xref: /openssl/NOTES-NONSTOP.md (revision 6288aa44)
NOTES FOR THE HPE NONSTOP PLATFORM
==============================

Requirement details
-------------------

In addition to the requirements and instructions listed
in [INSTALL.md](INSTALL.md), the following are required as well:

 * The TNS/X platform supports hardware randomization.
   Specify the `--with-rand-seed=rdcpu` option to the `./Configure` script.
   This is recommended but not required. `egd` is supported at 3.0 but cannot
   be used if FIPS is selected.
 * The TNS/E platform does not support hardware randomization, so
   specify the `--with-rand-seed=egd` option to the `./Configure` script.

About c99 compiler
------------------

The c99 compiler is required for building OpenSSL from source. While c11
may work, it has not been broadly tested. c99 is the only compiler
prerequisite needed to build OpenSSL 3.0 on this platform.

Threading Models
----------------

OpenSSL can be built either using the POSIX User Threads (PUT) threading model,
or with threading support disabled. Select the following build configuration
for each on the TNS/X (L-Series) platform:

 * `nonstop-nsx` or default will select an unthreaded 32-bit build.
 * `nonstop-nsx_64` selects an unthreaded 64-bit memory and file length build.
 * `nonstop-nsx_64_klt` selects the 64-bit memory and file length KLT build.
 * `nonstop-nsx_put` selects the PUT build.
 * `nonstop-nsx_64_put` selects the 64-bit memory and file length PUT build.

The KLT threading model is a newly released model on NonStop. It implements
kernel-level threading. KLT provides threading that is much closer to what
OpenSSL uses for Linux-like threading models. KLT continues to use the pthread
library API. There are no supported 32-bit or Guardian builds for KLT. Note:
KLT is not currently available but is planned for post-2024.

The SPT threading model is no longer supported as of OpenSSL 3.2.

The PUT model is incompatible with the QUIC capability. This capability should
be disabled when building with PUT.

### TNS/E Considerations

The TNS/E platform is built using the same set of builds, specifying `nse`
instead of `nsx` in the set above.

You cannot build for TNS/E for FIPS, so you must specify the `no-fips`
option to `./Configure`.
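
The platform, threading and FIPS rules above can be checked before `./Configure` is run. The following is an added example, not part of the OpenSSL sources: `nonstop_configure_args` is a hypothetical helper name, and `no-quic` and `enable-fips` are standard OpenSSL `Configure` options that this document does not itself name.

```shell
# Added example; nonstop_configure_args is a hypothetical helper, not part of OpenSSL.
# usage: nonstop_configure_args <nsx|nse> <32|64> <none|put|klt> <fips|nofips>
nonstop_configure_args() {
    arch=$1 bits=$2 model=$3 fips=$4

    case "$arch" in
        nsx) seed=rdcpu ;;  # TNS/X supports hardware randomization
        nse) seed=egd ;;    # TNS/E does not, so fall back to egd
        *)   echo "platform must be nsx or nse" >&2; return 1 ;;
    esac

    # TNS/E cannot be built for FIPS, and egd cannot be used with FIPS.
    if [ "$fips" = fips ] && [ "$arch" = nse ]; then
        echo "TNS/E builds must use no-fips" >&2; return 1
    fi

    target="nonstop-$arch"
    case "$bits" in
        32) ;;
        64) target="${target}_64" ;;
        *)  echo "bits must be 32 or 64" >&2; return 1 ;;
    esac

    case "$model" in
        none) opts="no-threads" ;;
        put)  target="${target}_put"
              # PUT is incompatible with QUIC, so QUIC is switched off.
              opts="threads -D_REENTRANT no-quic" ;;
        klt)  echo "KLT is not currently available" >&2; return 1 ;;
        *)    echo "threading model must be none, put or klt" >&2; return 1 ;;
    esac

    if [ "$fips" = fips ]; then
        opts="$opts enable-fips"
    else
        opts="$opts no-fips"
    fi

    echo "$target --with-rand-seed=$seed $opts"
}

# Constructed sample call: 64-bit PUT build for TNS/X without FIPS.
nonstop_configure_args nsx 64 put nofips
```

The helper prints only the target and feature options; add `--prefix` and `--openssldir` for your installation when passing the result to `./Configure`.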

Linking and Loading Considerations
----------------------------------

Because of how the NonStop Common Runtime Environment (CRE) works, there are
restrictions on how programs can link and load with OpenSSL libraries.
On current NonStop platforms, programs cannot both statically link OpenSSL
libraries and dynamically load OpenSSL shared libraries concurrently. If this
is done, there is a high probability of encountering a SIGSEGV condition
relating to `atexit()` processing when a shared library is unloaded and when
the program terminates. This limitation applies to all OpenSSL shared library
components.

A control has been added as of 3.3.x to disable calls to `atexit()` within the
`libcrypto` builds (specifically in `crypto/init.c`). This switch can be
controlled using `disable-atexit` or `enable-atexit`, and is disabled by default
for NonStop builds. If you need to have `atexit()` functionality, set
`enable-atexit` when configuring OpenSSL to enable the `atexit()` call to
register `OPENSSL_cleanup()` automatically. Preferably, you can explicitly call
`OPENSSL_cleanup()` from your application.

About Prefix and OpenSSLDir
---------------------------

Because there are many potential builds that must co-exist on any given
NonStop node, managing the location of your build distribution is crucial.
Keep each destination separate and distinct. Mixing any mode described in
this document can cause application instability. The recommended approach
is to specify the OpenSSL version and threading model in your configuration
options, and to keep your memory and float options consistent, for example:

 * For 1.1 `--prefix=/usr/local-ssl1.1 --openssldir=/usr/local-ssl1.1/ssl`
 * For 1.1 PUT `--prefix=/usr/local-ssl1.1_put --openssldir=/usr/local-ssl1.1_put/ssl`

As of 3.0, the NonStop configurations use the multilib attribute to distinguish
between different models:

 * For 3.0 `--prefix=/usr/local-ssl3.0 --openssldir=/usr/local-ssl3.0/ssl`

The PUT model is placed in `${prefix}/lib-put` for 32-bit models and
`${prefix}/lib64-put` for 64-bit models.

Use the `_RLD_LIB_PATH` environment variable in OSS to select the appropriate
directory containing `libcrypto.so` and `libssl.so`. In GUARDIAN, use the
`=_RLD_LIB_PATH` search define to locate the GUARDIAN subvolume where OpenSSL
is installed.

Float Considerations
--------------------

OpenSSL is built using IEEE Float mode by default. If you need a different
IEEE mode, create a new configuration specifying `tfloat-x86-64` (for Tandem
Float) or `nfloat-x86-64` (for Neutral Float).

Memory Models
-------------

The current OpenSSL default memory model uses the default platform address
model. If you need a different address model, you must specify the appropriate
c99 options for compile (`CFLAGS`) and linkers (`LDFLAGS`).

Cross Compiling on Windows
--------------------------

To configure and compile OpenSSL, you will need to set up a Cygwin environment.
The Cygwin tools should include bash, make, and any other normal tools required
for building programs.

Your `PATH` must include the bin directory for the c99 cross-compiler, as in:

    export PATH=/cygdrive/c/Program\ Files\ \(x86\)/HPE\ NonStop/L16.05/usr/bin:$PATH

This should be set before Configure is run. For the c99 cross-compiler to work
correctly, you also need the `COMP_ROOT` set, as in:

    export COMP_ROOT="C:\Program Files (x86)\HPE NonStop\L16.05"

`COMP_ROOT` needs to be in Windows form.

An example of a `Configure` command to be run from the OpenSSL directory is:

    ./Configure nonstop-nsx_64 --with-rand-seed=rdcpu

Do not forget to include any OpenSSL cross-compiling prefix and certificate
options when creating your libraries.

The OpenSSL test suite will not run on your workstation. In order to verify the
build, you will need to perform the build and test steps in OSS on your NonStop
server. You can also build under gcc and run the test suite for Windows but that
is not equivalent.

**Note:** In the event that you are attempting a FIPS-compliant cross-compile,
be aware that signatures may not match between builds done under OSS and under
cross-compiles as the compilers do not necessarily generate identical objects.
Anything and everything to do with FIPS is outside the scope of this document.
Refer to the FIPS security policy for more information.

The following build configurations have been successfully attempted at one
point or another. If you are successful in your cross-compile efforts, please
update this list:

- nonstop-nsx_64
- nonstop-nsx_64_put

**Note:** Cross-compile builds for TNS/E have not been attempted, but should
follow the same considerations as for TNS/X above.

Also see the NSDEE discussion below for more historical information.

Cross Compiling with NSDEE
--------------------------

**Note:** None of these builds have been tested by the platform maintainer and
are supplied for historical value. Please submit a Pull Request to OpenSSL
should these need to be adjusted.

If you are attempting to build OpenSSL with NSDEE, you will need to specify
the following variables. The following set of compiler defines is required:

    # COMP_ROOT must be a full path for the build system (e.g. windows)
    COMP_ROOT=$(cygpath -w /path/to/comp_root)
    # CC must be executable by your shell
    CC=/path/to/c99

### Optional Build Variables

    DBGFLAG="--debug"
    CIPHENABLES="enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-rc4"

### Internal Known TNS/X to TNS/E Cross Compile Variables

The following definition is required if you are building on TNS/X for TNS/E
and have access to a TNS/E machine on your EXPAND network - with an example
node named `\CS3`:

    SYSTEMLIBS="-L/E/cs3/usr/local/lib"

Version Procedure (VPROC) Considerations
----------------------------------------

If you require a VPROC entry for platform version identification, use the
following variables:

### For Itanium

    OPENSSL_VPROC_PREFIX=T0085H06

### For x86

    OPENSSL_VPROC_PREFIX=T0085L01

### Common Definition

    export OPENSSL_VPROC=${OPENSSL_VPROC_PREFIX}_$(
        . VERSION.dat
        if [ -n "$PRE_RELEASE_TAG" ]; then
            PRE_RELEASE_TAG="-$PRE_RELEASE_TAG"
        fi
        if [ -n "$BUILD_METADATA" ]; then
            BUILD_METADATA="+$BUILD_METADATA"
        fi
        echo "$MAJOR.$MINOR.$PATCH$PRE_RELEASE_TAG$BUILD_METADATA" |\
            sed -e 's/[-.+]/_/g'
        )

Example Configure Targets
-------------------------

For OSS targets, the main DLL names will be `libssl.so` and `libcrypto.so`.
The following assumes that your PWD is set according to your installation
standards.

    ./Configure nonstop-nsx           --prefix=${PWD} \
        --openssldir=${PWD}/ssl no-threads \
        --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
    ./Configure nonstop-nsx_put       --prefix=${PWD} \
        --openssldir=${PWD}/ssl threads "-D_REENTRANT" \
        --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
    ./Configure nonstop-nsx_64        --prefix=${PWD} \
        --openssldir=${PWD}/ssl no-threads \
        --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
    ./Configure nonstop-nsx_64_put    --prefix=${PWD} \
        --openssldir=${PWD}/ssl threads "-D_REENTRANT" \
        --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}

    ./Configure nonstop-nse           --prefix=${PWD} \
        --openssldir=${PWD}/ssl no-threads \
        --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
    ./Configure nonstop-nse_g         --prefix=${PWD} \
        --openssldir=${PWD}/ssl no-threads \
        --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
    ./Configure nonstop-nse_put       --prefix=${PWD} \
        --openssldir=${PWD}/ssl threads "-D_REENTRANT" \
        --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
    ./Configure nonstop-nse_64        --prefix=${PWD} \
        --openssldir=${PWD}/ssl no-threads \
        --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
    ./Configure nonstop-nse_64_put    --prefix=${PWD} \
        --openssldir=${PWD}/ssl threads "-D_REENTRANT" \
        --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
255