[openssl-dev] [openssl.org #4300] BUG: Solaris FIPS container does not redefine bn_mul_mont_fpu in fipssyms.h

Engstrom, John via RT rt at openssl.org
Mon Feb 15 20:09:53 UTC 2016 

Sorry this has taken me so long to respond to.  Just as you suspected adding .weak makes the build of “big” OpenSSL work just fine.  I assume that bn_mul_mont_fpu is something that in all likelihood won’t change since .weak will tell the linker to use the first definition of bn_mul_mont_fpu which I assume is the one defined in fipscanister.o?

Thanks,
John Engstrom

> On Feb 10, 2016, at 2:54 PM, Andy Polyakov via RT <rt at openssl.org> wrote:
> 
> Hi,
> 
>> When building an OpenSSL shared library on Solaris with FIPS support you get a multiply defined symbol error:
>> 
>> ld: fatal: symbol 'bn_mul_mont_fpu' is multiply-defined: 
>> (file /usr/local/ssl/fips-2.0/lib//fipscanister.o type=FUNC; file 
>> libcrypto.a(sparcv9a-mont.o) type=FUNC); 
>> ld: fatal: file processing errors. No output written to libcrypto.so.1.0.0 
>> make[4]: *** [link_a.solaris] Error 1 
>> 
>> 
>> This traces back to the fipssyms.h header file NOT defining bn_mul_mont_fpu when building the fipscanister.  NOTE: the bn_mul_mont_fpu function in the SPARC assembly file (sparcv9a-mont.s) would also need to get redefined as fips_bn_mul_mont.
> 
> Quoting RT#3713:
> 
> "The
> reason for why the problem in question (and similar) slip through is
> that FIPS module validation procedure, exhausting as it is, does not
> involve linking with "big" OpenSSL. As result one risks to remain
> oblivious of them on rare platforms such as one in question till it
> becomes too late. But luckily enough one can modify "big" OpenSSL to
> accommodate such mishaps. Renaming symbols as general method or
> case-specific workarounds ... is the way to go."
> 
> Once again, "renaming symbols" refers to renaming in "big" OpenSSL, not
> in FIPS source, which can't be modified at will. As for case-specific
> workarounds in this case adding '.weak $fname' right after '.global
> $fname' in sparcv9a-mont.pl in "big" OpenSSL should do the trick. Could
> you verify and report back?
> 
> 
> -- 
> Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4300
> Please log in as guest with password guest if prompted
> 


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4300
Please log in as guest with password guest if prompted

More information about the openssl-dev mailing list