[openssl-users] Build Openssl + FIPS - recursive fipsld

Luís Martins luis.pinto.martins at gmail.com
Mon May 21 21:34:11 UTC 2018 

Hi,

    I'm trying to build openssl with FIPS module on Ubuntu 14.04 32 bits,
but during one of the steps the fipsld tool starts being called recursively.

    It happens on this step:
sh -c ( :; LIBDEPS="${LIBDEPS:--L.. -lssl  -L.. -lcrypto -ldl
-L/usr/local/lib -lz}";
LDCMD="${LDCMD:-/usr/local/ssl/fips2.0/bin/fipsld}";
LDFLAGS="${LDFLAGS:--DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN
-DHAVE_DLFCN_H -fPIC -O3 -fomit-frame-pointer -Wall
-I/usr/local/ssl/fips2.0/include}"; LIBPATH=`for x in $LIBDEPS; do echo $x;
done | sed -e 's/^ *-L//;t' -e d | uniq`; LIBPATH=`echo $LIBPATH | sed -e
's/ /:/g'`; LD_LIBRARY_PATH=$LIBPATH:$LD_LIBRARY_PATH ${LDCMD} ${LDFLAGS}
-o ${APPNAME:=openssl} openssl.o verify.o asn1pars.o req.o dgst.o dh.o
dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o
rsautl.o dsa.o dsaparam.o ec.o ecparam.o x509.o genrsa.o gendsa.o genpkey.o
s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o
version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o pkey.o pkeyparam.o
pkeyutl.o spkac.o smime.o cms.o rand.o engine.o ocsp.o prime.o ts.o srp.o
${LIBDEPS} )
fipsld -e /usr/local/ssl/fips2.0/bin/fipsld -DZLIB -DOPENSSL_THREADS
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -fPIC -O3 -fomit-frame-pointer
-Wall -I/usr/local/ssl/fips2.0/include -o openssl openssl.o verify.o
asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o
pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o ec.o ecparam.o
x509.o genrsa.o gendsa.o genpkey.o s_server.o s_client.o speed.o s_time.o
apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o
pkcs12.o pkcs8.o pkey.o pkeyparam.o pkeyutl.o spkac.o smime.o cms.o rand.o
engine.o ocsp.o prime.o ts.o srp.o -L.. -lssl -L.. -lcrypto -ldl
-L/usr/local/lib -lz
fipsld -e /usr/local/ssl/fips2.0/bin/fipsld
/usr/local/ssl/fips2.0/lib//fipscanister.o
/usr/local/ssl/fips2.0/lib/fips_premain.c -DZLIB -DOPENSSL_THREADS
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -fPIC -O3 -fomit-frame-pointer
-Wall -I/usr/local/ssl/fips2.0/include -o openssl openssl.o verify.o
asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o
pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o ec.o ecparam.o
x509.o genrsa.o gendsa.o genpkey.o s_server.o s_client.o speed.o s_time.o
apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o
pkcs12.o pkcs8.o pkey.o pkeyparam.o pkeyutl.o spkac.o smime.o cms.o rand.o
engine.o ocsp.o prime.o ts.o srp.o -L.. -lssl -L.. -lcrypto -ldl
-L/usr/local/lib -lz
fipsld -e /usr/local/ssl/fips2.0/bin/fipsld
/usr/local/ssl/fips2.0/lib/fips_premain.c
/usr/local/ssl/fips2.0/lib//fipscanister.o
/usr/local/ssl/fips2.0/lib/fips_premain.c -DZLIB -DOPENSSL_THREADS
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -fPIC -O3 -fomit-frame-pointer
-Wall -I/usr/local/ssl/fips2.0/include -o openssl openssl.o verify.o
asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o
pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o ec.o ecparam.o
x509.o genrsa.o gendsa.o genpkey.o s_server.o s_client.o speed.o s_time.o
apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o
pkcs12.o pkcs8.o pkey.o pkeyparam.o pkeyutl.o spkac.o smime.o cms.o rand.o
engine.o ocsp.o prime.o ts.o srp.o -L.. -lssl -L.. -lcrypto -ldl
-L/usr/local/lib -lz

    It keeps calling fipsld recursively, with each call adding one more
"/usr/local/ssl/fips2.0/lib/fips_premain.c" to the command.
    Any idea what am I missing ?

    My build steps are:

export FIPSDIR="/usr/local/ssl/fips2.0"
export MACHINE=linux-generic32
export CC="/usr/local/ssl/fips2.0/bin/fipsld"
export FIPSLD_CC="gcc"
export FIPS_SIG="/tmp/openssl-fips-2.0.16/util/incore"

# build openssl fips module
cd /tmp/
curl -O https://www.openssl.org/source/openssl-fips-2.0.16.tar.gz
gunzip -c openssl-fips-2.0.16.tar.gz | tar xf -
cd openssl-fips-2.0.16
./config
make
make install

# build openssl
cd /tmp
curl -O https://www.openssl.org/source/openssl-1.0.2n.tar.gz
tar -zxf openssl-1.0.2n.tar.gz
cd /tmp/openssl-1.0.2n
./Configure \
    --prefix=/usr/local \
    linux-generic32 \
    -fPIC \
    no-shared \
    no-capieng \
    fips \
    --with-fipsdir="/usr/local/ssl/fips2.0" \
    zlib \
    no-zlib-dynamic \
    --with-zlib-include="/usr/local/include" \
    --with-zlib-lib="/usr/local/lib"
make all -j1
make build_libs

--
Luís
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180521/7bfbcd28/attachment-0001.html>

More information about the openssl-users mailing list