Another mistake I made was specifying FIPSLD_CC=gcc instead of FIPSLD_CC=g++.

Now, when I link, I get the following error:

/usr/local/src/openssl-fips-1.2/fips/fipsld -Wl,-O3 -D_REENTRANT 
-DACE_HAS_AIO_CALLS -D_GNU_SOURCE   
-I/home/linuxbuild/ntsdev/3rdParty/ACE_wrappers$
/usr/local/src/openssl-fips-1.2/fips/../fips/fips_premain.c:71: error: 
initializer-string for array of chars is too long

I have seen another posting referencing the gcc/g++ differences related to this 
error.  I believe it had to do with not being able to fix the error since the 
source file changes would invalidate the FIPS modules.

Is there any workaround besides compiling with gcc instead of g++?

Thanks,

Paul



----- Original Message -----
From: "Daugherty" <p...@nextalk.com>
To: openssl-users@openssl.org
Sent: Monday, November 9, 2009 8:01:36 AM GMT -07:00 US/Canada Mountain
Subject: Re: Linking and execution problems with a FIPS-capable OpenSSL 
distribution

It was a mistake.

Any help on the actual issue?
----- Original Message -----
From: "Michael S. Zick" <open...@morethan.org>
To: openssl-users@openssl.org
Sent: Sunday, November 8, 2009 5:51:45 AM GMT -07:00 US/Canada Mountain
Subject: Re: Linking and execution problems with a FIPS-capable OpenSSL 
distribution

Any reason for the double posting?
Wouldn't just one address do?

Mike

On Fri November 6 2009, Daugherty wrote:
> Synopsis:
> --------
> 
> Linking and execution problems with a FIPS-capable OpenSSL distribution.
> 
> System:
> ------
> 
> openSUSE 11.0 (i586)
> Linux version 2.6.25.20-0.4-pae
> gcc (SUSE Linux) 4.3.1
> OpenSSL 0.9.8g 19 Oct 2007 (currently installed)
>   Includes are in /usr/include/openssl
>   Libs are in /usr/lib
> 
> Fips/OpenSSL Versions:
> ---------------------
> 
> openssl-fips-1.2.tar.gz
> openssl-0.9.8l.tar.gz
> 
> Goal of this post:
> -----------------
> 
> 1. Additional clarification on the linking process as described in the User 
> Guide and comment as to whether my workarounds are correct and in accordance 
> with the Security Policy.
> 
> 2. Help on overcoming the "fingerprint does not match" runtime error.
> 
> Description:
> -----------
> 
> I have read the UserGuide-1.2.pdf and SecurityPolicy-1.2.pdf numerous times 
> and have also scoured the news groups searching for a solution to my problem. 
>  
> 
> I am trying to link fipscanister.o and libssl into a shared library, 
> specifically, the ACE_SSL library that is part of the latest ACE distribution 
> from the ACE/TAO group.  The User Guide is somewhat vague on whether this can 
> be done.  From my understanding, linking fipscanister.o and libssl into a 
> shared library is possible since my shared library is considered an 
> application as defined in the User Guide.  
> 
> So here is what I am doing...
> 
> Per the User Guide, I do the usual after successfully performing the two 
> verification steps:
> 
> openssl-fips-1.2 # ./config fipscanisterbuild
> make
> make install
> 
> openssl-0.9.8l # ./config fips
> make
> make install
> 
> As a non-su user, I modify the environment per the User Guide as follows:
> 
> export FIPSLD_CC=gcc
> export CC=/usr/local/ssl/fips/bin/fipsld
> export CXX=/usr/local/ssl/fips/bin/fipsld
> 
> I also copied the openssl include directory from 
> /usr/local/ssl/fips/include/openssl to /usr/local/include which will be found 
> by gcc.  If I did not do this, gcc would find my existing openssl headers 
> located at /usr/include/openssl.
> 
> Finally, I modify my LD_LIBRARY_PATH environment variable to include 
> /usr/local/ssl/fips/lib prior to the /usr/lib include so that ld will find 
> the Fips-capable OpenSSL library.
> 
> When I execute the ACE_SSL shared library make, I get the following output 
> and error:
> 
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden 
> -fvisibility-inlines-hidden -W -Wall -Wpointer-arith  -O3 -ggdb -pipe 
> -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden 
> -fvisibility-inlines-hidden -W -Wall -Wpointer-arith  -O3 -ggdb -pipe 
> -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden 
> -fvisibility-inlines-hidden -W -Wall -Wpointer-arith  -O3 -ggdb -pipe 
> -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden 
> -fvisibility-inlines-hidden -W -Wall -Wpointer-arith  -O3 -ggdb -pipe 
> -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden 
> -fvisibility-inlines-hidden -W -Wall -Wpointer-arith  -O3 -ggdb -pipe 
> -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden 
> -fvisibility-inlines-hidden -W -Wall -Wpointer-arith  -O3 -ggdb -pipe 
> -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden 
> -fvisibility-inlines-hidden -W -Wall -Wpointer-arith  -O3 -ggdb -pipe 
> -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -Wl,-O3 -D_REENTRANT -DACE_HAS_AIO_CALLS 
> -D_GNU_SOURCE   -I/home/linuxbuild/ntsdev/3rdParty/ACE_wrappers_L$
> /usr/local/ssl/fips/bin/fipsld: line 94: 
> /usr/local/ssl/fips/bin/../fips/fips_standalone_sha1: No such file or 
> directory
> 1d0
> < HMAC-SHA1(fips_premain.c)= 9e5ddba185ac446e0cf36fcf8e1b3acffe5d0b2c
> /usr/local/ssl/fips/bin/../lib/fips_premain.c fingerprint mismatch
> 
> 
> The fips_standalone_sha1 program is located in:
> 
> /usr/local/src/openssl-fips-1.2/fips/fips_standalone_sha1
> /usr/local/src/openssl-0.9.8l/fips/fips_standalone_sha1
>   
> So, I modified the environment as follows to have access to 
> fips_standalone_sha1:
> 
> export FIPSLD_CC=gcc
> export CC=/usr/local/src/openssl-fips-1.2/fips/fipsld
> export CXX=/usr/local/src/openssl-fips-1.2/fips/fipsld
> 
> This succeeds in linking the shared library; however, it seems like the 
> fips_standalone_sha1 and other dependent files should have been copied to 
> /usr/local/ssl/fips/fips as the headers, modules, and libraries were.  It 
> seems that the User Guide could add some explanation on the various duplicate 
> file copies.
> 
> Anyways, I then compile and link my application to the shared library created 
> above using gcc/ld instead of fipsld.  I also tried compiling and linking my 
> application with fipsld but it did not make a difference.
> 
> When my application runs and calls FIPS_mode_set, I get an error of 
> "fingerprint does not match."
> 
> Relevant Environment When Building/Linking the ACE_SSL Shared Library
> with fipscanister.o and libssl:
> ---------------------------------------------------------------------
> 
> LD_LIBRARY_PATH =
> :/home/linuxbuild/ntsdev/3rdParty/ACE_wrappers_Linux/lib:/usr/lib/oracle/xe/app/oracle/product/10.2.0\
> /server/lib:/usr/local/ssl/fips/lib:/usr/local/lib:/usr/lib:
> FIPSLD_CC=gcc
> CC=/usr/local/src/openssl-fips-1.2/fips/fipsld
> CXX=/usr/local/src/openssl-fips-1.2/fips/fipsld
> 
> Relevant Environment When Building/Linking my Application to the
> ACE_SSL dynamic library:
> ---------------------------------------------------------------------
> 
> LD_LIBRARY_PATH =
> :/home/linuxbuild/ntsdev/3rdParty/ACE_wrappers_Linux/lib:/usr/lib/oracle/xe/app/oracle/product/10.2.0\
> /server/lib:/usr/local/ssl/fips/lib:/usr/local/lib:/usr/lib:
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
> 
> 


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
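
In the link log quoted above, `fips_standalone_sha1: No such file or directory` is followed by a diff of `1d0` with only a `<` line, meaning the computed side was empty, and that is then reported as a fingerprint mismatch. The sketch below is an added example, not code from this thread or from OpenSSL's fipsld: it separates "helper could not run" from a genuine digest mismatch. `check_fingerprint`, `fake_sha1` and the fixture files are hypothetical names, and the digest is the one shown in the log.

```shell
#!/bin/sh
# Added example: tell "helper could not run" apart from a real digest mismatch.
# check_fingerprint HELPER SOURCE STORED
#   HELPER  program printing "HMAC-SHA1(<file>)= <hex>" (stand-in for
#           fips_standalone_sha1; the name and call shape are assumptions)
#   SOURCE  file to fingerprint
#   STORED  file holding the expected "HMAC-SHA1(...)= <hex>" line
# Prints helper-missing, helper-failed, match or mismatch.
check_fingerprint() {
    helper=$1; src=$2; stored=$3
    # A missing helper yields empty output, which a plain diff of the two
    # sides reports as a mismatch; report the actual cause instead.
    if [ ! -x "$helper" ]; then
        echo helper-missing
        return 2
    fi
    computed=$("$helper" "$src" 2>/dev/null) || { echo helper-failed; return 3; }
    # Compare only the hex digest after ")= ", not the file-name label.
    want=$(sed -n 's/^.*)= *//p' "$stored")
    got=$(printf '%s\n' "$computed" | sed -n 's/^.*)= *//p')
    if [ -n "$got" ] && [ "$got" = "$want" ]; then
        echo match
        return 0
    fi
    echo mismatch
    return 1
}

# Constructed fixtures: the digest is the one in the log above; fake_sha1 is
# a hypothetical stand-in that just prints that line.
demo() {
    dir=$(mktemp -d) || return 1
    line='HMAC-SHA1(fips_premain.c)= 9e5ddba185ac446e0cf36fcf8e1b3acffe5d0b2c'
    printf '%s\n' "$line" > "$dir/fips_premain.c.sha1"
    : > "$dir/fips_premain.c"
    printf '#!/bin/sh\necho "%s"\n' "$line" > "$dir/fake_sha1"
    chmod +x "$dir/fake_sha1"
    r1=$(check_fingerprint "$dir/missing" "$dir/fips_premain.c" \
        "$dir/fips_premain.c.sha1") || true
    r2=$(check_fingerprint "$dir/fake_sha1" "$dir/fips_premain.c" \
        "$dir/fips_premain.c.sha1") || true
    rm -rf "$dir"
    echo "$r1 $r2"
}

demo
```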