Steve, I'm having similar issues. This is all being done on Ubuntu 10.10.
At first, I tried to get our FIPS 1.2 version to compile, so we could remain consistent with our 0.9.8 OpenSSL that we use in Windows, but we're getting all of the 32-bit unsigned error junk from binutils. So we decided to attempt to get FIPS 2.0 Test with the latest OpenSSL 1.0.1 Snapshot to work instead. We get the FIPS 2.0 to compile and install, and it puts the fipscanister under our /usr/local/ssl/fips-2.0 location; however, when we attempt to make the OpenSSL 1.0.1 snapshot work with the built FIPS, we get a problem. Essentially we're doing: ./config fips (it tells us to do the make depends, which we've tried, and we've ignored, it doesn't seem to matter) make We get compilation errors because the the libcrypto library is conflicting with the fipscanister object in the following areas. ../libcrypto.a(aes-x86_64.o): In function `asm_AES_encrypt': (.text+0x460): multiple definition of `asm_AES_encrypt' /usr/local/ssl/fips-2.0/lib//fipscanister.o:(.text+0x33fa0): first defined here ../libcrypto.a(aes-x86_64.o): In function `asm_AES_decrypt': (.text+0x9f0): multiple definition of `asm_AES_decrypt' /usr/local/ssl/fips-2.0/lib//fipscanister.o:(.text+0x34530): first defined here ../libcrypto.a(aes-x86_64.o): In function `asm_AES_cbc_encrypt': (.text+0xfa0): multiple definition of `asm_AES_cbc_encrypt' /usr/local/ssl/fips-2.0/lib//fipscanister.o:(.text+0x34ad0): first defined here We're unsure how to overcome this, having tried various --with-fipslibdir scenarios to no avail. We'd like two answers to this... 1. Is there a way to get FIPS 1.2 to compile against 0.9.8 on Ubuntu with binutils 2.20.51? If so, which patch will work. We can't seem to find one that can correctly modify the constants in the md5 and sha1 assembly code to make this compile for the fips canister. 2. What are we doing wrong with the FIPS 2.0 test above? Dr. Stephen Henson wrote: > > On Tue, Jun 28, 2011, Tyrel Haveman wrote: > >> All, >> >> I'm having a problem when building OpenSSL 1.0.1 along with fips-2.0. >> My layout is like this: >> /home/tyrel/openssl-test/openssl <-- contains the 1.0.1 branch from CVS >> /home/tyrel/openssl-test/fips <-- contains the extract fips-2.0 >> snapshot tarball >> >> My build steps are (from the openssl-test dir): >> >> cd fips >> ./config no-asm no-hw --prefix="/home/tyrel/openssl-test/dep" >> make >> make install >> cd .. >> >> cd openssl >> export FIPSDIR=/home/tyrel/openssl-test/dep >> export FIPSLIBDIR=/home/tyrel/openssl-test/dep/lib >> ./config fips no-asm no-hw --prefix="/home/tyrel/openssl-test/dep" >> make depend >> make >> make install >> >> The config script indicated that I should run make depend because >> "you've disabled or enabled at least one algorithm". But make depend >> is the step that is failing. Log is below. >> >> It's worth noting that even though make depend fails, I can run make >> just fine. Is make depend even necessary, then, in this case? >> > > You don't need to run "make depend". Also the steps you use above should > be changed. > > Set FIPSDIR only and no other environment variables before you even > build the test 2.0 module. You can only do: > > ./config > make > make install > > for the FIPS test 2.0 module build. No other options are permitted. In the > past no-asm was permitted but this time no one has (so far) sponsored the > C only build. > > For the FIPS capable build you can include additional options but > don't set --prefix in the FIPS capable build to the same directory as > FIPSDIR. The test 2.0 module and the FIPS capable OpenSSL should go in > different places. > > You can skip make depend. > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > Development Mailing List openssl-dev@openssl.org > Automated List Manager majord...@openssl.org > > -- View this message in context: http://old.nabble.com/Build-Error-on-1.0.1-with-FIPS-tp31948446p33164693.html Sent from the OpenSSL - Dev mailing list archive at Nabble.com. ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
