Hello,

I found a workaround by linking with the FIPS capable "shared" library.

Please let me know if anyone has been successful in building a shared library on Linux that links with the FIPS capable "static" library.

Thanks,

Bill

On Oct 12, 2010, at 12:33 PM, Bill wrote:

Hello again,

Here is a better example that shows the problem. I would appreciate any clues on how to solve this.

$ cat foo.cpp
#include <stdio.h>
#include <openssl/evp.h>

/* Returns 1 if FIPS mode was enabled, 0 otherwise. */
int
fips_check()
{
        if (FIPS_mode_set(1) == 0) {
                printf("Failed to enable FIPS mode\n");
                return 0;
        } else {
                printf("FIPS mode is enabled.\n");
                return 1;
        }
}
===

$ cat foobar.cpp
#include <stdio.h>

int fips_check();

int
main()
{
        fips_check();
}
===

$ cat cmd.cpp
#include <stdio.h>
#include <openssl/evp.h>

int
main()
{
        if (FIPS_mode_set(1) == 0) {
                printf("Failed to enable FIPS mode\n");
        } else {
                printf("FIPS mode is enabled.\n");
        }
}
===

$ cat makefile
CC = gcc
OPENSSLDIR = ./openssl-0.9.8o-fips
LIBCRYPTO = $(OPENSSLDIR)/lib/libcrypto.a
INCLUDES = -I$(OPENSSLDIR)/include
OBJ = foo.o
LIB = libfoo.so.1
CMD = cmd
OPTS=-W1,-soname,$(LIB)

foobar: $(LIB)
        FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -o $@ [email protected] -L. -lfoo

$(LIB): $(OBJ)
        rm -f $(LIB) libfoo.so
        FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -shared $(OPTS) -o $(LIB) $(OBJ) \
                $(LIBCRYPTO) -lstdc++
        ln -s $(LIB) libfoo.so

$(CMD): cmd.cpp
        FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -o $(CMD) $(CMD).cpp \
                $(INCLUDES) $(LIBCRYPTO) -lstdc++

$(OBJ): foo.cpp
        $(CC) -c foo.cpp -fPIC $(INCLUDES)

clean:
        rm -rf $(LIB) $(OBJ) $(CMD) *.so foobar
===

$ make clean
rm -rf libfoo.so.1 foo.o cmd *.so foobar

===> How to fix the following link error?

$ make
gcc -c foo.cpp -fPIC -I./openssl-0.9.8o-fips/include
rm -f libfoo.so.1 libfoo.so
FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -shared -W1,-soname,libfoo.so.1 -o libfoo.so.1 foo.o \
                ./openssl-0.9.8o-fips/lib/libcrypto.a -lstdc++
cc1: error: unrecognized command line option "-W1,-soname,libfoo.so.1"
make: *** [libfoo.so.1] Error 1

===> A standalone executable works fine

$ make cmd
FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -o cmd cmd.cpp \
-I./openssl-0.9.8o-fips/include ./openssl-0.9.8o-fips/lib/libcrypto.a -lstdc++

$ ./cmd
FIPS mode is enabled.

Thanks,

Bill

On Oct 12, 2010, at 12:13 PM, Bill wrote:

Hello,

I have followed the FIPS UserGuide 1.2 to build a FIPS object module and a FIPS capable OpenSSL.

I used openssl-fips-1.2.tar.gz and openssl-0.9.8o.tar.gz to build these.

On Ubuntu, when I try to build a shared library that links with the FIPS-capable OpenSSL static library, I get the following link error:

$ make
FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -shared -W1,-soname,libfoo.so.1 \
                -o libfoo.so.1 foo.o ./openssl-0.9.8o-fips/lib/libcrypto.a
cc1: error: unrecognized command line option "-W1,-soname,libfoo.so.1"
make: *** [libfoo.so.1] Error 1

Is there a workaround or a recipe on how to build a shared library on Linux that links with the FIPS-capable OpenSSL static library?

Here are the details:

$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04.4 LTS"

$ uname -a
Linux ubuntu804vm01 2.6.24-28-generic #1 SMP Thu Sep 16 15:01:14 UTC 2010 i686 GNU/Linux

$ gcc --version
gcc (GCC) 4.2.4 (Ubuntu 4.2.4-1ubuntu4)
Copyright (C) 2007 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

$ ./openssl-0.9.8o-fips/bin/openssl version
OpenSSL 0.9.8o-fips 01 Jun 2010

===> An executable can be built with OpenSSL FIPS lib

$ make cmd
gcc -c foo.cpp -fPIC -I./openssl-0.9.8o-fips/include
FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -o cmd foo.o ./openssl-0.9.8o-fips/lib/libcrypto.a -lstdc++

$ ./cmd
FIPS mode is enabled.

===> Unable to make a shared library with OpenSSL FIPS lib

$ make
FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -shared -W1,-soname,libfoo.so.1 \
                -o libfoo.so.1 foo.o ./openssl-0.9.8o-fips/lib/libcrypto.a
cc1: error: unrecognized command line option "-W1,-soname,libfoo.so.1"
make: *** [libfoo.so.1] Error 1

===> Here is foo.cpp and the makefile

$ cat foo.cpp
#include <stdio.h>
#include <openssl/evp.h>

int
main()
{
        if (FIPS_mode_set(1) == 0) {
                printf("Failed to enable FIPS mode\n");
        } else {
                printf("FIPS mode is enabled.\n");
        }
}

$ cat makefile
CC = gcc
OPENSSLDIR = ./openssl-0.9.8o-fips
LIBCRYPTO = $(OPENSSLDIR)/lib/libcrypto.a
INCLUDES = -I$(OPENSSLDIR)/include
OBJ = foo.o
LIB = libfoo.so.1
CMD = cmd

$(LIB): $(OBJ)
        FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -shared -W1,-soname,$(LIB) \
                -o $(LIB) $(OBJ) $(LIBCRYPTO)

$(CMD): $(OBJ)
        FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -o $(CMD) $(OBJ) $(LIBCRYPTO) -lstdc++

$(OBJ): foo.cpp
        $(CC) -c foo.cpp -fPIC $(INCLUDES)

clean:
        rm -rf $(LIB) $(OBJ) $(CMD)



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
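
Added note and example, not part of Bill's messages or the OpenSSL project's code: the `cc1: error: unrecognized command line option "-W1,-soname,libfoo.so.1"` lines above come from the flag being spelled `-W1,` (digit one), which gcc hands to the compiler proper as a warning option, whereas the linker pass-through prefix is `-Wl,` (lowercase L). The function names and the sample input (constructed from the quoted makefile) are assumptions of this sketch, which only locates the misspelled prefix and does not show whether the fipsld link then completes.

```shell
#!/bin/sh
# Added example: report "-W1," (digit one) tokens where gcc's linker
# pass-through prefix "-Wl," (lowercase L) was almost certainly intended.

# Read makefile or command-line text on stdin and print
# "LINE: bad-token -> suggested-token" for every suspect token.
find_wl_typos() {
    awk '{
        for (i = 1; i <= NF; i++) {
            tok = $i
            # Strip a leading "VAR=" so values in make assignments are checked too.
            sub(/^[A-Za-z_][A-Za-z0-9_]*[+?:]?=/, "", tok)
            if (tok ~ /^-W1,/) {
                fixed = tok
                sub(/^-W1,/, "-Wl,", fixed)
                printf "%d: %s -> %s\n", NR, tok, fixed
            }
        }
    }'
}

# Constructed sample: the OPTS assignment and link rule from the quoted makefile.
sample_makefile() {
    cat <<'EOF'
CC = gcc
LIB = libfoo.so.1
OPTS=-W1,-soname,$(LIB)
$(LIB): $(OBJ)
        FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -shared $(OPTS) -o $(LIB) $(OBJ)
EOF
}

sample_makefile | find_wl_typos
```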
