[openssl-dev] [openssl.org #4300] BUG: Solaris FIPS container does not redefine bn_mul_mont_fpu in fipssyms.h
Engstrom, John via RT
rt at openssl.org
Mon Feb 15 20:09:53 UTC 2016
Sorry this has taken me so long to respond to. Just as you suspected, adding .weak makes the build of “big” OpenSSL work just fine. I assume that bn_mul_mont_fpu is something that in all likelihood won’t change since .weak will tell the linker to use the first definition of bn_mul_mont_fpu which I assume is the one defined in fipscanister.o?
Thanks,
John Engstrom
> On Feb 10, 2016, at 2:54 PM, Andy Polyakov via RT <rt at openssl.org> wrote:
>
> Hi,
>
>> When building an OpenSSL shared library on Solaris with FIPS support you get a multiply defined symbol error:
>>
>> ld: fatal: symbol 'bn_mul_mont_fpu' is multiply-defined:
>> (file /usr/local/ssl/fips-2.0/lib//fipscanister.o type=FUNC; file
>> libcrypto.a(sparcv9a-mont.o) type=FUNC);
>> ld: fatal: file processing errors. No output written to libcrypto.so.1.0.0
>> make[4]: *** [link_a.solaris] Error 1
>>
>>
>> This traces back to the fipssyms.h header file NOT defining bn_mul_mont_fpu when building the fipscanister. NOTE: the bn_mul_mont_fpu function in the SPARC assembly file (sparcv9a-mont.s) would also need to get redefined as fips_bn_mul_mont.
>
> Quoting RT#3713:
>
> "The
> reason for why the problem in question (and similar) slip through is
> that FIPS module validation procedure, exhausting as it is, does not
> involve linking with "big" OpenSSL. As a result one risks to remain
> oblivious of them on rare platforms such as one in question till it
> becomes too late. But luckily enough one can modify "big" OpenSSL to
> accommodate such mishaps. Renaming symbols as general method or
> case-specific workarounds ... is the way to go."
>
> Once again, "renaming symbols" refers to renaming in "big" OpenSSL, not
> in FIPS source, which can't be modified at will. As for case-specific
> workarounds, in this case adding '.weak $fname' right after '.global
> $fname' in sparcv9a-mont.pl in "big" OpenSSL should do the trick. Could
> you verify and report back?
>
>
> --
> Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4300
> Please log in as guest with password guest if prompted
>
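
The collision discussed in this thread can be caught before the link step by comparing symbol tables. The script below is an added example, not code from the thread or from OpenSSL: it assumes `nm -P` listings with GNU-style type letters, and the listings and every symbol name other than `bn_mul_mont_fpu` are constructed.

```shell
#!/bin/sh
# Added example: pre-link collision check over `nm -P` listings.
# Assumption: GNU-style type letters (T/D/B/R = strong global definition,
# W/V = weak, U = undefined, lowercase = local).

# strong_collisions A B: print names defined as strong globals in both listings.
strong_collisions() {
    awk '
        NF >= 2 && $2 ~ /^[TDBR]$/ {      # skips "archive[member]:" header lines
            if (FILENAME == ARGV[1]) seen[$1] = 1
            else if ($1 in seen) print $1
        }
    ' "$1" "$2" | sort -u
}

tmp=$(mktemp -d) || exit 1
trap 'rm -rf "$tmp"' EXIT

# Constructed listing standing in for `nm -P fipscanister.o`
cat > "$tmp/canister.nm" <<'EOF'
bn_mul_mont_fpu T 0 1f4
example_canister_only T 200 40
EOF

# Constructed listing for libcrypto.a before the change: strong definition
cat > "$tmp/crypto_before.nm" <<'EOF'
libcrypto.a[sparcv9a-mont.o]:
bn_mul_mont_fpu T 0 1f4
example_local t 200 10
EOF

# Same member after adding `.weak`: nm now reports the symbol as W
sed 's/^bn_mul_mont_fpu T/bn_mul_mont_fpu W/' \
    "$tmp/crypto_before.nm" > "$tmp/crypto_after.nm"

echo "before: $(strong_collisions "$tmp/canister.nm" "$tmp/crypto_before.nm")"
echo "after:  $(strong_collisions "$tmp/canister.nm" "$tmp/crypto_after.nm")"
```

A name reported here is one the linker would reject as multiply-defined; a weak definition on the "big" OpenSSL side drops out of the report because it yields to the strong definition in fipscanister.o.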