Re: FIPS enable Apache 2.4.3 with OpenSSL 1.0.1c-fips

Thu, 20 Dec 2012 05:55:43 -0800 

I modified the example slightly to fit our configuration.

The fips build may have worked.  I get the following:


making install in fips/utl...
for i in fipsld fips_standalone_sha1 ; \
do \
                echo "installing $i"; \
                cp $i /usr/local/ssl/fips-2.0/bin/$i.new; \
                chmod 755 /usr/local/ssl/fips-2.0/bin/$i.new; \
                mv -f /usr/local/ssl/fips-2.0/bin/$i.new 
/usr/local/ssl/fips-2.0/bin/$i; \
done
installing fipsld
installing fips_standalone_sha1
cp -p -f fipscanister.o fipscanister.o.sha1 \
                fips_premain.c fips_premain.c.sha1 \
                /usr/local/ssl/fips-2.0/lib/; \
chmod 0444 /usr/local/ssl/fips-2.0/lib/fips*
making install in test...


During the make depend for OpenSSL I get several warnings similar to this:

makedepend: warning:  mdc2dgst.c: 69: #error MDC2 is disabled.
makedepend: warning:  mdc2_one.c: 150: #error("Unrecognized compiler 
protocol for variable argument lists")

Then, I get the following errors:

cc -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include -KPIC 
-DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H 
-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN 
-DBN_DIV2W -DOPENSSL_BN_ASM_MONT -I/usr/local/ssl/fips-2.0/include 
-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DGHASH_ASM  -c  cmac.c
cc -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include -KPIC 
-DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H 
-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN 
-DBN_DIV2W -DOPENSSL_BN_ASM_MONT -I/usr/local/ssl/fips-2.0/include 
-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DGHASH_ASM  -c  cm_ameth.c
cc -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include -KPIC 
-DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H 
-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN 
-DBN_DIV2W -DOPENSSL_BN_ASM_MONT -I/usr/local/ssl/fips-2.0/include 
-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DGHASH_ASM  -c  cm_pmeth.c
ar  r ../../libcrypto.a cmac.o cm_ameth.o cm_pmeth.o
/usr/ccs/bin/ranlib ../../libcrypto.a || echo Never mind.
if [ -n "libcrypto.so.1.0.0 libssl.so.1.0.0" ]; then \
                (cd ..; make libcrypto.so.1.0.0); \
fi
[ -z "libcrypto" ] || cc -KPIC -DOPENSSL_PIC -DOPENSSL_THREADS 
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -xtarget=ultra -xarch=v8plus -xO5 
-xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DOPENSSL_BN_ASM_MONT 
-I/usr/local/ssl/fips-2.0/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM 
-DAES_ASM -DGHASH_ASM -Iinclude \
                -DFINGERPRINT_PREMAIN_DSO_LOAD -o fips_premain_dso  \
                /usr/local/ssl/fips-2.0/lib/fips_premain.c 
/usr/local/ssl/fips-2.0/lib/fipscanister.o \
                libcrypto.a -lsocket -lnsl -ldl
ld: fatal: symbol 'bn_mul_mont_fpu' is multiply-defined:
                (file /usr/local/ssl/fips-2.0/lib//fipscanister.o 
type=FUNC; file libcrypto.a(sparcv9a-mont.o) type=FUNC);
ld: fatal: file processing errors. No output written to libcrypto.so.1.0.0
*** Error code 1
The following command caused the error:
if (/usr/local/ssl/fips-2.0/bin/fipsld -Wl,-V /dev/null 2>&1 | grep '^GNU 
ld' )>/dev/null; then \
                SHLIB_COMPAT=; SHLIB_SOVER=;  if [ -n "1.0.0;" ]; then 
prev="";  for v in `echo "1.0.0 ;" | cut -d';' -f1`; do 
SHLIB_SOVER_NODOT=$v;  SHLIB_SOVER=.$v;  if [ -n "$prev" ]; then 
SHLIB_COMPAT="$SHLIB_COMPAT .$prev";  fi;  prev=$v;  done;  fi; 
SHLIB=libcrypto.so;  SHLIB_SUFFIX=;  ALLSYMSFLAGS='-Wl,--whole-archive'; 
NOALLSYMSFLAGS='-Wl,--no-whole-archive';  SHAREDFLAGS="-KPIC -DOPENSSL_PIC 
-DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -xtarget=ultra 
-xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W 
-DOPENSSL_BN_ASM_MONT -I/usr/local/ssl/fips-2.0/include -DSHA1_ASM 
-DSHA256_ASM -DSHA512_ASM -DAES_ASM -DGHASH_ASM -G -dy -z text -shared 
-Wl,-Bsymbolic -Wl,-soname=$SHLIB$SHLIB_SOVER$SHLIB_SUFFIX"; \
else \
                SHLIB_COMPAT=; SHLIB_SOVER=;  if [ -n "1.0.0;" ]; then 
prev="";  for v in `echo "1.0.0 ;" | cut -d';' -f1`; do 
SHLIB_SOVER_NODOT=$v;  SHLIB_SOVER=.$v;  if [ -n "$prev" ]; then 
SHLIB_COMPAT="$SHLIB_COMPAT .$prev";  fi;  prev=$v;  done;  fi; \
                MINUSZ='-z '; \
                (/usr/local/ssl/fips-2.0/bin/fipsld -v 2>&1 | grep gcc) > 
/dev/null && MINUSZ='-Wl,-z,'; \
                SHLIB=libcrypto.so; \
                SHLIB_SUFFIX=;\
                ALLSYMSFLAGS="${MINUSZ}allextract"; \
                NOALLSYMSFLAGS="${MINUSZ}defaultextract"; \
                SHAREDFLAGS="-KPIC -DOPENSSL_PIC -DOPENSSL_THREADS 
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -xtarget=ultra -xarch=v8plus -xO5 
-xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DOPENSSL_BN_ASM_MONT 
-I/usr/local/ssl/fips-2.0/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM 
-DAES_ASM -DGHASH_ASM -G -dy -z text -h $SHLIB$SHLIB_SOVER$SHLIB_SUFFIX 
-Wl,-Bsymbolic"; \
fi; \
SHOBJECTS="libcrypto.a "; ( :;    LIBDEPS="${LIBDEPS:--L.  -lsocket -lnsl 
-ldl}";  SHAREDCMD="${SHAREDCMD:-/usr/local/ssl/fips-2.0/bin/fipsld}"; 
SHAREDFLAGS="${SHAREDFLAGS:--KPIC -DOPENSSL_PIC -DOPENSSL_THREADS 
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -xtarget=ultra -xarch=v8plus -xO5 
-xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DOPENSSL_BN_ASM_MONT 
-I/usr/local/ssl/fips-2.0/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM 
-DAES_ASM -DGHASH_ASM -G -dy -z text}";  LIBPATH=`for x in $LIBDEPS; do 
echo $x; done | sed -e 's/^ *-L//;t' -e d | uniq`;  LIBPATH=`echo $LIBPATH 
| sed -e 's/ /:/g'`;  LD_LIBRARY_PATH=$LIBPATH:$LD_LIBRARY_PATH 
${SHAREDCMD} ${SHAREDFLAGS}  -o $SHLIB$SHLIB_SOVER$SHLIB_SUFFIX 
$ALLSYMSFLAGS $SHOBJECTS $NOALLSYMSFLAGS $LIBDEPS  ) && if [ -n 
"$INHIBIT_SYMLINKS" ]; then :; else  prev=$SHLIB$SHLIB_SOVER$SHLIB_SUFFIX; 
 if [ -n "$SHLIB_COMPAT" ]; then  for x in $SHLIB_COMPAT; do  ( :; rm -f 
$SHLIB$x$SHLIB_SUFFIX;  ln -s $prev $SHLIB$x$SHLIB_SUFFIX ); 
prev=$SHLIB$x$SHLIB_SUFFIX;  done;  fi;  if [ -n "$SHLIB_SOVER" ]; then  ( 
:; rm -f $SHLIB$SHLIB_SUFFIX;  ln -s $prev $SHLIB$SHLIB_SUFFIX );  fi;  fi
make: Fatal error: Command failed for target `link_a.solaris’

Any help is greatly appreciated.

This is a PRIVATE message. If you are not the intended recipient, please 
delete without copying and kindly advise us by e-mail of the mistake in 
delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind CSC to 
any order or other contract unless pursuant to explicit written agreement 
or government initiative expressly permitting the use of e-mail for such 
purpose.



From:   Steve Marquess <marqu...@opensslfoundation.com>
To:     openssl-users@openssl.org
Cc:     Jerry Blasdel/USA/CSC@CSC
Date:   12/18/2012 09:21 AM
Subject:        Re: FIPS enable Apache 2.4.3 with OpenSSL 1.0.1c-fips



On 12/18/2012 08:57 AM, Jerry Blasdel wrote:
> Steve,
> 
> That was a typing error.  I verified that I am building:
> 
> Extracting OpenSSL Fips source...
> openssl-fips-2.0.1/...
> 
> Extracting OpenSSL source...
> openssl-1.0.1c/ACKNOWLEDGMENTS...
> 
> 
> What steps can I take to help identify the problem with my FIPS capable
> built OpenSSL?

Well, start at the beginning. Have you tried building the "FIPS capable"
OpenSSL per section 4.2 and the examples in the User Guide?

Also see the example at:

  http://opensslfoundation.com/fips/2.0/platforms/linux-native/Makefile

which should work in any Linux or Linux-like system (just do "make").

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com

Reply via email to