Re: Cannot build shared library on Linux with FIPS capable OpenSSL

Bill Durant Wed, 13 Oct 2010 13:22:14 -0700

On Oct 13, 2010, at 11:27 AM, Dr. Stephen Henson wrote:

On Wed, Oct 13, 2010, Bill wrote:

Hi Steve,

Thank you for the suggestion but It did not help:

$ make
gcc -c foo.cpp -fPIC -Wall -I./openssl-0.9.8o-fips/include -I.
rm -f libfoo.so
FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -shared
-Wl,-soname,libfoo.so.1 \
                -o libfoo.so.1 foo.o -L./openssl-0.9.8o-fips/lib -lcrypto 
-lstdc++
ln -s ./libfoo.so.1 ./libfoo.so
gcc -o foobar foobar.cpp -Wall -ldl -lstdc++
gcc -o foobar2 foobar2.cpp -Wall -I. -L. -lfoo -lstdc++
FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -o cmd cmd.cpp -Wall \

-I./openssl-0.9.8o-fips/include ./openssl-0.9.8o-fips/lib/libcrypto.a

-lstdc++

Install the validated module somewhere and set the environmentvariableFIPSLIBDIR to that directory before calling fipsld. Then use the -Loption to

the 0.9.8o fips capable OpenSSL.



Hello Steve,

I have applied your suggestion with a fresh install of the FIPScapable OpenSSL but the problem persists:


$ make clean
rm -rf libfoo.so.1 foo.o cmd *.so foobar foobar2

$ make
gcc -c foo.cpp -fPIC -Wall -I./openssl-0.9.8o-fips/include -I.
rm -f libfoo.so

FIPSLIBDIR=openssl-0.9.8o-fips/lib FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -shared -Wl,-soname,libfoo.so.1 \

                -o libfoo.so.1 foo.o -L./openssl-0.9.8o-fips/lib -lcrypto 
-lstdc++
ln -s ./libfoo.so.1 ./libfoo.so
gcc -o foobar foobar.cpp -Wall -ldl -lstdc++
gcc -o foobar2 foobar2.cpp -Wall -I. -L. -lfoo -lstdc++
FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -o cmd cmd.cpp -Wall \

-I./openssl-0.9.8o-fips/include ./openssl-0.9.8o-fips/lib/libcrypto.a -lstdc++


$ ./foobar

SSL: 0:755404910:fips.c:238:0:error:2D06906E:lib(45):func(105):reason(110)

FIPS_mode_set(1) failed

$ ./foobar2

./foobar2: error while loading shared libraries: libfoo.so.1: cannotopen shared object file: No such file or directory


$ ./cmd
FIPS mode is enabled.

$ cat makefile
CC = gcc
OPENSSLDIR = ./openssl-0.9.8o-fips
LIBCRYPTO = $(OPENSSLDIR)/lib/libcrypto.a
INCLUDES = -I$(OPENSSLDIR)/include
OBJ = foo.o
LIB = libfoo.so.1
CMD = cmd
OPTS=-Wl,-soname,$(LIB)

all: foobar foobar2 cmd

foobar: $(LIB) foobar.cpp
        $(CC) -o $@ $...@.cpp -Wall -ldl -lstdc++

foobar2: $(LIB) foobar2.cpp
        $(CC) -o $@ $...@.cpp -Wall -I. -L. -lfoo -lstdc++

$(LIB): $(OBJ)
        rm -f libfoo.so

FIPSLIBDIR=openssl-0.9.8o-fips/lib FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -shared $(FIPS_OPTS) $(OPTS) \

                -o $(LIB) $(OBJ) -L$(OPENSSLDIR)/lib -lcrypto -lstdc++
        ln -s ./libfoo.so.1 ./libfoo.so

$(CMD): cmd.cpp
        FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -o $(CMD) $(CMD).cpp -Wall \
                $(INCLUDES) $(LIBCRYPTO) -lstdc++

$(OBJ): foo.cpp
        $(CC) -c foo.cpp -fPIC -Wall $(INCLUDES) -I.

clean:
        rm -rf $(LIB) $(OBJ) $(CMD) *.so foobar foobar2

$ ll ./openssl-0.9.8o-fips/lib
total 5024
drwxr-xr-x 2 bdurant bdurant    4096 2010-10-13 12:59 engines
-r--r--r-- 1 bdurant bdurant  305263 2010-10-13 12:59 fipscanister.o

-r--r--r-- 1 bdurant bdurant 68 2010-10-13 12:59fipscanister.o.sha1

-r--r--r-- 1 bdurant bdurant    5396 2010-10-13 12:59 fips_premain.c

-r--r--r-- 1 bdurant bdurant 68 2010-10-13 12:59fips_premain.c.sha1

-rw-r--r-- 1 bdurant bdurant 2414458 2010-10-13 12:59 libcrypto.a

lrwxrwxrwx 1 bdurant bdurant 18 2010-10-13 12:59 libcrypto.so ->libcrypto.so.0.9.8

-r-xr-xr-x 1 bdurant bdurant 1603396 2010-10-13 12:59 libcrypto.so.0.9.8
-rw-r--r-- 1 bdurant bdurant  454006 2010-10-13 12:59 libssl.a

lrwxrwxrwx 1 bdurant bdurant 15 2010-10-13 12:59 libssl.so ->libssl.so.0.9.8

-r-xr-xr-x 1 bdurant bdurant  334014 2010-10-13 12:59 libssl.so.0.9.8
drwxr-xr-x 2 bdurant bdurant    4096 2010-10-13 12:59 pkgconfig
<--- bdur...@ixoubuntu[ubuntu 10.04 LTS(lucid)]:/home/bdurant/crita --->

$ openssl-0.9.8o-fips/bin/openssl version
OpenSSL 0.9.8o-fips 01 Jun 2010

$ echo $FIPSLIBDIR
openssl-0.9.8o-fips/lib

What else could it be?

Thanks,

Bill


Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Re: Cannot build shared library on Linux with FIPS capable OpenSSL

Reply via email to