On Tue October 12 2010, Bill wrote: > Hello Steve, > > Good eye! That got rid of the compilation error. > > However, FIPS_mode_set(1) fails when it gets called from a "shared" > library that links with the "static" version of the FIPS-capable > OpenSSL library. > > Calling FIPS_mode_set(1) works fine when called directly from an > executable that has been compiled with the static version of the FIPS > capable OpenSSL library. > > The same scenario works fine on Mac OS X (Leopard and Snow Leopard). > So it looks like this problem is specific to Ubuntu Linux. >
Run "file path_to/gcc" to see whether it is a compiled program or a script. Depending on how recently your Ubuntu distribution was updated, you may find that it is now a script. If it is, that might make a difference. Mike > Is there a trick to make this work? > > Here are the details: > > $ make > gcc -c foo.cpp -fPIC -Wall -I./openssl-0.9.8o-fips/include -I. > rm -f libfoo.so > FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -shared -Wl,- > soname,libfoo.so.1 -o libfoo.so.1 foo.o \ > ./openssl-0.9.8o-fips/lib/libcrypto.a -lstdc++ > ln -s ./libfoo.so.1 ./libfoo.so > gcc -o foobar foobar.cpp -Wall -I. -L. -lfoo -lstdc++ > > $ ./foobar > SSL: 0:755404910:fips.c:238:0:error: > 2D06906E:lib(45):func(105):reason(110) > FIPS_mode_set(1) failed > > $ ./cmd > FIPS mode is enabled. > > $ cat foo.cpp > #include <stdio.h> > #include <foo.h> > #include <openssl/err.h> > #include <openssl/evp.h> > > int > fips_check(void) > { > unsigned long fipscode; > unsigned long code; > > if(1 == (fipscode = FIPS_mode_set(1))) { > printf("FIPS_mode_set(1) succeeded\n"); > } else { > char err_msg[256+1]; > int flags, line; char *report_data, *file; > > code = ERR_get_error_line_data( > (const char**)&file, > &line, > (const char**)&report_data, > &flags); > > ERR_error_string_n(code, err_msg, 256); > > printf("SSL: %lu:%lu:%s:%d:%d:%s\n", > fipscode, code, file, line, flags, err_msg); > > printf("FIPS_mode_set(1) failed\n"); > > } > > return 0; > } > > $ cat cmd.cpp > #include <stdio.h> > #include <openssl/evp.h> > > int > main() > { > if (FIPS_mode_set(1) == 0) { > printf("Failed to enable FIPS mode\n"); > } else { > printf("FIPS mode is enabled.\n"); > } > } > > $ cat foo.h > #ifdef __cplusplus > extern "C" { > #endif > int fips_check(void); > #ifdef __cplusplus > } > #endif > > $ cat makefile > CC = gcc > OPENSSLDIR = ./openssl-0.9.8o-fips > LIBCRYPTO = $(OPENSSLDIR)/lib/libcrypto.a > INCLUDES = -I$(OPENSSLDIR)/include > OBJ = foo.o > LIB = libfoo.so.1 > CMD = cmd > OPTS=-Wl,-soname,$(LIB) > > all:
foobar cmd > > foobar: $(LIB) foobar2.cpp > $(CC) -o $@ $@.cpp -Wall -I. -L. -lfoo -lstdc++ > > $(LIB): $(OBJ) > rm -f libfoo.so > FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -shared $(FIPS_OPTS) $(OPTS) > -o $(LIB) $(OBJ) \ > $(LIBCRYPTO) -lstdc++ > ln -s ./libfoo.so.1 ./libfoo.so > > $(CMD): cmd.cpp > FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -o $(CMD) $(CMD).cpp -Wall \ > $(INCLUDES) $(LIBCRYPTO) -lstdc++ > > $(OBJ): foo.cpp > $(CC) -c foo.cpp -fPIC -Wall $(INCLUDES) -I. > > clean: > rm -rf $(LIB) $(OBJ) $(CMD) *.so foobar > > $ uname -a > Linux ixoubuntu 2.6.32-22-generic #36-Ubuntu SMP Thu Jun 3 22:02:19 > UTC 2010 i686 GNU/Linux > > $ cat /etc/lsb-release > DISTRIB_ID=Ubuntu > DISTRIB_RELEASE=10.04 > DISTRIB_CODENAME=lucid > DISTRIB_DESCRIPTION="Ubuntu 10.04 LTS" > > $ gcc --version > gcc (Ubuntu 4.4.3-4ubuntu5) 4.4.3 > Copyright (C) 2009 Free Software Foundation, Inc. > This is free software; see the source for copying conditions. There > is NO > warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR > PURPOSE. > > > On Oct 12, 2010, at 2:36 PM, Dr. Stephen Henson wrote: > > > On Tue, Oct 12, 2010, Bill wrote: > > > >> Hello, > >> > >> I have followed the FIPS UserGuide 1.2 to build a FIPS object > >> module and a > >> FIPS capable OpenSSL. > >> > >> I used openssl-fips-1.2.tar.gz and openssl-0.9.8o.tar.gz to build > >> these. > >> > >> On Ubuntu, when I try to build a shared library that links with the > >> FIPS-capable OpenSSL static library, I get the following link error: > >> > >> $ make > >> FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -shared > >> -W1,-soname,libfoo.so.1 \ > >> -o libfoo.so.1 foo.o ./openssl-0.9.8o-fips/lib/libcrypto.a > >> cc1: error: unrecognized command line option "-W1,-soname,libfoo.so. > >> 1" > >> make: *** [libfoo.so.1] Error 1 > >> > > > > That should be -Wl (letter l) and not -W1 (figure 1) shouldn't it? > > > > Steve. > > -- > > Dr Stephen N. Henson. OpenSSL project core developer.