[openssl-dev] [openssl.org #4300] BUG: Solaris FIPS container does not redefine bn_mul_mont_fpu in fipssyms.h

Andy Polyakov via RT rt at openssl.org
Wed Feb 10 20:54:25 UTC 2016


Hi,

> When building an OpenSSL shared library on Solaris with FIPS support you get a multiply defined symbol error:
> 
> ld: fatal: symbol 'bn_mul_mont_fpu' is multiply-defined: 
> (file /usr/local/ssl/fips-2.0/lib//fipscanister.o type=FUNC; file 
> libcrypto.a(sparcv9a-mont.o) type=FUNC); 
> ld: fatal: file processing errors. No output written to libcrypto.so.1.0.0 
> make[4]: *** [link_a.solaris] Error 1 
> 
> 
> This traces back to the fipssyms.h header file NOT defining bn_mul_mont_fpu when building the fipscanister.  NOTE: the bn_mul_mont_fpu function in the SPARC assembly file (sparcv9a-mont.s) would also need to get redefined as fips_bn_mul_mont.

Quoting RT#3713:

"The
reason for why the problem in question (and similar) slip through is
that FIPS module validation procedure, exhausting as it is, does not
involve linking with "big" OpenSSL. As result one risks to remain
oblivious of them on rare platforms such as one in question till it
becomes too late. But luckily enough one can modify "big" OpenSSL to
accommodate such mishaps. Renaming symbols as general method or
case-specific workarounds ... is the way to go."

Once again, "renaming symbols" refers to renaming in "big" OpenSSL, not
in FIPS source, which can't be modified at will. As for case-specific
workarounds in this case adding '.weak $fname' right after '.global
$fname' in sparcv9a-mont.pl in "big" OpenSSL should do the trick. Could
you verify and report back?


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4300
Please log in as guest with password guest if prompted



More information about the openssl-dev mailing list