Hello Steve,
Good eye! That got rid of the compilation error.
However, FIPS_mode_set(1) fails when it gets called from a "shared"
library that links with the "static" version of the FIPS-capable
OpenSSL library.
Calling FIPS_mode_set(1) works fine when called directly from an
executable that has been compiled with the static version of the FIPS
capable OpenSSL library.
The same scenario works fine on Mac OS X (Leopard and Snow Leopard).
So it looks like this problem is specific to Ubuntu Linux.
Is there a trick to make this work?
Here are the details:
$ make
gcc -c foo.cpp -fPIC -Wall -I./openssl-0.9.8o-fips/include -I.
rm -f libfoo.so
FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -shared -Wl,-soname,libfoo.so.1 -o libfoo.so.1 foo.o \
./openssl-0.9.8o-fips/lib/libcrypto.a -lstdc++
ln -s ./libfoo.so.1 ./libfoo.so
gcc -o foobar foobar.cpp -Wall -I. -L. -lfoo -lstdc++
$ ./foobar
SSL: 0:755404910:fips.c:238:0:error:2D06906E:lib(45):func(105):reason(110)
FIPS_mode_set(1) failed
$ ./cmd
FIPS mode is enabled.
$ cat foo.cpp
#include <stdio.h>
#include <foo.h>
#include <openssl/err.h>
#include <openssl/evp.h>

int
fips_check(void)
{
    unsigned long fipscode;
    unsigned long code;

    if (1 == (fipscode = FIPS_mode_set(1))) {
        printf("FIPS_mode_set(1) succeeded\n");
    } else {
        char err_msg[256+1];
        int flags, line;
        char *report_data, *file;

        code = ERR_get_error_line_data(
            (const char**)&file,
            &line,
            (const char**)&report_data,
            &flags);
        ERR_error_string_n(code, err_msg, 256);
        printf("SSL: %lu:%lu:%s:%d:%d:%s\n",
               fipscode, code, file, line, flags, err_msg);
        printf("FIPS_mode_set(1) failed\n");
    }
    return 0;
}
$ cat cmd.cpp
#include <stdio.h>
#include <openssl/evp.h>

int
main()
{
    if (FIPS_mode_set(1) == 0) {
        printf("Failed to enable FIPS mode\n");
    } else {
        printf("FIPS mode is enabled.\n");
    }
}
$ cat foo.h
#ifdef __cplusplus
extern "C" {
#endif
int fips_check(void);
#ifdef __cplusplus
}
#endif
$ cat makefile
CC = gcc
OPENSSLDIR = ./openssl-0.9.8o-fips
LIBCRYPTO = $(OPENSSLDIR)/lib/libcrypto.a
INCLUDES = -I$(OPENSSLDIR)/include
OBJ = foo.o
LIB = libfoo.so.1
CMD = cmd
OPTS=-Wl,-soname,$(LIB)

all: foobar cmd

foobar: $(LIB) foobar2.cpp
	$(CC) -o $@ $...@.cpp -Wall -I. -L. -lfoo -lstdc++

$(LIB): $(OBJ)
	rm -f libfoo.so
	FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -shared $(FIPS_OPTS) $(OPTS) -o $(LIB) $(OBJ) \
		$(LIBCRYPTO) -lstdc++
	ln -s ./libfoo.so.1 ./libfoo.so

$(CMD): cmd.cpp
	FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -o $(CMD) $(CMD).cpp -Wall \
		$(INCLUDES) $(LIBCRYPTO) -lstdc++

$(OBJ): foo.cpp
	$(CC) -c foo.cpp -fPIC -Wall $(INCLUDES) -I.

clean:
	rm -rf $(LIB) $(OBJ) $(CMD) *.so foobar
$ uname -a
Linux ixoubuntu 2.6.32-22-generic #36-Ubuntu SMP Thu Jun 3 22:02:19 UTC 2010 i686 GNU/Linux
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=10.04
DISTRIB_CODENAME=lucid
DISTRIB_DESCRIPTION="Ubuntu 10.04 LTS"
$ gcc --version
gcc (Ubuntu 4.4.3-4ubuntu5) 4.4.3
Copyright (C) 2009 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
On Oct 12, 2010, at 2:36 PM, Dr. Stephen Henson wrote:
On Tue, Oct 12, 2010, Bill wrote:
Hello,
I have followed the FIPS UserGuide 1.2 to build a FIPS object module and a
FIPS capable OpenSSL.
I used openssl-fips-1.2.tar.gz and openssl-0.9.8o.tar.gz to build these.
On Ubuntu, when I try to build a shared library that links with the
FIPS-capable OpenSSL static library, I get the following link error:
$ make
FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -shared -W1,-soname,libfoo.so.1 \
-o libfoo.so.1 foo.o ./openssl-0.9.8o-fips/lib/libcrypto.a
cc1: error: unrecognized command line option "-W1,-soname,libfoo.so.1"
make: *** [libfoo.so.1] Error 1
That should be -Wl (letter l) and not -W1 (figure 1) shouldn't it?
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
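Added example, not part of the original message or of OpenSSL: a small C decoder for the diagnostic line that fips_check() prints above. It assumes the packed error layout of OpenSSL 0.9.8's ERR_PACK macro (8 bits library, 12 bits function, 12 bits reason) and checks that the decimal code and the hex code in the same line agree. The names err_fields, err_unpack and parse_report are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Assumed layout (OpenSSL 0.9.8 ERR_PACK): 8 bits lib, 12 func, 12 reason. */
struct err_fields { unsigned lib, func, reason; };

/* The line printed by ./foobar in the post, with the mail line wrap removed. */
static const char SAMPLE[] =
    "SSL: 0:755404910:fips.c:238:0:error:2D06906E:lib(45):func(105):reason(110)";

struct err_fields err_unpack(unsigned long code)
{
    struct err_fields f;
    f.lib    = (unsigned)((code >> 24) & 0xffUL);
    f.func   = (unsigned)((code >> 12) & 0xfffUL);
    f.reason = (unsigned)(code & 0xfffUL);
    return f;
}

/* Parse "SSL: rc:code:file:line:flags:error:HEXCODE:..." as printed by
 * fips_check(). Returns 0 on success, -1 if the line is malformed, -2 if the
 * decimal code and the hex code inside the error string disagree. */
int parse_report(const char *s, struct err_fields *out,
                 char *file, size_t flen, int *line)
{
    unsigned long rc, dec, hex;
    char fbuf[64];
    int flags;

    if (sscanf(s, "SSL: %lu:%lu:%63[^:]:%d:%d:error:%lx",
               &rc, &dec, fbuf, line, &flags, &hex) != 6)
        return -1;
    if (dec != hex)
        return -2;
    *out = err_unpack(dec);
    snprintf(file, flen, "%s", fbuf);
    return 0;
}

int main(void)
{
    struct err_fields f;
    char file[64];
    int line;

    if (parse_report(SAMPLE, &f, file, sizeof file, &line) != 0)
        return 1;
    printf("%s:%d lib=%u func=%u reason=%u\n", file, line, f.lib, f.func, f.reason);
    return 0;
}
```

The numeric lib(45):func(105):reason(110) placeholders appear because no error strings were loaded; calling ERR_load_crypto_strings() before ERR_error_string_n() makes OpenSSL print the names instead.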