On Oct 13, 2010, at 9:47 AM, Dr. Stephen Henson wrote:
On Tue, Oct 12, 2010, Bill wrote:
Hello Steve,
Good eye! That got rid of the compilation error.
However, FIPS_mode_set(1) fails when it gets called from a "shared" library that links with the "static" version of the FIPS-capable OpenSSL library.
Calling FIPS_mode_set(1) works fine when called directly from an executable that has been compiled with the static version of the FIPS-capable OpenSSL library.
The same scenario works fine on Mac OS X (Leopard and Snow Leopard). So it looks like this problem is specific to Ubuntu Linux.
Is there a trick to make this work?
Here are the details:
$ make
gcc -c foo.cpp -fPIC -Wall -I./openssl-0.9.8o-fips/include -I.
rm -f libfoo.so
FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -shared
-Wl,-soname,libfoo.so.1 -o libfoo.so.1 foo.o \
./openssl-0.9.8o-fips/lib/libcrypto.a -lstdc++
ln -s ./libfoo.so.1 ./libfoo.so
gcc -o foobar foobar.cpp -Wall -I. -L. -lfoo -lstdc++
Instead of an explicit path to libcrypto.a try -L/path -lcrypto
If that doesn't help, uncomment the set -x at the top of fipsld and post the debug output.
Hi Steve,
Thank you for the suggestion, but it did not help:
$ make
gcc -c foo.cpp -fPIC -Wall -I./openssl-0.9.8o-fips/include -I.
rm -f libfoo.so
FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -shared -Wl,-
soname,libfoo.so.1 \
-o libfoo.so.1 foo.o -L./openssl-0.9.8o-fips/lib -lcrypto
-lstdc++
ln -s ./libfoo.so.1 ./libfoo.so
gcc -o foobar foobar.cpp -Wall -ldl -lstdc++
gcc -o foobar2 foobar2.cpp -Wall -I. -L. -lfoo -lstdc++
FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -o cmd cmd.cpp -Wall \
-I./openssl-0.9.8o-fips/include ./openssl-0.9.8o-fips/lib/
libcrypto.a -lstdc++
$ ./foobar
SSL: 0:755404910:fips.c:238:0:error:
2D06906E:lib(45):func(105):reason(110)
FIPS_mode_set(1) failed
$ ./foobar2
SSL: 0:755404910:fips.c:238:0:error:
2D06906E:lib(45):func(105):reason(110)
FIPS_mode_set(1) failed
$ ./cmd
FIPS mode is enabled.
$ ls ./openssl-0.9.8o-fips/lib
engines fips_premain.c libcrypto.so libssl.so
fipscanister.o fips_premain.c.sha1 libcrypto.so.0.9.8
libssl.so.0.9.8
fipscanister.o.sha1 libcrypto.a libssl.a pkgconfig
$ cat foobar.cpp
#include <stdio.h>
#include <dlfcn.h>
/* Signature of the fips_check entry point that is looked up in libfoo.so.1. */
typedef int (*func_t)(void);

/*
 * Load ./libfoo.so.1 at run time, resolve fips_check and call it once.
 *
 * Returns -1 when the library cannot be opened or the symbol cannot be
 * resolved, and 0 otherwise. The value returned by fips_check is not
 * inspected, so the exit status does not say whether FIPS mode was enabled.
 */
int
main()
{
    /*
     * The name contains a slash, so dlopen() treats it as a pathname relative
     * to the current working directory instead of searching the library path.
     */
    void *lib = dlopen("./libfoo.so.1", RTLD_LAZY);
    if (!lib) {
        printf("dlopen: %s\n", dlerror());
        return -1;
    }

    func_t check = reinterpret_cast<func_t>(dlsym(lib, "fips_check"));
    if (!check) {
        /* The handle stays open on this path; the process exits right away. */
        printf("dlsym: %s\n", dlerror());
        return -1;
    }

    check();
    dlclose(lib);
    return 0;
}
$ cat foobar2.cpp
#include <stdio.h>
#include <foo.h>
/*
 * Call fips_check() through ordinary link-time binding against libfoo
 * (the build line on this page passes -L. -lfoo).
 *
 * fips_check is declared in foo.h, which is not shown here. Its return value
 * is discarded, so the exit status is 0 whether or not FIPS mode was enabled.
 */
int
main()
{
    fips_check();
    return 0;
}
$ cat cmd.cpp
#include <stdio.h>
#include <openssl/evp.h>
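/*
 * Ask the libcrypto linked into this executable to enter FIPS mode and
 * report the outcome on stdout.
 *
 * Returns 0 when FIPS_mode_set(1) succeeds and 1 when it fails, so a caller
 * or script cannot mistake a failed switch to FIPS mode for success. The
 * printed messages are the same as before.
 */
int
main()
{
    if (FIPS_mode_set(1) == 0) {
        printf("Failed to enable FIPS mode\n");
        return 1;
    }

    printf("FIPS mode is enabled.\n");
    return 0;
}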
$ cat makefile
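# Reproducer: FIPS_mode_set(1) reached through a shared library (libfoo.so.1,
# used by foobar and foobar2) versus called directly from an executable (cmd).
# Both the library and cmd are linked through fipsld.
CC = gcc
OPENSSLDIR = ./openssl-0.9.8o-fips
LIBCRYPTO = $(OPENSSLDIR)/lib/libcrypto.a
INCLUDES = -I$(OPENSSLDIR)/include
OBJ = foo.o
LIB = libfoo.so.1
CMD = cmd
OPTS=-Wl,-soname,$(LIB)

# all and clean name actions, not files.
.PHONY: all clean

all: foobar foobar2 cmd

# foobar loads $(LIB) with dlopen() at run time, so it links only against libdl.
foobar: $(LIB) foobar.cpp
	$(CC) -o $@ $@.cpp -Wall -ldl -lstdc++

# foobar2 binds to the library at link time through the libfoo.so symlink.
foobar2: $(LIB) foobar2.cpp
	$(CC) -o $@ $@.cpp -Wall -I. -L. -lfoo -lstdc++

# fipsld wraps the link so the FIPS fingerprint is embedded. Per the debug
# trace on this page it links once, computes an HMAC-SHA1 signature of the
# result, then links again with -DHMAC_SHA1_SIG=<signature>.
# FIPS_OPTS is not defined in this file; it expands to nothing unless it is
# passed in from the command line or the environment.
# NOTE(review): $(OPENSSLDIR)/lib holds both libcrypto.a and libcrypto.so, and
# with -L... -lcrypto the linker normally prefers the shared object, so this
# may not be the static link the description intends. The thread reports the
# same failure with the explicit libcrypto.a path.
$(LIB): $(OBJ)
	rm -f libfoo.so
	FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -shared $(FIPS_OPTS) $(OPTS) \
	-o $(LIB) $(OBJ) -L$(OPENSSLDIR)/lib -lcrypto -lstdc++
	ln -s ./libfoo.so.1 ./libfoo.so

# cmd links the static libcrypto.a by explicit path, again through fipsld.
$(CMD): cmd.cpp
	FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -o $(CMD) $(CMD).cpp -Wall \
	$(INCLUDES) $(LIBCRYPTO) -lstdc++

# Position-independent object for the shared library.
$(OBJ): foo.cpp
	$(CC) -c foo.cpp -fPIC -Wall $(INCLUDES) -I.

clean:
	rm -rf $(LIB) $(OBJ) $(CMD) *.so foobar foobar2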
===> Here is the debug output of fipsld:
$ make clean
rm -rf libfoo.so.1 foo.o cmd *.so foobar foobar2
$ make
gcc -c foo.cpp -fPIC -Wall -I./openssl-0.9.8o-fips/include -I.
rm -f libfoo.so
FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -shared -Wl,-
soname,libfoo.so.1 \
-o libfoo.so.1 foo.o -L./openssl-0.9.8o-fips/lib -lcrypto
-lstdc++
+ CC=gcc
+ [ -n gcc ]
+ [ x-shared != x -a x-shared != x-c -a x-shared != x-E ]
+ shift
+ [ x-Wl,-soname,libfoo.so.1 != x -a x-Wl,-soname,libfoo.so.1 != x-c -
a x-Wl,-soname,libfoo.so.1 != x-E ]
+ shift
+ [ x-o != x -a x-o != x-c -a x-o != x-E ]
+ shift
+ [ xlibfoo.so.1 != x -a xlibfoo.so.1 != x-c -a xlibfoo.so.1 != x-E ]
+ shift
+ [ xfoo.o != x -a xfoo.o != x-c -a xfoo.o != x-E ]
+ shift
+ [ x-L./openssl-0.9.8o-fips/lib != x -a x-L./openssl-0.9.8o-fips/lib !
= x-c -a x-L./openssl-0.9.8o-fips/lib != x-E ]
+ shift
+ [ x-lcrypto != x -a x-lcrypto != x-c -a x-lcrypto != x-E ]
+ shift
+ [ x-lstdc++ != x -a x-lstdc++ != x-c -a x-lstdc++ != x-E ]
+ shift
+ [ x != x -a x != x-c -a x != x-E ]
+ [ 0 -ge 1 ]
+ [ x-shared != x -a x-shared != x-o ]
+ shift
+ [ x-Wl,-soname,libfoo.so.1 != x -a x-Wl,-soname,libfoo.so.1 != x-o ]
+ shift
+ [ x-o != x -a x-o != x-o ]
+ echo libfoo.so.1
+ TARGET=libfoo.so.1
+ basename libfoo.so.1
+ [ -n libfoo.so.1 ]
+ [ x-shared != x -a x-shared != x-DDEBUG_FINGERPRINT_PREMAIN ]
+ shift
+ [ x-Wl,-soname,libfoo.so.1 != x -a x-Wl,-soname,libfoo.so.1 != x-
DDEBUG_FINGERPRINT_PREMAIN ]
+ shift
+ [ x-o != x -a x-o != x-DDEBUG_FINGERPRINT_PREMAIN ]
+ shift
+ [ xlibfoo.so.1 != x -a xlibfoo.so.1 != x-DDEBUG_FINGERPRINT_PREMAIN ]
+ shift
+ [ xfoo.o != x -a xfoo.o != x-DDEBUG_FINGERPRINT_PREMAIN ]
+ shift
+ [ x-L./openssl-0.9.8o-fips/lib != x -a x-L./openssl-0.9.8o-fips/lib !
= x-DDEBUG_FINGERPRINT_PREMAIN ]
+ shift
+ [ x-lcrypto != x -a x-lcrypto != x-DDEBUG_FINGERPRINT_PREMAIN ]
+ shift
+ [ x-lstdc++ != x -a x-lstdc++ != x-DDEBUG_FINGERPRINT_PREMAIN ]
+ shift
+ [ x != x -a x != x-DDEBUG_FINGERPRINT_PREMAIN ]
+ [ 0 -ge 1 ]
+ sed -e+ echo ./openssl-0.9.8o-fips/bin/fipsld
s|[^/]*$||
+ THERE=./openssl-0.9.8o-fips/bin/..
+ [ x-shared != x ]
+ shift
+ [ x-Wl,-soname,libfoo.so.1 != x ]
+ shift
+ [ x-o != x ]
+ shift
+ [ xlibfoo.so.1 != x ]
+ shift
+ [ xfoo.o != x ]
+ shift
+ [ x-L./openssl-0.9.8o-fips/lib != x ]
+ shift
+ [ x-lcrypto != x ]
+ shift
+ [ x-lstdc++ != x ]
+ shift
+ [ x != x ]
+ CANISTER_O=
+ [ -z ]
+ [ -n ]
+ [ -f ./openssl-0.9.8o-fips/bin/../fips/fipscanister.o ]
+ [ -f ./openssl-0.9.8o-fips/bin/../lib/fipscanister.o ]
+ CANISTER_O=./openssl-0.9.8o-fips/bin/../lib/fipscanister.o
+ CANISTER_O_CMD=./openssl-0.9.8o-fips/bin/../lib/fipscanister.o
+ [ -f ./openssl-0.9.8o-fips/bin/../lib/fipscanister.o ]
+ dirname ./openssl-0.9.8o-fips/bin/../lib/fipscanister.o
+ PREMAIN_C=./openssl-0.9.8o-fips/bin/../lib/fips_premain.c
+ HMAC_KEY=etaonrishdlcupfm
+ TARGET=./libfoo.so.1
+ basename ./libfoo.so.1
+ FINGERTYPE=./openssl-0.9.8o-fips/bin/../fips/fips_standalone_sha1
+ diff -w ./openssl-0.9.8o-fips/bin/../lib/fips_premain.c.sha1 -
+ sed s/(.*\//(/
+ ./openssl-0.9.8o-fips/bin/../fips/fips_standalone_sha1 ./
openssl-0.9.8o-fips/bin/../lib/fips_premain.c
+ diff -w ./openssl-0.9.8o-fips/bin/../lib/fipscanister.o.sha1 -
+ + ./openssl-0.9.8o-fips/bin/../fips/fips_standalone_sha1 ./
openssl-0.9.8o-fips/bin/../lib/fipscanister.o
sed s/(.*\//(/
+ [ -f ./openssl-0.9.8o-fips/bin/../libcrypto.a ]
+ /bin/rm -f ./libfoo.so.1
+ gcc ./openssl-0.9.8o-fips/bin/../lib/fipscanister.o ./openssl-0.9.8o-
fips/bin/../lib/fips_premain.c -shared -Wl,-soname,libfoo.so.1 -o
libfoo.so.1 foo.o -L./openssl-0.9.8o-fips/lib -lcrypto -lstdc++
+ [ -z ]
+ ./openssl-0.9.8o-fips/bin/../fips/fips_premain_dso ./libfoo.so.1
+ SIG=f2a427ac9a1d602b725e1d9ba0302b85979220d8
+ /bin/rm -f ./libfoo.so.1
+ [ -z f2a427ac9a1d602b725e1d9ba0302b85979220d8 ]
+ gcc ./openssl-0.9.8o-fips/bin/../lib/fipscanister.o -
DHMAC_SHA1_SIG="f2a427ac9a1d602b725e1d9ba0302b85979220d8" ./
openssl-0.9.8o-fips/bin/../lib/fips_premain.c -shared -Wl,-
soname,libfoo.so.1 -o libfoo.so.1 foo.o -L./openssl-0.9.8o-fips/lib -
lcrypto -lstdc++
ln -s ./libfoo.so.1 ./libfoo.so
gcc -o foobar foobar.cpp -Wall -ldl -lstdc++
gcc -o foobar2 foobar2.cpp -Wall -I. -L. -lfoo -lstdc++
FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -o cmd cmd.cpp -Wall \
-I./openssl-0.9.8o-fips/include ./openssl-0.9.8o-fips/lib/
libcrypto.a -lstdc++
+ CC=gcc
+ [ -n gcc ]
+ [ x-o != x -a x-o != x-c -a x-o != x-E ]
+ shift
+ [ xcmd != x -a xcmd != x-c -a xcmd != x-E ]
+ shift
+ [ xcmd.cpp != x -a xcmd.cpp != x-c -a xcmd.cpp != x-E ]
+ shift
+ [ x-Wall != x -a x-Wall != x-c -a x-Wall != x-E ]
+ shift
+ [ x-I./openssl-0.9.8o-fips/include != x -a x-I./openssl-0.9.8o-fips/
include != x-c -a x-I./openssl-0.9.8o-fips/include != x-E ]
+ shift
+ [ x./openssl-0.9.8o-fips/lib/libcrypto.a != x -a x./openssl-0.9.8o-
fips/lib/libcrypto.a != x-c -a x./openssl-0.9.8o-fips/lib/libcrypto.a !
= x-E ]
+ shift
+ [ x-lstdc++ != x -a x-lstdc++ != x-c -a x-lstdc++ != x-E ]
+ shift
+ [ x != x -a x != x-c -a x != x-E ]
+ [ 0 -ge 1 ]
+ [ x-o != x -a x-o != x-o ]
+ echo cmd
+ TARGET=cmd
+ basename cmd
+ [ -n cmd ]
+ [ x-o != x -a x-o != x-DDEBUG_FINGERPRINT_PREMAIN ]
+ shift
+ [ xcmd != x -a xcmd != x-DDEBUG_FINGERPRINT_PREMAIN ]
+ shift
+ [ xcmd.cpp != x -a xcmd.cpp != x-DDEBUG_FINGERPRINT_PREMAIN ]
+ shift
+ [ x-Wall != x -a x-Wall != x-DDEBUG_FINGERPRINT_PREMAIN ]
+ shift
+ [ x-I./openssl-0.9.8o-fips/include != x -a x-I./openssl-0.9.8o-fips/
include != x-DDEBUG_FINGERPRINT_PREMAIN ]
+ shift
+ [ x./openssl-0.9.8o-fips/lib/libcrypto.a != x -a x./openssl-0.9.8o-
fips/lib/libcrypto.a != x-DDEBUG_FINGERPRINT_PREMAIN ]
+ shift
+ [ x-lstdc++ != x -a x-lstdc++ != x-DDEBUG_FINGERPRINT_PREMAIN ]
+ shift
+ [ x != x -a x != x-DDEBUG_FINGERPRINT_PREMAIN ]
+ [ 0 -ge 1 ]
+ echo ./openssl-0.9.8o-fips/bin/fipsld
+ sed -e s|[^/]*$||
+ THERE=./openssl-0.9.8o-fips/bin/..
+ [ x-o != x ]
+ shift
+ [ xcmd != x ]
+ shift
+ [ xcmd.cpp != x ]
+ shift
+ [ x-Wall != x ]
+ shift
+ [ x-I./openssl-0.9.8o-fips/include != x ]
+ shift
+ [ x./openssl-0.9.8o-fips/lib/libcrypto.a != x ]
+ shift
+ [ x-lstdc++ != x ]
+ shift
+ [ x != x ]
+ CANISTER_O=
+ [ -z ]
+ [ -n ]
+ [ -f ./openssl-0.9.8o-fips/bin/../fips/fipscanister.o ]
+ [ -f ./openssl-0.9.8o-fips/bin/../lib/fipscanister.o ]
+ CANISTER_O=./openssl-0.9.8o-fips/bin/../lib/fipscanister.o
+ CANISTER_O_CMD=./openssl-0.9.8o-fips/bin/../lib/fipscanister.o
+ [ -f ./openssl-0.9.8o-fips/bin/../lib/fipscanister.o ]
+ dirname ./openssl-0.9.8o-fips/bin/../lib/fipscanister.o
+ PREMAIN_C=./openssl-0.9.8o-fips/bin/../lib/fips_premain.c
+ HMAC_KEY=etaonrishdlcupfm
+ TARGET=./cmd
+ basename ./cmd
+ [ -x ./openssl-0.9.8o-fips/bin/../fips/fips_standalone_sha1 ]
+ FINGERTYPE=./openssl-0.9.8o-fips/bin/../fips/fips_standalone_sha1
+ diff -w ./openssl-0.9.8o-fips/bin/../lib/fipscanister.o.sha1 -
+ sed s/(.*\//(/
+ ./openssl-0.9.8o-fips/bin/../fips/fips_standalone_sha1 ./
openssl-0.9.8o-fips/bin/../lib/fipscanister.o
+ diff -w ./openssl-0.9.8o-fips/bin/../lib/fips_premain.c.sha1 -
+ sed s/(.*\//(/
+ ./openssl-0.9.8o-fips/bin/../fips/fips_standalone_sha1 ./
openssl-0.9.8o-fips/bin/../lib/fips_premain.c
+ /bin/rm -f ./cmd
+ gcc ./openssl-0.9.8o-fips/bin/../lib/fipscanister.o ./openssl-0.9.8o-
fips/bin/../lib/fips_premain.c -o cmd cmd.cpp -Wall -I./openssl-0.9.8o-
fips/include ./openssl-0.9.8o-fips/lib/libcrypto.a -lstdc++
+ [ -z ]
+ ./cmd
+ SIG=e955eac3d6725dd6ffe43eb6d1131fb602d87463
+ /bin/rm -f ./cmd
+ [ -z e955eac3d6725dd6ffe43eb6d1131fb602d87463 ]
+ gcc ./openssl-0.9.8o-fips/bin/../lib/fipscanister.o -
DHMAC_SHA1_SIG="e955eac3d6725dd6ffe43eb6d1131fb602d87463" ./
openssl-0.9.8o-fips/bin/../lib/fips_premain.c -o cmd cmd.cpp -Wall -I./
openssl-0.9.8o-fips/include ./openssl-0.9.8o-fips/lib/libcrypto.a -
lstdc++
$ ./foobar
SSL: 0:755404910:fips.c:238:0:error:
2D06906E:lib(45):func(105):reason(110)
FIPS_mode_set(1) failed
$ ./foobar2
SSL: 0:755404910:fips.c:238:0:error:
2D06906E:lib(45):func(105):reason(110)
FIPS_mode_set(1) failed
$ ./cmd
FIPS mode is enabled.
Thanks!
Bill
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org