The logic of invoking the $fips_premain_dso to determine its hash using perl `commandline` syntax, and immediately asking the local linker to overwrite the binary, is fundamentally flawed on Win32 and probably AIX and others, which cannot overwrite a currently executing file. There is no assurance from `commandline` that the program finished its execution. The correct logic uses system() and redirected file output.
Note this bug is sporadic, due to the arbitrary amount of time required for the system to terminate the initial $fips_premain_dso process. Note there is a related bug: some systems may not resolve an explicit libz.so/.dll without the adjustment of PATH/LIBPATH/LD_LIBRARY_PATH/SHLIB_PATH as appropriate, leaving $fips_premain_dso unable to be invoked, except on OSes with rpath behavior (and even this may not work correctly if the libz path is not in its eventual target path).

Index: util/fipslink.pl =================================================================== --- util/fipslink.pl (revision 6343) +++ util/fipslink.pl (working copy) @@ -41,13 +41,15 @@ system "$fips_link @ARGV"; die "First stage Link failure" if $? != 0; - print "$fips_premain_dso $fips_target\n"; -$fips_hash=`$fips_premain_dso $fips_target`; +system("$fips_premain_dso $fips_target >$fips_target.sha1"); +die "Get hash failure" if $? != 0; +$fips_hash= +open my $sha1_res, '<', $fips_target.".sha1" or die "Get hash failure"; +$fips_hash=<$sha1_res>; +close $sha1_res; chomp $fips_hash; -die "Get hash failure" if $? != 0; - print "$fips_cc -DHMAC_SHA1_SIG=\\\"$fips_hash\\\" $fips_cc_args $fips_libdir/fips_premain.c\n"; system "$fips_cc -DHMAC_SHA1_SIG=\\\"$fips_hash\\\" $fips_cc_args $fips_libdir/fips_premain.c"; die "Second stage Compile failure" if $? != 0;

______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
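
Review bot: the added line `+$fips_hash=` directly before `+open my $sha1_res, ...` is a leftover. It has no right-hand side of its own, so it runs into the following statement and assigns the return value of open to $fips_hash, which `+$fips_hash=<$sha1_res>;` then overwrites; drop that line. Two smaller points in the same hunk: $fips_target is interpolated unquoted into both the command and the redirect in `system("$fips_premain_dso $fips_target >$fips_target.sha1")`, so a target path containing spaces will break the hash step, and the $fips_target.sha1 file is never removed after it is read, so consider an unlink after `close $sha1_res;`.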