Hello,

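The problem is resolved by passing the linker option -Wl,-Bsymbolic when
building the shared library. -Bsymbolic makes the linker bind the library's
own references to global symbols to the definitions inside the library,
which appears to be what the FIPS code linked into it needs for
FIPS_mode_set(1) to succeed.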

Here are the details:

On 32-bit Ubuntu 8.04, here is how to build a dynamic library that
statically links with the FIPS-capable crypto library from OpenSSL.

===> cmd.cpp

#include <stdio.h>
#include <openssl/evp.h>

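/*
 * Standalone check: try to switch the FIPS-capable libcrypto that is
 * linked into this executable into FIPS mode and report the result.
 *
 * Exit status: 0 when FIPS mode was enabled, 1 when FIPS_mode_set(1)
 * failed, so a calling script can tell the two cases apart without
 * parsing stdout.
 */
int
main()
{
    /* A return value of 0 means FIPS mode could not be enabled. */
    if (FIPS_mode_set(1) == 0) {
        printf("Failed to enable FIPS mode\n");
        return 1;   /* fail closed: never report success on this path */
    }

    printf("FIPS mode is enabled.\n");
    return 0;
}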

===> foobar.cpp

#include <stdio.h>

/* Defined in foo.cpp and reached through libfoo (this program links -lfoo). */
int fips_check();

/*
 * Driver for the shared-library case: the FIPS check runs inside the
 * library, not in this executable. The result of fips_check() is not
 * inspected here; the outcome is whatever fips_check() prints.
 */
int
main()
{
    (void)fips_check();
    return 0;
}

===> foo.cpp

#include <stdio.h>
#include <openssl/evp.h>
#include <openssl/err.h>

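/*
 * Try to put the FIPS-capable libcrypto that is linked into this
 * library into FIPS mode, and print the outcome on stdout.
 *
 * On failure the first entry of the OpenSSL error queue is printed as
 *   SSL: <FIPS_mode_set result>:<error code>:<file>:<line>:<flags>:<text>
 * followed by a failure line.
 *
 * Returns 1 when FIPS mode was enabled and 0 when it was not, so a
 * caller can refuse to continue instead of relying on the printed text.
 */
int
fips_check()
{
    /* Keep the result: it is printed in the diagnostic line below. */
    unsigned long fipscode = FIPS_mode_set(1);

    if (1 == fipscode) {
        printf("FIPS mode is enabled.\n");
        return 1;
    }

    char err_msg[256 + 1];
    /*
     * Initialised because ERR_get_error_line_data() may leave the
     * out-parameters untouched when the error queue is empty; printing
     * them unset would read indeterminate values.
     */
    const char *file = NULL;
    const char *report_data = NULL;
    int line = 0;
    int flags = 0;

    unsigned long code =
        ERR_get_error_line_data(&file, &line, &report_data, &flags);

    /*
     * ERR_error_string_n() always NUL-terminates within the given size.
     * The text stays numeric (lib/func/reason numbers) unless error
     * strings were loaded beforehand, e.g. with ERR_load_crypto_strings().
     */
    ERR_error_string_n(code, err_msg, sizeof(err_msg));

    printf("SSL: %lu:%lu:%s:%d:%d:%s\n",
           fipscode, code, file ? file : "(none)", line, flags, err_msg);

    printf("Failed to enable FIPS mode\n");
    return 0;
}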


===> makefile

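# Builds three artifacts:
#   libfoo.so.1  shared library with the FIPS-capable static libcrypto linked in
#   cmd          standalone program with the same static libcrypto linked in
#   foobar       program that reaches the FIPS code only through libfoo
#
# Both artifacts that contain libcrypto.a are linked through fipsld rather
# than plain $(CC). Per the fipsld debug trace quoted in this thread, fipsld
# checks fipscanister.o and fips_premain.c against their .sha1 files and
# embeds an HMAC-SHA1 signature in the output; FIPSLD_CC names the compiler
# that fipsld invokes.

CC = gcc
OPENSSLDIR = openssl-0.9.8q-fips
LIBCRYPTO = $(OPENSSLDIR)/lib/libcrypto.a
INCLUDES = -I$(OPENSSLDIR)/include
OBJ = foo.o
LIB = libfoo.so.1
CMD = cmd

# -Bsymbolic binds the library's references to global symbols to the
# definitions inside the library itself. It is the option this thread found
# necessary for FIPS_mode_set(1) to succeed from inside the shared library;
# do not drop it when editing the link flags.
OPTS = -Wl,-Bsymbolic,-soname,$(LIB)

FIPSLD = $(OPENSSLDIR)/bin/fipsld

PROGS = cmd foobar

.PHONY: all clean

all: $(PROGS)

# foobar.cpp is listed so that editing it triggers a relink.
foobar: $(LIB) foobar.cpp
	$(CC) -o $@ $@.cpp -L. -lfoo

# libfoo.so is the unversioned name that -lfoo resolves at link time.
$(LIB): $(OBJ)
	rm -f $(LIB) libfoo.so
	FIPSLD_CC=$(CC) $(FIPSLD) -shared $(OPTS) -o $@ $(OBJ) $(LIBCRYPTO) -lstdc++
	ln -s $(LIB) libfoo.so

$(CMD): cmd.cpp
	FIPSLD_CC=$(CC) $(FIPSLD) -o $@ $< $(INCLUDES) $(LIBCRYPTO) -lstdc++

$(OBJ): foo.cpp
	$(CC) -c $< -fPIC $(INCLUDES) -o $@

clean:
	rm -f $(LIB) $(OBJ) $(PROGS) *.so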

===> Build

$ make
FIPSLD_CC=gcc openssl-0.9.8q-fips/bin/fipsld -o cmd cmd.cpp
-Iopenssl-0.9.8q-fips/include openssl-0.9.8q-fips/lib/libcrypto.a -lstdc++
gcc -c foo.cpp -fPIC -Iopenssl-0.9.8q-fips/include
rm -f libfoo.so.1 libfoo.so
FIPSLD_CC=gcc openssl-0.9.8q-fips/bin/fipsld -shared
-Wl,-Bsymbolic,-soname,libfoo.so.1 -o libfoo.so.1 foo.o
openssl-0.9.8q-fips/lib/libcrypto.a -lstdc++
ln -s libfoo.so.1 libfoo.so
gcc -o foobar foobar.cpp -L. -lfoo

===> Run

$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04.4 LTS"

$ uname -m
i686

$ ldd cmd
linux-gate.so.1 =>  (0xb76ee000)
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0xb75eb000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb749c000)
libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0xb7476000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0xb746b000)
/lib/ld-linux.so.2 (0xb76ef000)

$ ldd foobar
linux-gate.so.1 =>  (0xb775b000)
libfoo.so.1 => ./libfoo.so.1 (0xb76f2000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7595000)
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0xb74a1000)
/lib/ld-linux.so.2 (0xb775c000)
libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0xb747c000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0xb7471000)

$ ./cmd
FIPS mode is enabled.

$ ./foobar
FIPS mode is enabled.

Bill

On Wed, Oct 13, 2010 at 1:21 PM, Bill Durant <[email protected]> wrote:

> Here is the result with fipsld in debug mode:
>
> $ make clean
> rm -rf libfoo.so.1 foo.o cmd *.so foobar foobar2
>
>
> $ make
> gcc -c foo.cpp -fPIC -Wall -I./openssl-0.9.8o-fips/include -I.
> rm -f libfoo.so
> FIPSLIBDIR=openssl-0.9.8o-fips/lib FIPSLD_CC=gcc
> ./openssl-0.9.8o-fips/bin/fipsld -shared  -Wl,-soname,libfoo.so.1 \
>
>                -o libfoo.so.1 foo.o -L./openssl-0.9.8o-fips/lib -lcrypto
> -lstdc++
> + CC=gcc
> + [ -n gcc ]
> + [ x-shared != x -a x-shared != x-c -a x-shared != x-E ]
> + shift
> + [ x-Wl,-soname,libfoo.so.1 != x -a x-Wl,-soname,libfoo.so.1 != x-c -a
> x-Wl,-soname,libfoo.so.1 != x-E ]
> + shift
> + [ x-o != x -a x-o != x-c -a x-o != x-E ]
> + shift
> + [ xlibfoo.so.1 != x -a xlibfoo.so.1 != x-c -a xlibfoo.so.1 != x-E ]
> + shift
> + [ xfoo.o != x -a xfoo.o != x-c -a xfoo.o != x-E ]
> + shift
> + [ x-L./openssl-0.9.8o-fips/lib != x -a x-L./openssl-0.9.8o-fips/lib !=
> x-c -a x-L./openssl-0.9.8o-fips/lib != x-E ]
> + shift
> + [ x-lcrypto != x -a x-lcrypto != x-c -a x-lcrypto != x-E ]
> + shift
> + [ x-lstdc++ != x -a x-lstdc++ != x-c -a x-lstdc++ != x-E ]
> + shift
> + [ x != x -a x != x-c -a x != x-E ]
> + [ 0 -ge 1 ]
> + [ x-shared != x -a x-shared != x-o ]
> + shift
> + [ x-Wl,-soname,libfoo.so.1 != x -a x-Wl,-soname,libfoo.so.1 != x-o ]
> + shift
> + [ x-o != x -a x-o != x-o ]
> + echo libfoo.so.1
> + TARGET=libfoo.so.1
> + basename libfoo.so.1
> + [ -n libfoo.so.1 ]
> + [ x-shared != x -a x-shared != x-DDEBUG_FINGERPRINT_PREMAIN ]
> + shift
> + [ x-Wl,-soname,libfoo.so.1 != x -a x-Wl,-soname,libfoo.so.1 !=
> x-DDEBUG_FINGERPRINT_PREMAIN ]
> + shift
> + [ x-o != x -a x-o != x-DDEBUG_FINGERPRINT_PREMAIN ]
> + shift
> + [ xlibfoo.so.1 != x -a xlibfoo.so.1 != x-DDEBUG_FINGERPRINT_PREMAIN ]
> + shift
> + [ xfoo.o != x -a xfoo.o != x-DDEBUG_FINGERPRINT_PREMAIN ]
> + shift
> + [ x-L./openssl-0.9.8o-fips/lib != x -a x-L./openssl-0.9.8o-fips/lib !=
> x-DDEBUG_FINGERPRINT_PREMAIN ]
> + shift
> + [ x-lcrypto != x -a x-lcrypto != x-DDEBUG_FINGERPRINT_PREMAIN ]
> + shift
> + [ x-lstdc++ != x -a x-lstdc++ != x-DDEBUG_FINGERPRINT_PREMAIN ]
> + shift
> + [ x != x -a x != x-DDEBUG_FINGERPRINT_PREMAIN ]
> + [ 0 -ge 1 ]
> + sed -e s|[^/]*$||
> + echo ./openssl-0.9.8o-fips/bin/fipsld
>
> + THERE=./openssl-0.9.8o-fips/bin/..
> + [ x-shared != x ]
> + shift
> + [ x-Wl,-soname,libfoo.so.1 != x ]
> + shift
> + [ x-o != x ]
> + shift
> + [ xlibfoo.so.1 != x ]
> + shift
> + [ xfoo.o != x ]
> + shift
> + [ x-L./openssl-0.9.8o-fips/lib != x ]
> + shift
> + [ x-lcrypto != x ]
> + shift
> + [ x-lstdc++ != x ]
> + shift
> + [ x != x ]
> + CANISTER_O=
> + [ -z  ]
> + [ -n openssl-0.9.8o-fips/lib ]
> + CANISTER_O=openssl-0.9.8o-fips/lib/fipscanister.o
> + CANISTER_O_CMD=openssl-0.9.8o-fips/lib/fipscanister.o
> + [ -f openssl-0.9.8o-fips/lib/fipscanister.o ]
> + dirname openssl-0.9.8o-fips/lib/fipscanister.o
> + PREMAIN_C=openssl-0.9.8o-fips/lib/fips_premain.c
>
> + HMAC_KEY=etaonrishdlcupfm
> + TARGET=./libfoo.so.1
> + basename ./libfoo.so.1
> + FINGERTYPE=./openssl-0.9.8o-fips/bin/../fips/fips_standalone_sha1
> + diff -w openssl-0.9.8o-fips/lib/fips_premain.c.sha1 -
> + sed s/(.*\//(/
> + ./openssl-0.9.8o-fips/bin/../fips/fips_standalone_sha1
> openssl-0.9.8o-fips/lib/fips_premain.c
> + diff -w openssl-0.9.8o-fips/lib/fipscanister.o.sha1 -
> + sed s/(.*\//(/
> + ./openssl-0.9.8o-fips/bin/../fips/fips_standalone_sha1
> openssl-0.9.8o-fips/lib/fipscanister.o
>
> + [ -f ./openssl-0.9.8o-fips/bin/../libcrypto.a ]
> + /bin/rm -f ./libfoo.so.1
> + gcc openssl-0.9.8o-fips/lib/fipscanister.o
> openssl-0.9.8o-fips/lib/fips_premain.c -shared -Wl,-soname,libfoo.so.1 -o
> libfoo.so.1 foo.o -L./openssl-0.9.8o-fips/lib -lcrypto -lstdc++
>
> + [ -z  ]
> + ./openssl-0.9.8o-fips/bin/../fips/fips_premain_dso ./libfoo.so.1
> + SIG=f2a427ac9a1d602b725e1d9ba0302b85979220d8
> + /bin/rm -f ./libfoo.so.1
> + [ -z f2a427ac9a1d602b725e1d9ba0302b85979220d8 ]
> + gcc openssl-0.9.8o-fips/lib/fipscanister.o
> -DHMAC_SHA1_SIG="f2a427ac9a1d602b725e1d9ba0302b85979220d8"
> openssl-0.9.8o-fips/lib/fips_premain.c -shared -Wl,-soname,libfoo.so.1 -o
> libfoo.so.1 foo.o -L./openssl-0.9.8o-fips/lib -lcrypto -lstdc++
>
> ln -s ./libfoo.so.1 ./libfoo.so
> gcc -o foobar foobar.cpp -Wall -ldl -lstdc++
> gcc -o foobar2 foobar2.cpp -Wall -I. -L. -lfoo -lstdc++
> FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -o cmd cmd.cpp -Wall \
>                -I./openssl-0.9.8o-fips/include
> ./openssl-0.9.8o-fips/lib/libcrypto.a -lstdc++
> + CC=gcc
> + [ -n gcc ]
> + [ x-o != x -a x-o != x-c -a x-o != x-E ]
> + shift
> + [ xcmd != x -a xcmd != x-c -a xcmd != x-E ]
> + shift
> + [ xcmd.cpp != x -a xcmd.cpp != x-c -a xcmd.cpp != x-E ]
> + shift
> + [ x-Wall != x -a x-Wall != x-c -a x-Wall != x-E ]
> + shift
> + [ x-I./openssl-0.9.8o-fips/include != x -a
> x-I./openssl-0.9.8o-fips/include != x-c -a x-I./openssl-0.9.8o-fips/include
> != x-E ]
> + shift
> + [ x./openssl-0.9.8o-fips/lib/libcrypto.a != x -a
> x./openssl-0.9.8o-fips/lib/libcrypto.a != x-c -a
> x./openssl-0.9.8o-fips/lib/libcrypto.a != x-E ]
> + shift
> + [ x-lstdc++ != x -a x-lstdc++ != x-c -a x-lstdc++ != x-E ]
> + shift
> + [ x != x -a x != x-c -a x != x-E ]
> + [ 0 -ge 1 ]
> + [ x-o != x -a x-o != x-o ]
> + echo cmd
> + TARGET=cmd
> + basename cmd
> + [ -n cmd ]
> + [ x-o != x -a x-o != x-DDEBUG_FINGERPRINT_PREMAIN ]
> + shift
> + [ xcmd != x -a xcmd != x-DDEBUG_FINGERPRINT_PREMAIN ]
> + shift
> + [ xcmd.cpp != x -a xcmd.cpp != x-DDEBUG_FINGERPRINT_PREMAIN ]
> + shift
> + [ x-Wall != x -a x-Wall != x-DDEBUG_FINGERPRINT_PREMAIN ]
> + shift
> + [ x-I./openssl-0.9.8o-fips/include != x -a
> x-I./openssl-0.9.8o-fips/include != x-DDEBUG_FINGERPRINT_PREMAIN ]
> + shift
> + [ x./openssl-0.9.8o-fips/lib/libcrypto.a != x -a
> x./openssl-0.9.8o-fips/lib/libcrypto.a != x-DDEBUG_FINGERPRINT_PREMAIN ]
>
> + shift
> + [ x-lstdc++ != x -a x-lstdc++ != x-DDEBUG_FINGERPRINT_PREMAIN ]
> + shift
> + [ x != x -a x != x-DDEBUG_FINGERPRINT_PREMAIN ]
> + [ 0 -ge 1 ]
> + sed -e s|[^/]*$||
> + echo ./openssl-0.9.8o-fips/bin/fipsld
>
> + THERE=./openssl-0.9.8o-fips/bin/..
> + [ x-o != x ]
> + shift
> + [ xcmd != x ]
> + shift
> + [ xcmd.cpp != x ]
> + shift
> + [ x-Wall != x ]
> + shift
> + [ x-I./openssl-0.9.8o-fips/include != x ]
> + shift
> + [ x./openssl-0.9.8o-fips/lib/libcrypto.a != x ]
>
> + shift
> + [ x-lstdc++ != x ]
> + shift
> + [ x != x ]
> + CANISTER_O=
> + [ -z  ]
> + [ -n openssl-0.9.8o-fips/lib ]
> + CANISTER_O=openssl-0.9.8o-fips/lib/fipscanister.o
> + CANISTER_O_CMD=openssl-0.9.8o-fips/lib/fipscanister.o
> + [ -f openssl-0.9.8o-fips/lib/fipscanister.o ]
> + dirname openssl-0.9.8o-fips/lib/fipscanister.o
> + PREMAIN_C=openssl-0.9.8o-fips/lib/fips_premain.c
>
> + HMAC_KEY=etaonrishdlcupfm
> + TARGET=./cmd
> + basename ./cmd
> + [ -x ./openssl-0.9.8o-fips/bin/../fips/fips_standalone_sha1 ]
> + FINGERTYPE=./openssl-0.9.8o-fips/bin/../fips/fips_standalone_sha1
> + diff -w openssl-0.9.8o-fips/lib/fipscanister.o.sha1 -
> + sed s/(.*\//(/
> + ./openssl-0.9.8o-fips/bin/../fips/fips_standalone_sha1
> openssl-0.9.8o-fips/lib/fipscanister.o
> + diff -w openssl-0.9.8o-fips/lib/fips_premain.c.sha1 -
> + sed s/(.*\//(/
> + ./openssl-0.9.8o-fips/bin/../fips/fips_standalone_sha1
> openssl-0.9.8o-fips/lib/fips_premain.c
> + /bin/rm -f ./cmd
> + gcc openssl-0.9.8o-fips/lib/fipscanister.o
> openssl-0.9.8o-fips/lib/fips_premain.c -o cmd cmd.cpp -Wall
> -I./openssl-0.9.8o-fips/include ./openssl-0.9.8o-fips/lib/libcrypto.a
> -lstdc++
>
> + [ -z  ]
> + ./cmd
> + SIG=e955eac3d6725dd6ffe43eb6d1131fb602d87463
> + /bin/rm -f ./cmd
> + [ -z e955eac3d6725dd6ffe43eb6d1131fb602d87463 ]
> + gcc openssl-0.9.8o-fips/lib/fipscanister.o
> -DHMAC_SHA1_SIG="e955eac3d6725dd6ffe43eb6d1131fb602d87463"
> openssl-0.9.8o-fips/lib/fips_premain.c -o cmd cmd.cpp -Wall
> -I./openssl-0.9.8o-fips/include ./openssl-0.9.8o-fips/lib/libcrypto.a
> -lstdc++
>
> $ ldd foobar
>        linux-gate.so.1 =>  (0x003ab000)
>        libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0x006e1000)
>        libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00e8a000)
>        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x0046c000)
>        /lib/ld-linux.so.2 (0x009f7000)
>        libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0x00d26000)
>        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00fd7000)
>
> $ ldd foobar2
>        linux-gate.so.1 =>  (0x00280000)
>        libfoo.so.1 => ./libfoo.so.1 (0x007b6000)
>        libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x002e4000)
>        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x00b0b000)
>        libcrypto.so.0.9.8 => /lib/i686/cmov/libcrypto.so.0.9.8 (0x00110000)
>        libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0x00ac3000)
>        /lib/ld-linux.so.2 (0x00a81000)
>        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00281000)
>        libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0x00aa8000)
>        libz.so.1 => /lib/libz.so.1 (0x00262000)
>
> $ ldd cmd
>        linux-gate.so.1 =>  (0x0073c000)
>        libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00e3e000)
>        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x0030d000)
>        libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0x006ef000)
>        /lib/ld-linux.so.2 (0x00569000)
>        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00cd9000)
>
>
> $ ./foobar
> SSL: 0:755404910:fips.c:238:0:error:2D06906E:lib(45):func(105):reason(110)
> FIPS_mode_set(1) failed
>
> $ ./foobar2
>
> SSL: 0:755404910:fips.c:238:0:error:2D06906E:lib(45):func(105):reason(110)
> FIPS_mode_set(1) failed
>
> $ ./cmd
> FIPS mode is enabled.
>
> Thanks,
>
> Bill
>
>
> On Oct 13, 2010, at 1:12 PM, Bill Durant wrote:
>
>  On Oct 13, 2010, at 11:30 AM, Michael S. Zick wrote:
>>
>>> On Wed October 13 2010, Bill wrote:
>>>
>>>> Hello Mike,
>>>>
>>>> It is not a script:
>>>>
>>>> ===> Ubuntu 8.04
>>>>
>>>> $ cat /etc/lsb-release
>>>> DISTRIB_ID=Ubuntu
>>>> DISTRIB_RELEASE=8.04
>>>> DISTRIB_CODENAME=hardy
>>>> DISTRIB_DESCRIPTION="Ubuntu 8.04.4 LTS"
>>>>
>>>> $ which gcc
>>>> /usr/bin/gcc
>>>>
>>>> $ file /usr/bin/gcc
>>>> /usr/bin/gcc: symbolic link to `gcc-4.2'
>>>>
>>>> $ cd /usr/bin
>>>>
>>>> $ file gcc-4.2
>>>> gcc-4.2: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for
>>>> GNU/Linux 2.6.8, dynamically linked (uses shared libs), stripped
>>>>
>>>> ===> Ubuntu 10.04
>>>>
>>>> $ which gcc
>>>> /usr/bin/gcc
>>>>
>>>> $ file /usr/bin/gcc
>>>> /usr/bin/gcc: symbolic link to `gcc-4.4'
>>>>
>>>> $ cd /usr/bin
>>>>
>>>> $ file gcc-4.4
>>>> gcc-4.4: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV),
>>>> dynamically linked (uses shared libs), for GNU/Linux 2.6.15, stripped
>>>>
>>>> $ cat /etc/lsb-release
>>>> DISTRIB_ID=Ubuntu
>>>> DISTRIB_RELEASE=10.04
>>>> DISTRIB_CODENAME=lucid
>>>> DISTRIB_DESCRIPTION="Ubuntu 10.04 LTS"
>>>>
>>>> Any ideas about how to make it work?
>>>>
>>>>
>>> Not a clue.
>>>
>>> Just that I follow other projects where the Ubuntu change did cause
>>> problems. I don't have any links handy about what they needed to do.
>>>
>>
>> Ok. thanks for the suggestions.  Let me know if you come across a
>> solution.
>>
>> Thanks,
>>
>> Bill
>>
>>
>>> Mike
>>>
>>>  Thanks,
>>>>
>>>> Bill
>>>>
>>>> On Oct 13, 2010, at 6:01 AM, Michael S. Zick wrote:
>>>>
>>>>  On Tue October 12 2010, Bill wrote:
>>>>>
>>>>>> Hello Steve,
>>>>>>
>>>>>> Good eye!  That got rid of the compilation error.
>>>>>>
>>>>>> However, FIPS_mode_set(1) fails when it gets called from a "shared"
>>>>>> library that links with the "static" version of the FIPS-capable
>>>>>> OpenSSL library.
>>>>>>
>>>>>> Calling FIPS_mode_set(1) works fine when called directly from an
>>>>>> executable that has been compiled with the static version of the FIPS
>>>>>> capable OpenSSL library.
>>>>>>
>>>>>> The same scenario works fine on Mac OS X (Leopard and Snow Leopard).
>>>>>> So it looks like this problem is specific to Ubuntu Linux.
>>>>>>
>>>>>>
>>>>> Do a "file path_to/gcc" see if it is a compiled program or a script.
>>>>>
>>>>> Depending on the update age of your Ubuntu distribution, you may find
>>>>> that it is a script now.
>>>>>
>>>>> That might make a difference if it is.
>>>>>
>>>>> Mike
>>>>>
>>>>>> Is there a trick to make this work?
>>>>>>
>>>>>> Here are the details:
>>>>>>
>>>>>> $ make
>>>>>> gcc -c foo.cpp -fPIC -Wall -I./openssl-0.9.8o-fips/include -I.
>>>>>> rm -f libfoo.so
>>>>>> FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -shared  -Wl,-
>>>>>> soname,libfoo.so.1 -o libfoo.so.1 foo.o \
>>>>>>                ./openssl-0.9.8o-fips/lib/libcrypto.a -lstdc++
>>>>>> ln -s ./libfoo.so.1 ./libfoo.so
>>>>>> gcc -o foobar foobar.cpp -Wall -I. -L. -lfoo -lstdc++
>>>>>>
>>>>>> $ ./foobar
>>>>>> SSL: 0:755404910:fips.c:238:0:error:
>>>>>> 2D06906E:lib(45):func(105):reason(110)
>>>>>> FIPS_mode_set(1) failed
>>>>>>
>>>>>> $ ./cmd
>>>>>> FIPS mode is enabled.
>>>>>>
>>>>>> $ cat foo.cpp
>>>>>> #include <stdio.h>
>>>>>> #include <foo.h>
>>>>>> #include <openssl/err.h>
>>>>>> #include <openssl/evp.h>
>>>>>>
>>>>>> int
>>>>>> fips_check(void)
>>>>>> {
>>>>>>        unsigned long fipscode;
>>>>>>        unsigned long code;
>>>>>>
>>>>>>        if(1 == (fipscode = FIPS_mode_set(1))) {
>>>>>>                printf("FIPS_mode_set(1) succeeded\n");
>>>>>>        } else {
>>>>>>                char err_msg[256+1];
>>>>>>                int flags, line; char *report_data, *file;
>>>>>>
>>>>>>                code = ERR_get_error_line_data(
>>>>>>                        (const char**)&file,
>>>>>>                        &line,
>>>>>>                        (const char**)&report_data,
>>>>>>                        &flags);
>>>>>>
>>>>>>                ERR_error_string_n(code, err_msg, 256);
>>>>>>
>>>>>>                printf("SSL: %lu:%lu:%s:%d:%d:%s\n",
>>>>>>                        fipscode, code, file, line, flags, err_msg);
>>>>>>
>>>>>>                printf("FIPS_mode_set(1) failed\n");
>>>>>>
>>>>>>        }
>>>>>>
>>>>>>        return 0;
>>>>>> }
>>>>>>
>>>>>> $ cat cmd.cpp
>>>>>> #include <stdio.h>
>>>>>> #include <openssl/evp.h>
>>>>>>
>>>>>> int
>>>>>> main()
>>>>>> {
>>>>>>        if (FIPS_mode_set(1) == 0) {
>>>>>>                printf("Failed to enable FIPS mode\n");
>>>>>>        } else {
>>>>>>                printf("FIPS mode is enabled.\n");
>>>>>>        }
>>>>>> }
>>>>>>
>>>>>> $ cat foo.h
>>>>>> #ifdef __cplusplus
>>>>>> extern "C" {
>>>>>> #endif
>>>>>> int fips_check(void);
>>>>>> #ifdef __cplusplus
>>>>>> }
>>>>>> #endif
>>>>>>
>>>>>> $ cat makefile
>>>>>> CC = gcc
>>>>>> OPENSSLDIR = ./openssl-0.9.8o-fips
>>>>>> LIBCRYPTO = $(OPENSSLDIR)/lib/libcrypto.a
>>>>>> INCLUDES = -I$(OPENSSLDIR)/include
>>>>>> OBJ = foo.o
>>>>>> LIB = libfoo.so.1
>>>>>> CMD = cmd
>>>>>> OPTS=-Wl,-soname,$(LIB)
>>>>>>
>>>>>> all: foobar cmd
>>>>>>
>>>>>> foobar: $(LIB) foobar2.cpp
>>>>>>        $(CC) -o $@ $@.cpp -Wall -I. -L. -lfoo -lstdc++
>>>>>>
>>>>>> $(LIB): $(OBJ)
>>>>>>        rm -f libfoo.so
>>>>>>        FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -shared $(FIPS_OPTS) $
>>>>>> (OPTS)
>>>>>> -o $(LIB) $(OBJ) \
>>>>>>                $(LIBCRYPTO) -lstdc++
>>>>>>        ln -s ./libfoo.so.1 ./libfoo.so
>>>>>>
>>>>>> $(CMD): cmd.cpp
>>>>>>        FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -o $(CMD) $(CMD).cpp -
>>>>>> Wall \
>>>>>>                $(INCLUDES) $(LIBCRYPTO) -lstdc++
>>>>>>
>>>>>> $(OBJ): foo.cpp
>>>>>>        $(CC) -c foo.cpp -fPIC -Wall $(INCLUDES) -I.
>>>>>>
>>>>>> clean:
>>>>>>        rm -rf $(LIB) $(OBJ) $(CMD) *.so foobar
>>>>>>
>>>>>> $ uname -a
>>>>>> Linux ixoubuntu 2.6.32-22-generic #36-Ubuntu SMP Thu Jun 3 22:02:19
>>>>>> UTC 2010 i686 GNU/Linux
>>>>>>
>>>>>> $ cat /etc/lsb-release
>>>>>> DISTRIB_ID=Ubuntu
>>>>>> DISTRIB_RELEASE=10.04
>>>>>> DISTRIB_CODENAME=lucid
>>>>>> DISTRIB_DESCRIPTION="Ubuntu 10.04 LTS"
>>>>>>
>>>>>> $ gcc --version
>>>>>> gcc (Ubuntu 4.4.3-4ubuntu5) 4.4.3
>>>>>> Copyright (C) 2009 Free Software Foundation, Inc.
>>>>>> This is free software; see the source for copying conditions.  There
>>>>>> is NO
>>>>>> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
>>>>>> PURPOSE.
>>>>>>
>>>>>>
>>>>>> On Oct 12, 2010, at 2:36 PM, Dr. Stephen Henson wrote:
>>>>>>
>>>>>>  On Tue, Oct 12, 2010, Bill wrote:
>>>>>>>
>>>>>>>  Hello,
>>>>>>>>
>>>>>>>> I have followed the FIPS UserGuide 1.2 to build a FIPS object
>>>>>>>> module and a
>>>>>>>> FIPS capable OpenSSL.
>>>>>>>>
>>>>>>>> I used openssl-fips-1.2.tar.gz and openssl-0.9.8o.tar.gz to build
>>>>>>>> these.
>>>>>>>>
>>>>>>>> On Ubuntu, when I try to build a shared library that links with the
>>>>>>>> FIPS-capable OpenSSL static library, I get the following link
>>>>>>>> error:
>>>>>>>>
>>>>>>>> $ make
>>>>>>>> FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -shared
>>>>>>>> -W1,-soname,libfoo.so.1 \
>>>>>>>>                -o libfoo.so.1 foo.o
>>>>>>>> ./openssl-0.9.8o-fips/lib/libcrypto.a
>>>>>>>> cc1: error: unrecognized command line option "-W1,-
>>>>>>>> soname,libfoo.so.
>>>>>>>> 1"
>>>>>>>> make: *** [libfoo.so.1] Error 1
>>>>>>>>
>>>>>>>>
>>>>>>> That should be -Wl (letter l) and not -W1 (figure 1) shouldn't it?
>>>>>>>
>>>>>>> Steve.
>>>>>>> --
>>>>>>> Dr Stephen N. Henson. OpenSSL project core developer.
>>>>>>> Commercial tech support now available see: http://www.openssl.org
>>>>>>>
>>>>>>> ______________________________________________________________________
>>>>>>> OpenSSL Project
>>>>>>> http://www.openssl.org
>>>>>>> User Support Mailing List
>>>>>>> [email protected]
>>>>>>> Automated List Manager
>>>>>>> [email protected]
>>>>>>>
>>>>>>
>>>>>> ______________________________________________________________________
>>>>>> OpenSSL Project                                 http://
>>>>>> www.openssl.org
>>>>>> User Support Mailing List                    openssl-
>>>>>> [email protected]
>>>>>> Automated List Manager
>>>>>> [email protected]
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> ______________________________________________________________________
>>>>> OpenSSL Project                                 http://www.openssl.org
>>>>> User Support Mailing List                    [email protected]
>>>>> Automated List Manager                           [email protected]
>>>>>
>>>>
>>>> ______________________________________________________________________
>>>> OpenSSL Project                                 http://www.openssl.org
>>>> User Support Mailing List                    [email protected]
>>>> Automated List Manager                           [email protected]
>>>>
>>>>
>>>>
>>>
>>> ______________________________________________________________________
>>> OpenSSL Project                                 http://www.openssl.org
>>> User Support Mailing List                    [email protected]
>>> Automated List Manager                           [email protected]
>>>
>>
>>
>
