading Models | |
25 | ---------------- | |
26 | ||
5cd17920 RB |
27 | OpenSSL can be built either using the POSIX User Threads (PUT) threading model, |
28 | or with threading support disabled. Select the following build configuration | |
29 | for each on the TNS/X (L-Series) platform: | |
648cf924 | 30 | |
5cd17920 RB |
31 | * `nonstop-nsx` or default will select an unthreaded 32-bit build. |
32 | * `nonstop-nsx_64` selects an unthreaded 64-bit memory and file length build. | |
648cf924 | 33 | * `nonstop-nsx_put` selects the PUT build. |
5cd17920 RB |
34 | * `nonstop-nsx_64_put` selects the 64-bit memory and file length PUT build. |
35 | ||
36 | The SPT threading model is no longer supported as of OpenSSL 3.2. | |
648cf924 RB |
37 | |
38 | ### TNS/E Considerations | |
39 | ||
40 | The TNS/E platform is built using the same set of builds specifying `nse` | |
41 | instead of `nsx` in the set above. | |
42 | ||
43 | You cannot build for TNS/E for FIPS, so you must specify the `no-fips` | |
d318fc95 | 44 | option to `./Configure`. |
648cf924 | 45 | |
7b262527 RB |
46 | Linking and Loading Considerations |
47 | ---------------------------------- | |
48 | ||
49 | Because of how the NonStop Common Runtime Environment (CRE) works, there are | |
50 | restrictions on how programs can link and load with OpenSSL libraries. | |
51 | On current NonStop platforms, programs cannot both statically link OpenSSL | |
52 | libraries and dynamically load OpenSSL shared libraries concurrently. If this | |
53 | is done, there is a high probability of encountering a SIGSEGV condition | |
54 | relating to `atexit()` processing when a shared library is unloaded and when | |
55 | the program terminates. This limitation applies to all OpenSSL shared library | |
56 | components. | |
57 | ||
99fb31c1 RB |
58 | A control has been added as of 3.3.x to disable calls to `atexit()` within the |
59 | `libcrypto` builds (specifically in `crypto/init.c`). This switch can be | |
60 | controlled using `disable-atexit` or `enable-atexit`, and is disabled by default | |
61 | for NonStop builds. If you need to have `atexit()` functionality, set | |
62 | `enable-atexit` when configuring OpenSSL to enable the `atexit()` call to | |
63 | register `OPENSSL_cleanup()` automatically. Preferably, you can explicitly call | |
64 | `OPENSSL_cleanup()` from your application. | |
7b262527 | 65 | |
648cf924 RB |
66 | About Prefix and OpenSSLDir |
67 | --------------------------- | |
68 | ||
69 | Because there are many potential builds that must co-exist on any given | |
70 | NonStop node, managing the location of your build distribution is crucial. | |
71 | Keep each destination separate and distinct. Mixing any mode described in | |
72 | this document can cause application instability. The recommended approach | |
73 | is to specify the OpenSSL version and threading model in your configuration | |
74 | options, and to keep your memory and float options consistent, for example: | |
75 | ||
76 | * For 1.1 `--prefix=/usr/local-ssl1.1 --openssldir=/usr/local-ssl1.1/ssl` | |
77 | * For 1.1 PUT `--prefix=/usr/local-ssl1.1_put --openssldir=/usr/local-ssl1.1_put/ssl` | |
1501de33 RL |
78 | |
79 | As of 3.0, the NonStop configurations use the multilib attribute to distinguish | |
80 | between different models: | |
81 | ||
648cf924 | 82 | * For 3.0 `--prefix=/usr/local-ssl3.0 --openssldir=/usr/local-ssl3.0/ssl` |
1501de33 RL |
83 | |
84 | The PUT model is placed in `${prefix}/lib-put` for 32-bit models and | |
85 | `${prefix}/lib64-put` for 64-bit models. | |
648cf924 RB |
86 | |
87 | Use the `_RLD_LIB_PATH` environment variable in OSS to select the appropriate | |
88 | directory containing `libcrypto.so` and `libssl.so`. In GUARDIAN, use the | |
89 | `=_RLD_LIB_PATH` search define to locate the GUARDIAN subvolume where OpenSSL | |
90 | is installed. | |
91 | ||
92 | Float Considerations | |
93 | -------------------- | |
94 | ||
95 | OpenSSL is built using IEEE Float mode by default. If you need a different | |
96 | IEEE mode, create a new configuration specifying `tfloat-x86-64` (for Tandem | |
97 | Float) or `nfloat-x86-64` (for Neutral Float). | |
98 | ||
99 | Memory Models | |
100 | ------------- | |
101 | ||
102 | The current OpenSSL default memory model uses the default platform address | |
103 | model. If you need a different address model, you must specify the appropriate | |
104 | c99 options for compile (`CFLAGS`) and linkers (`LDFLAGS`). | |
105 | ||
d720e603 RB |
106 | Cross Compiling on Windows |
107 | -------------------------- | |
108 | ||
109 | To configure and compile OpenSSL, you will need to set up a Cygwin environment. | |
110 | The Cygwin tools should include bash, make, and any other normal tools required | |
111 | for building programs. | |
112 | ||
113 | Your `PATH` must include the bin directory for the c99 cross-compiler, as in: | |
114 | ||
115 | export PATH=/cygdrive/c/Program\ Files\ \(x86\)/HPE\ NonStop/L16.05/usr/bin:$PATH | |
116 | ||
117 | This should be set before Configure is run. For the c99 cross-compiler to work | |
118 | correctly, you also need the `COMP_ROOT` set, as in: | |
119 | ||
120 | export COMP_ROOT="C:\Program Files (x86)\HPE NonStop\L16.05" | |
121 | ||
122 | `COMP_ROOT` needs to be in Windows form. | |
123 | ||
124 | `Configure` must specify the `no-makedepend` option; otherwise, errors will | |
125 | result when running the build because the c99 cross-compiler does not support | |
126 | the `gcc -MT` option. An example of a `Configure` command to be run from the | |
127 | OpenSSL directory is: | |
128 | ||
129 | ./Configure nonstop-nsx_64 no-makedepend --with-rand-seed=rdcpu | |
130 | ||
131 | Do not forget to include any OpenSSL cross-compiling prefix and certificate | |
132 | options when creating your libraries. | |
133 | ||
134 | The OpenSSL test suite will not run on your workstation. In order to verify the | |
135 | build, you will need to perform the build and test steps in OSS in your NonStop | |
136 | server. You can also build under gcc and run the test suite for Windows but that | |
137 | is not equivalent. | |
138 | ||
139 | **Note:** In the event that you are attempting a FIPS-compliant cross-compile, | |
140 | be aware that signatures may not match between builds done under OSS and under | |
141 | cross-compiles as the compilers do not necessarily generate identical objects. | |
142 | Anything and everything to do with FIPS is outside the scope of this document. | |
143 | Refer to the FIPS security policy for more information. | |
144 | ||
145 | The following build configurations have been successfully attempted at one | |
146 | point or another. If you are successful in your cross-compile efforts, please | |
147 | update this list: | |
148 | ||
149 | - nonstop-nsx_64 | |
150 | - nonstop-nsx_64_put | |
151 | ||
152 | **Note:** Cross-compile builds for TNS/E have not been attempted, but should | |
5cd17920 | 153 | follow the same considerations as for TNS/X above. |
d720e603 RB |
154 | |
155 | Also see the NSDEE discussion below for more historical information. | |
156 | ||
648cf924 RB |
157 | Cross Compiling with NSDEE |
158 | -------------------------- | |
159 | ||
d720e603 RB |
160 | **Note:** None of these builds have been tested by the platform maintainer and |
161 | are supplied for historical value. Please submit a Pull Request to OpenSSL | |
162 | should these need to be adjusted. | |
648cf924 RB |
163 | |
164 | If you are attempting to build OpenSSL with NSDEE, you will need to specify | |
165 | the following variables. The following set of compiler defines are required: | |
166 | ||
167 | # COMP_ROOT must be a full path for the build system (e.g. windows) | |
168 | COMP_ROOT=$(cygpath -w /path/to/comp_root) | |
169 | # CC must be executable by your shell | |
170 | CC=/path/to/c99 | |
171 | ||
172 | ### Optional Build Variables | |
173 | ||
174 | DBGFLAG="--debug" | |
175 | CIPHENABLES="enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-rc4" | |
176 | ||
177 | ### Internal Known TNS/X to TNS/E Cross Compile Variables | |
178 | ||
179 | The following definition is required if you are building on TNS/X for TNS/E | |
180 | and have access to a TNS/E machine on your EXPAND network - with an example | |
181 | node named `\CS3`: | |
182 | ||
183 | SYSTEMLIBS="-L/E/cs3/usr/local/lib" | |
184 | ||
185 | Version Procedure (VPROC) Considerations | |
186 | ---------------------------------------- | |
187 | ||
188 | If you require a VPROC entry for platform version identification, use the | |
189 | following variables: | |
190 | ||
191 | ### For Itanium | |
192 | ||
193 | OPENSSL_VPROC_PREFIX=T0085H06 | |
194 | ||
195 | ### For x86 | |
196 | ||
197 | OPENSSL_VPROC_PREFIX=T0085L01 | |
198 | ||
199 | ### Common Definition | |
200 | ||
201 | export OPENSSL_VPROC=${OPENSSL_VPROC_PREFIX}_$( | |
202 | . VERSION.dat | |
203 | if [ -n "$PRE_RELEASE_TAG" ]; then | |
204 | PRE_RELEASE_TAG="-$PRE_RELEASE_TAG" | |
205 | fi | |
83a5bd80 RL |
206 | if [ -n "$BUILD_METADATA" ]; then |
207 | BUILD_METADATA="+$BUILD_METADATA" | |
208 | fi | |
648cf924 RB |
209 | echo "$MAJOR.$MINOR.$PATCH$PRE_RELEASE_TAG$BUILD_METADATA" |\ |
210 | sed -e 's/[-.+]/_/g' | |
211 | ) | |
212 | ||
213 | Example Configure Targets | |
214 | ------------------------- | |
215 | ||
216 | For OSS targets, the main DLL names will be `libssl.so` and `libcrypto.so`. | |
217 | For GUARDIAN targets, DLL names will be `ssl` and `crypto`. The following | |
218 | assumes that your PWD is set according to your installation standards. | |
219 | ||
220 | ./Configure nonstop-nsx --prefix=${PWD} \ | |
221 | --openssldir=${PWD}/ssl no-threads \ | |
222 | --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS} | |
223 | ./Configure nonstop-nsx_g --prefix=${PWD} \ | |
224 | --openssldir=${PWD}/ssl no-threads \ | |
225 | --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS} | |
226 | ./Configure nonstop-nsx_put --prefix=${PWD} \ | |
227 | --openssldir=${PWD}/ssl threads "-D_REENTRANT" \ | |
228 | --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS} | |
648cf924 RB |
229 | ./Configure nonstop-nsx_64 --prefix=${PWD} \ |
230 | --openssldir=${PWD}/ssl no-threads \ | |
231 | --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS} | |
232 | ./Configure nonstop-nsx_64_put --prefix=${PWD} \ | |
233 | --openssldir=${PWD}/ssl threads "-D_REENTRANT" \ | |
234 | --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS} | |
235 | ./Configure nonstop-nsx_g_tandem --prefix=${PWD} \ | |
236 | --openssldir=${PWD}/ssl no-threads \ | |
237 | --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS} | |
238 | ||
239 | ./Configure nonstop-nse --prefix=${PWD} \ | |
240 | --openssldir=${PWD}/ssl no-threads \ | |
241 | --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS} | |
242 | ./Configure nonstop-nse_g --prefix=${PWD} \ | |
243 | --openssldir=${PWD}/ssl no-threads \ | |
244 | --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS} | |
245 | ./Configure nonstop-nse_put --prefix=${PWD} \ | |
246 | --openssldir=${PWD}/ssl threads "-D_REENTRANT" \ | |
247 | --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS} | |
648cf924 RB |
248 | ./Configure nonstop-nse_64 --prefix=${PWD} \ |
249 | --openssldir=${PWD}/ssl no-threads \ | |
250 | --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS} | |
251 | ./Configure nonstop-nse_64_put --prefix=${PWD} \ | |
252 | --openssldir=${PWD}/ssl threads "-D_REENTRANT" \ | |
253 | --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS} | |
254 | ./Configure nonstop-nse_g_tandem --prefix=${PWD} \ | |
255 | --openssldir=${PWD}/ssl no-threads \ | |
256 | --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS} |
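
A pre-flight check for `./Configure` arguments that encodes the constraints stated in these notes: TNS/E requires `egd` and `no-fips`, `egd` cannot be used when FIPS is selected, `rdcpu` is recommended on TNS/X, and the `CIPHENABLES` options turn on legacy protocols and ciphers. This is an added example, not part of OpenSSL or of the original notes; the function names `nonstop_preflight` and `nonstop_put_libdir` are hypothetical, and `enable-fips` is assumed to be the option that selects FIPS.

```shell
# Added example, not OpenSSL code. Function names are hypothetical.
# nonstop_preflight TARGET [Configure options...]
# Prints one finding per line; returns 1 if any ERROR was found.
nonstop_preflight() {
    target=$1; shift
    seed=""; fips=""; nofips=""; rc=0
    for opt in "$@"; do
        case $opt in
            --with-rand-seed=*) seed=${opt#--with-rand-seed=} ;;
            enable-fips)        fips=yes ;;   # assumed FIPS selector
            no-fips)            nofips=yes ;;
            enable-ssl3|enable-ssl3-method|enable-weak-ssl-ciphers|enable-rc4)
                echo "WARN: $opt enables a legacy protocol or cipher" ;;
        esac
    done
    case $target in
        nonstop-nse*)
            # TNS/E: no hardware randomization and no FIPS builds.
            [ "$seed" = egd ] || { echo "ERROR: TNS/E requires --with-rand-seed=egd"; rc=1; }
            [ -n "$nofips" ] || { echo "ERROR: TNS/E requires no-fips"; rc=1; }
            ;;
        nonstop-nsx*)
            # TNS/X: rdcpu is recommended but not required.
            [ "$seed" = rdcpu ] || echo "WARN: --with-rand-seed=rdcpu is recommended on TNS/X"
            ;;
        *)
            echo "ERROR: $target is not a NonStop target"; rc=1
            ;;
    esac
    # egd cannot be used if FIPS is selected, on either platform.
    if [ "$seed" = egd ] && [ -n "$fips" ]; then
        echo "ERROR: egd cannot be used when FIPS is selected"; rc=1
    fi
    return "$rc"
}

# nonstop_put_libdir PREFIX TARGET
# Prints the 3.0+ PUT library directory to place on _RLD_LIB_PATH.
nonstop_put_libdir() {
    case $2 in
        *_64_put) echo "$1/lib64-put" ;;
        *_put)    echo "$1/lib-put" ;;
        *)        return 1 ;;   # non-PUT layout is not stated in these notes
    esac
}
```

Run `nonstop_preflight` with the same target and options you intend to pass to `./Configure`, and treat a non-zero return as a reason not to start the build.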