On Wed October 13 2010, Bill wrote:
> Hello Mike,
>
> It is not a script:
>
> ===> Ubuntu 8.04
>
> $ cat /etc/lsb-release
> DISTRIB_ID=Ubuntu
> DISTRIB_RELEASE=8.04
> DISTRIB_CODENAME=hardy
> DISTRIB_DESCRIPTION="Ubuntu 8.04.4 LTS"
>
> $ which gcc
> /usr/bin/gcc
>
> $ file /usr/bin/gcc
> /usr/bin/gcc: symbolic link to `gcc-4.2'
>
> $ cd /usr/bin
>
> $ file gcc-4.2
> gcc-4.2: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for
> GNU/Linux 2.6.8, dynamically linked (uses shared libs), stripped
>
> ===> Ubuntu 10.04
>
> $ which gcc
> /usr/bin/gcc
>
> $ file /usr/bin/gcc
> /usr/bin/gcc: symbolic link to `gcc-4.4'
>
> $ cd /usr/bin
>
> $ file gcc-4.4
> gcc-4.4: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV),
> dynamically linked (uses shared libs), for GNU/Linux 2.6.15, stripped
>
> $ cat /etc/lsb-release
> DISTRIB_ID=Ubuntu
> DISTRIB_RELEASE=10.04
> DISTRIB_CODENAME=lucid
> DISTRIB_DESCRIPTION="Ubuntu 10.04 LTS"
>
> Any ideas about how to make it work?
>
Not a clue.
Just that I follow other projects where the Ubuntu change did cause
problems. I don't have any links handy about what they needed to do.
Mike
> Thanks,
>
> Bill
>
> On Oct 13, 2010, at 6:01 AM, Michael S. Zick wrote:
>
> > On Tue October 12 2010, Bill wrote:
> >> Hello Steve,
> >>
> >> Good eye! That got rid of the compilation error.
> >>
> >> However, FIPS_mode_set(1) fails when it gets called from a "shared"
> >> library that links with the "static" version of the FIPS-capable
> >> OpenSSL library.
> >>
> >> Calling FIPS_mode_set(1) works fine when called directly from an
> >> executable that has been compiled with the static version of the FIPS
> >> capable OpenSSL library.
> >>
> >> The same scenario works fine on Mac OS X (Leopard and Snow Leopard).
> >> So it looks like this problem is specific to Ubuntu Linux.
> >>
> >
> > Do a "file path_to/gcc" see if it is a compiled program or a script.
> >
> > Depending on the update age of your Ubuntu distribution, you may find
> > that it is a script now.
> >
> > That might make a difference if it is.
> >
> > Mike
> >> Is there a trick to make this work?
> >>
> >> Here are the details:
> >>
> >> $ make
> >> gcc -c foo.cpp -fPIC -Wall -I./openssl-0.9.8o-fips/include -I.
> >> rm -f libfoo.so
> >> FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -shared -Wl,-
> >> soname,libfoo.so.1 -o libfoo.so.1 foo.o \
> >> ./openssl-0.9.8o-fips/lib/libcrypto.a -lstdc++
> >> ln -s ./libfoo.so.1 ./libfoo.so
> >> gcc -o foobar foobar.cpp -Wall -I. -L. -lfoo -lstdc++
> >>
> >> $ ./foobar
> >> SSL: 0:755404910:fips.c:238:0:error:
> >> 2D06906E:lib(45):func(105):reason(110)
> >> FIPS_mode_set(1) failed
> >>
> >> $ ./cmd
> >> FIPS mode is enabled.
> >>
> >> $ cat foo.cpp
> >> #include <stdio.h>
> >> #include <foo.h>
> >> #include <openssl/err.h>
> >> #include <openssl/evp.h>
> >>
> >> int
> >> fips_check(void)
> >> {
> >> unsigned long fipscode;
> >> unsigned long code;
> >>
> >> if(1 == (fipscode = FIPS_mode_set(1))) {
> >> printf("FIPS_mode_set(1) succeeded\n");
> >> } else {
> >> char err_msg[256+1];
> >> int flags, line; char *report_data, *file;
> >>
> >> code = ERR_get_error_line_data(
> >> (const char**)&file,
> >> &line,
> >> (const char**)&report_data,
> >> &flags);
> >>
> >> ERR_error_string_n(code, err_msg, 256);
> >>
> >> printf("SSL: %lu:%lu:%s:%d:%d:%s\n",
> >> fipscode, code, file, line, flags, err_msg);
> >>
> >> printf("FIPS_mode_set(1) failed\n");
> >>
> >> }
> >>
> >> return 0;
> >> }
> >>
> >> $ cat cmd.cpp
> >> #include <stdio.h>
> >> #include <openssl/evp.h>
> >>
> >> int
> >> main()
> >> {
> >> if (FIPS_mode_set(1) == 0) {
> >> printf("Failed to enable FIPS mode\n");
> >> } else {
> >> printf("FIPS mode is enabled.\n");
> >> }
> >> }
> >>
> >> $ cat foo.h
> >> #ifdef __cplusplus
> >> extern "C" {
> >> #endif
> >> int fips_check(void);
> >> #ifdef __cplusplus
> >> }
> >> #endif
> >>
> >> $ cat makefile
> >> CC = gcc
> >> OPENSSLDIR = ./openssl-0.9.8o-fips
> >> LIBCRYPTO = $(OPENSSLDIR)/lib/libcrypto.a
> >> INCLUDES = -I$(OPENSSLDIR)/include
> >> OBJ = foo.o
> >> LIB = libfoo.so.1
> >> CMD = cmd
> >> OPTS=-Wl,-soname,$(LIB)
> >>
> >> all: foobar cmd
> >>
> >> foobar: $(LIB) foobar2.cpp
> >> $(CC) -o $@ $...@.cpp -Wall -I. -L. -lfoo -lstdc++
> >>
> >> $(LIB): $(OBJ)
> >> rm -f libfoo.so
> >> FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -shared $(FIPS_OPTS) $
> >> (OPTS)
> >> -o $(LIB) $(OBJ) \
> >> $(LIBCRYPTO) -lstdc++
> >> ln -s ./libfoo.so.1 ./libfoo.so
> >>
> >> $(CMD): cmd.cpp
> >> FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -o $(CMD) $(CMD).cpp -
> >> Wall \
> >> $(INCLUDES) $(LIBCRYPTO) -lstdc++
> >>
> >> $(OBJ): foo.cpp
> >> $(CC) -c foo.cpp -fPIC -Wall $(INCLUDES) -I.
> >>
> >> clean:
> >> rm -rf $(LIB) $(OBJ) $(CMD) *.so foobar
> >>
> >> $ uname -a
> >> Linux ixoubuntu 2.6.32-22-generic #36-Ubuntu SMP Thu Jun 3 22:02:19
> >> UTC 2010 i686 GNU/Linux
> >>
> >> $ cat /etc/lsb-release
> >> DISTRIB_ID=Ubuntu
> >> DISTRIB_RELEASE=10.04
> >> DISTRIB_CODENAME=lucid
> >> DISTRIB_DESCRIPTION="Ubuntu 10.04 LTS"
> >>
> >> $ gcc --version
> >> gcc (Ubuntu 4.4.3-4ubuntu5) 4.4.3
> >> Copyright (C) 2009 Free Software Foundation, Inc.
> >> This is free software; see the source for copying conditions. There
> >> is NO
> >> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
> >> PURPOSE.
> >>
> >>
> >> On Oct 12, 2010, at 2:36 PM, Dr. Stephen Henson wrote:
> >>
> >>> On Tue, Oct 12, 2010, Bill wrote:
> >>>
> >>>> Hello,
> >>>>
> >>>> I have followed the FIPS UserGuide 1.2 to build a FIPS object
> >>>> module and a
> >>>> FIPS capable OpenSSL.
> >>>>
> >>>> I used openssl-fips-1.2.tar.gz and openssl-0.9.8o.tar.gz to build
> >>>> these.
> >>>>
> >>>> On Ubuntu, when I try to build a shared library that links with the
> >>>> FIPS-capable OpenSSL static library, I get the following link
> >>>> error:
> >>>>
> >>>> $ make
> >>>> FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -shared
> >>>> -W1,-soname,libfoo.so.1 \
> >>>> -o libfoo.so.1 foo.o ./openssl-0.9.8o-fips/lib/libcrypto.a
> >>>> cc1: error: unrecognized command line option "-W1,-
> >>>> soname,libfoo.so.
> >>>> 1"
> >>>> make: *** [libfoo.so.1] Error 1
> >>>>
> >>>
> >>> That should be -Wl (letter l) and not -W1 (figure 1) shouldn't it?
> >>>
> >>> Steve.
> >>> --
> >>> Dr Stephen N. Henson. OpenSSL project core developer.
> >>> Commercial tech support now available see: http://www.openssl.org
> >>> ______________________________________________________________________
> >>> OpenSSL Project http://www.openssl.org
> >>> User Support Mailing List openssl-users@openssl.org
> >>> Automated List Manager majord...@openssl.org
> >>
> >> ______________________________________________________________________
> >> OpenSSL Project http://
> >> www.openssl.org
> >> User Support Mailing List openssl-
> >> us...@openssl.org
> >> Automated List Manager
> >> majord...@openssl.org
> >>
> >>
> >
> >
> > ______________________________________________________________________
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing List openssl-users@openssl.org
> > Automated List Manager majord...@openssl.org
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
>
>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
