Jon,
I've not made any meaningful progress yet, but found a few interesting things.
> I'm using fipslink.pl as is and didn't have to modify it. Did you have to
> modify yours before you called ntdll.mak? It's used in there.
I didn't have to modify it to build openssl but when I looked carefully, I
found that fipslink.pl was used to compile libeay32.dll, but not for
openssl.exe.
Link libeay32.dll in ntdll.mak. Note that FIPSLINK is used and O_FIPSCANISTER
is included along with fips_premain.obj:
$(O_CRYPTO): $(CRYPTOOBJ) $(O_FIPSCANISTER) $(PREMAIN_DSO_EXE)
SET FIPS_LINK=$(LINK)
SET FIPS_CC=$(CC)
SET FIPS_CC_ARGS=/Fo$(OBJ_D)\fips_premain.obj $(SHLIB_CFLAGS) -c
SET PREMAIN_DSO_EXE=$(PREMAIN_DSO_EXE)
SET FIPS_SHA1_EXE=$(FIPS_SHA1_EXE)
SET FIPS_TARGET=$(O_CRYPTO)
SET FIPSLIB_D=$(FIPSLIB_D)
$(FIPSLINK) $(MLFLAGS) /map /base:$(BASEADDR) /out:$(O_CRYPTO)
/def:ms/LIBEAY32.def @<<
$(SHLIB_EX_OBJ) $(CRYPTOOBJ) $(O_FIPSCANISTER) $(EX_LIBS)
$(OBJ_D)\fips_premain.obj
<<
IF EXIST $@.manifest mt -nologo -manifest $@.manifest
-outputresource:$@;2
Link openssl.exe in ntdll.mak. Note that it does not use FIPSLINK! Is it an
oversight? I'm not sure.
$(BIN_D)\$(E_EXE).exe: $(E_OBJ) $(LIBS_DEP)
$(LINK) $(LFLAGS) /out:$(BIN_D)\$(E_EXE).exe @<<
$(APP_EX_OBJ) $(E_OBJ) $(L_LIBS) $(EX_LIBS)
<<
IF EXIST $@.manifest mt -nologo -manifest $@.manifest
-outputresource:$@;1
The binary I'm trying to build is an EXE so the example in ntdll.mak isn't much
help. Also, the change I made by adding "perl" (see below) was after building
openssl and since $fips_premain_dso is defined to be an EXE, not perl script,
it would have worked for the EXE. Now with my change, if rebuild openssl, it
would probably fail.
> Also not that I had to edit fipslink.pl to make it run. I added "perl" to
> these two lines (about line 57 & 58):
> print "perl $fips_premain_dso $fips_target\n"; system("perl $fips_premain_dso
> $fips_target >$fips_target.sha1");
> My equivalent of your @"link.rsp" does not have fips_premain in it. I
> thought fipslink compiled and linked that for me.
In the example for libeay32 that I've copied in this email (above), it shows
$(FIPSLINK) with both O_FIPSANISTER and fips_premain.obj. They put it on the
command-line. I chose to put it in my rsp file. It should be equivalent to
the linker. From what I observed, fipslink does complie fips_premain.c
automatically, but it doesn't automatically include the .obj from that in the
link stage. There seems to be lack of consistency for this. Here it is in
fipslink.pl:
print "$fips_link @ARGV\n";
system "$fips_link @ARGV";
It looks like you and I are bumping up against very similar issues. I'd love
to hear from someone who has successfully done this using the prescribed method.
Thanks,
Lester
-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Jon Evers
Sent: Wednesday, February 06, 2013 1:16 PM
To: openssl-users@openssl.org
Subject: RE: fipslink
LM,
Thanks for jumping in the bus with me :) I haven't had a chance to work through
your last email, but was planning to soon. I see you attached your make file
also, which I need to try out.
I get very similar errors, but not the same functions.
Mine look like:
VED.obj : Error LNK2019: unresolved external symbol _FIPS_hmac_ctx_cleanup
referenced in function void __cdecl dofile(struct _iobuf *)"
(?dofile@@YAXPAU_iobuif@@@Z)
And similar for:
FIPS_hmac_final
FIPS_hmac_update
FIPS_hmac_init_ex
FIPS_evp_sha1
FIPS_hmac_ctx_init
I'm using fipslink.pl as is and didn't have to modify it. Did you have to
modify yours before you called ntdll.mak? It's used in there.
Also, it looks like you are stuck on fips_premain. I don't include that in my
makefile directly because fipslink.pl is suppose to do it for me. fips_premain
compiles and I don't have any link errors from fips_premain.obj.
My equivalent of your @"link.rsp" does not have fips_premain in it. I thought
fipslink compiled and linked that for me.
M my fipslink.pl dies at "First stage Link Failure" - Line 55, which is the
same place you get to.
I can't really copy my make files because they are on a secure system, so I
have to type everything here.
Thanks,
-Jon
-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Memmott, Lester
Sent: Wednesday, February 06, 2013 11:40 AM
To: openssl-users@openssl.org
Subject: RE: fipslink
Jon,
I’m having trouble with fipslink as well and thought it might help to compare
notes. These are the linker errors I’m getting using Visual Studio 2008:
fips_premain.obj : error LNK2001: unresolved external symbol "unsigned char *
FIPS_signature" (?FIPS_signature@@3PAEA) fips_premain.obj : error LNK2001:
unresolved external symbol "void const * __cdecl FIPS_text_start(void)"
(?FIPS_text_start@@YAPBXXZ) fips_premain.obj : error LNK2001: unresolved
external symbol "unsigned int __cdecl FIPS_incore_fingerprint(unsigned char
*,unsigned int)" (?FIPS_incore_fingerprint@@YAIPAEI@Z)
What linker errors do you get?
Below are more details on how I did this using a batch file to setup the
environment variables that calls the perl script.
Also not that I had to edit fipslink.pl to make it run. I added "perl" to
these two lines (about line 57 & 58):
print "perl $fips_premain_dso $fips_target\n"; system("perl $fips_premain_dso
$fips_target >$fips_target.sha1");
Thanks,
LM
=======================================================
I created this batch file to run the perl script:
@echo off
rem This batch file is intended to build FipsSample.exe in a FIPS enabled
fashion.
rem Built the project first in Visual Studio 2008 and then run this as a post
build step.
rem See section 5.3.2 "Linking under Windows" of the OpenSSL FIPS User Guide
for details about this.
rem http://www.openssl.org/docs/fips/UserGuide-2.0.pdf
rem Note: I think the docs are wrong on a couple of items.
rem It should be FIPS_SHA1_EXE and not PREMAIN_SHA1_EXE.
rem Associated files: link.rsp
@echo on
set FIPSLIB_D=c:\openssl-fips-2.0.2\out32dll
set FIPS_CC=cl
set FIPS_CC_ARGS=/O2 /Oi /GL /I "C:\openssl-1.0.1c\inc32" /D "WIN32" /D
"NDEBUG" /D "_CONSOLE" /D "_MBCS" /FD /EHsc /MD /Gy /Fo"Release\\"
/Fd"Release\vc90.pdb" /W3 /c /Zi /TP set FIPS_LINK=link set
FIPS_SHA1_EXE=C:\openssl-fips-2.0.2\out32dll\fips_standalone_sha1.exe
rem The following wasn't documented in the user guide but the script tries to
use it. msincore seems like the right script, but I'm not sure.
set FIPS_SIG=C:\openssl-fips-2.0.2\util\msincore
rem Not used to compile an EXE: set
PREMAIN_DSO_EXE=C:\openssl-1.0.1c\out32dll\fips_premain_dso.exe
set PREMAIN_DSO_EXE=
set FIPS_TARGET=..\Release\FipsSample.exe
perl c:\openssl-fips-2.0.2\util\fipslink.pl @"link.rsp"
=======================================================
link.rsp:
/OUT:"C:\openssl-TestUtils\FipsSample - Clean\Release\FipsSample.exe"
/INCREMENTAL:NO /LIBPATH:"C:\openssl-1.0.1c\out32dll" /MANIFEST
/MANIFESTFILE:"Release\FipsSample.exe.intermediate.manifest"
/MANIFESTUAC:"level='asInvoker' uiAccess='false'" /DEBUG
/PDB:"c:\openssl-TestUtils\FipsSample - Clean\Release\FipsSample.pdb"
/SUBSYSTEM:CONSOLE /OPT:REF /OPT:ICF /LTCG /DYNAMICBASE /NXCOMPAT /MACHINE:X86
libeay32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib
advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib
".\Release\FipsSample.obj"
".\Release\stdafx.obj"
".\Release\fips_premain.obj"
=======================================================
Build Output:
C:\openssl-TestUtils\FipsSample - Clean\FipsSample>g
C:\openssl-TestUtils\FipsSample - Clean\FipsSample>set
FIPSLIB_D=c:\openssl-fips-2.0.2\out32dll
C:\openssl-TestUtils\FipsSample - Clean\FipsSample>set FIPS_CC=cl
C:\openssl-TestUtils\FipsSample - Clean\FipsSample>set FIPS_CC_ARGS=/O2 /Oi /GL
/I "C:\openssl-1.0.1c\inc32" /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS"
/FD /EHsc /MD /Gy /Fo"Release\\" /Fd"Release\vc90.pdb" /W3 /c /Zi /TP
C:\openssl-TestUtils\FipsSample - Clean\FipsSample>set FIPS_LINK=link
C:\openssl-TestUtils\FipsSample - Clean\FipsSample>set
FIPS_SHA1_EXE=C:\openssl-fips-2.0.2\out32dll\fips_standalone_sha1.exe
C:\openssl-TestUtils\FipsSample - Clean\FipsSample>set
FIPS_SIG=C:\openssl-fips-2.0.2\util\msincore
C:\openssl-TestUtils\FipsSample - Clean\FipsSample>rem Not used to comple an
EXE: set PREMAIN_DSO_EXE=C:\openssl-1.0.1c\out32dll\fips_premain_dso.exe
C:\openssl-TestUtils\FipsSample - Clean\FipsSample>set PREMAIN_DSO_EXE=
C:\openssl-TestUtils\FipsSample - Clean\FipsSample>set
FIPS_TARGET=..\Release\FipsSample.exe
C:\openssl-TestUtils\FipsSample - Clean\FipsSample>perl
c:\openssl-fips-2.0.2\util\fipslink.pl @"link.rsp"
Integrity check OK
cl /O2 /Oi /GL /I "C:\openssl-1.0.1c\inc32" /D "WIN32" /D "NDEBUG" /D
"_CONSOLE" /D "_MBCS" /FD /EHsc /MD /Gy /Fo"Release\\" /Fd"Release\vc90.pdb"
/W3 /c /Zi /T P c:\openssl-fips-2.0.2\out32dll/fips_premain.c
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.
fips_premain.c
link @link.rsp
Microsoft (R) Incremental Linker Version 9.00.30729.01 Copyright (C) Microsoft
Corporation. All rights reserved.
"/OUT:C:\openssl-TestUtils\FipsSample - Clean\Release\FipsSample.exe"
/INCREMENTAL:NO "/LIBPATH:C:\openssl-1.0.1c\out32dll" /MANIFEST
"/MANIFESTFILE:Release\Fip sSample.exe.intermediate.manifest"
"/MANIFESTUAC:level='asInvoker' uiAccess='false'" /DEBUG
"/PDB:c:\openssl-TestUtils\FipsSample - Clean\Release\FipsSample.pdb "
/SUBSYSTEM:CONSOLE /OPT:REF /OPT:ICF /LTCG /DYNAMICBASE /NXCOMPAT /MACHINE:X86
libeay32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi
32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib
".\Release\FipsSample.obj"
".\Release\stdafx.obj"
".\Release\fips_premain.obj"
fips_premain.obj : error LNK2001: unresolved external symbol "unsigned char *
FIPS_signature" (?FIPS_signature@@3PAEA) fips_premain.obj : error LNK2001:
unresolved external symbol "void const * __cdecl FIPS_text_start(void)"
(?FIPS_text_start@@YAPBXXZ) fips_premain.obj : error LNK2001: unresolved
external symbol "unsigned int __cdecl FIPS_incore_fingerprint(unsigned char
*,unsigned int)" (?FIPS_incore_fingerpr
int@@YAIPAEI@Z)
C:\openssl-TestUtils\FipsSample - Clean\Release\FipsSample.exe : fatal error
LNK1120: 3 unresolved externals First stage Link failure at
c:\openssl-fips-2.0.2\util\fipslink.pl line 55.
=======================================================
---------------------------------------------------------------------------------------------------------------------------
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Jon Evers
Sent: Tuesday, February 05, 2013 2:09 PM
To: openssl-users@openssl.org
Subject: fipslink
Does anyone have a windows make file that uses fipslink to build an executable
that they can forward to me?
Alternatively a Visual Studio project that uses that would also help?
The smaller and simpler the project the better.
I’m trying to build a windows executable that uses the fips libraries and I
think I’m not using this utility correctly. I’m stuck with linker errors.
Thanks,
-Jon Evers
:I"Ϯrm
(Z+K�+1x
h[z(Z+
fy��fh)z{,
Live customer support is available 24/7/365 from the U.S. for all customers
worldwide and locally in other countries. Find out more at www.go2vanguard.com.
Enable Yourself Learn more about Vanguard zSecurity University training classes
offered online, on-demand by request, or in a traditional classroom setting in
cities worldwide. www.go2vanguard.com
This e-mail and any attachments are intended solely for the use of the
addressee and may contain information that is PRIVILEGED and CONFIDENTIAL. If
you are not the intended recipient of this e-mail, you are hereby notified that
any dissemination of this e-mail or any attachments is strictly prohibited. If
you have received this e-mail in error, please do not read this email, please
delete all copies of this e-mail and any attachments and notify the sender
immediately. Thank you.
� zt , - i 0^ % � Һ h � X ^ % ǫ ^ %
