shouldn't fipslink.pl include the fipscanister.lib in the link line?

shouldn't fipslink.pl include the fipscanister.lib in the link line?

Sam Roberts
I'm having trouble linking on Windows with fipslink.pl, lots of FIPS_
symbols are unresolved.

AFAICT, they are defined by the canister, and fipslink.pl is supposed
to know this, and add them to the link libraries by itself, but it
doesn't seem to do this.

Looking at the linux fipsld, it does appear to have code to find and
add fipscanister.o to the link line.

Any idea what I am doing wrong, or not understanding about fipslink.pl?

Thanks,
Sam
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: shouldn't fipslink.pl include the fipscanister.lib in the link line?

Dr. Stephen Henson
On Thu, Jul 13, 2017, Sam Roberts wrote:

> I'm having trouble linking on Windows with fipslink.pl, lots of FIPS_
> symbols are unresolved.
>
> AFAICT, they are defined by the canister, and fipslink.pl is supposed
> to know this, and add them to the link libraries by itself, but it
> doesn't seem to do this.
>
> Looking at the linux fipsld, it does appear to have code to find and
> add fipscanister.o to the link line.
>
> Any idea what I am doing wrong, or not understanding about fipslink.pl?
>

First if you want to link to the OpenSSL DLLs then you don't need fipslink.pl
at all: just link to them as you would any other application.

If you do want to link against the static libraries then the easiest way to do
that is to examine the contents of nt.mak, look for FIPSLINK and adapt the
rule to your needs.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: shouldn't fipslink.pl include the fipscanister.lib in the link line?

Sam Roberts
On Thu, Jul 13, 2017 at 12:34 PM, Dr. Stephen Henson <[hidden email]> wrote:
> First if you want to link to the OpenSSL DLLs then you don't need fipslink.pl
> at all: just link to them as you would any other application.

I'm working on Node.js, it links statically, so this isn't an option for me.

> If you do want to link against the static libraries then the easiest way to do
> that is to examine the contents of nt.mak, look for FIPSLINK and adapt the
> rule to your needs.

Where is nt.mak? It's mentioned in the User Guide but I didn't find it
in the github repo, or tarballs for openssl 1.0.2j or 1.1.0c, or
tarballs for openssl-fips 2.0.9, or 2.0.16.

Thanks,
Sam

Re: shouldn't fipslink.pl include the fipscanister.lib in the link line?

Dr. Stephen Henson
On Thu, Jul 13, 2017, Sam Roberts wrote:

> On Thu, Jul 13, 2017 at 12:34 PM, Dr. Stephen Henson <[hidden email]> wrote:
>
> > If you do want to link against the static libraries then the easiest way to do
> > that is to examine the contents of nt.mak, look for FIPSLINK and adapt the
> > rule to your needs.
>
> Where is nt.mak? It's mentioned in the User Guide but I didn't find it
> in the github repo, or tarballs for openssl 1.0.2j or 1.1.0c, or
> tarballs for openssl-fips 2.0.9, or 2.0.16
>

It's created by OpenSSL when you follow the Windows build procedure.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: shouldn't fipslink.pl include the fipscanister.lib in the link line?

Sam Roberts
On Thu, Jul 13, 2017 at 1:41 PM, Dr. Stephen Henson <[hidden email]> wrote:

> On Thu, Jul 13, 2017, Sam Roberts wrote:
>> On Thu, Jul 13, 2017 at 12:34 PM, Dr. Stephen Henson <[hidden email]> wrote:
>> > If you do want to link against the static libraries then the easiest way to do
>> > that is to examine the contents of nt.mak, look for FIPSLINK and adapt the
>> > rule to your needs.
>>
>> Where is nt.mak? It's mentioned in the User Guide but I didn't find it
>> in the github repo, or tarballs for openssl 1.0.2j or 1.1.0c, or
>> tarballs for openssl-fips 2.0.9, or 2.0.16
>>
>
> It's created by OpenSSL when you follow the Windows build procedure.

No luck so far. I downloaded openssl-1.0.2l and did the `perl Configure ...
--with=fipsdir...` from section 4.3.3 and don't have a ms/nt.mak.

Or is it openssl-fips that is going to have the ms/nt.mak? I followed
the directions in section 4.3.1 and I have a ms/ntdll.mak, but no
nt.mak.

For context, I've never done the openssl perl build (until just now,
to try to get a nt.mak), because I'm working on Node.js. It has
openssl copied into its git repo as a dependency, and builds and
statically links it using a gyp based build system. This works fine
for Linux FIPS, but I'm trying to get it working for Windows FIPS.
First I need to figure out the fipslink.pl commands to call by hand,
then I'll have the fun of trying to convince gyp to generate ninja
files that call fipslink.pl correctly.

Re: shouldn't fipslink.pl include the fipscanister.lib in the link line?

Dr. Stephen Henson
On Thu, Jul 13, 2017, Sam Roberts wrote:

> On Thu, Jul 13, 2017 at 1:41 PM, Dr. Stephen Henson <[hidden email]> wrote:
> >>
> >> Where is nt.mak? It's mentioned in the User Guide but I didn't find it
> >> in the github repo, or tarballs for openssl 1.0.2j or 1.1.0c, or
> >> tarballs for openssl-fips 2.0.9, or 2.0.16
> >>
> >
> > It's created by OpenSSL when you follow the Windows build procedure.
>
> No luck so far. I downloaded openssl-1.0.2l and did the `perl Configure ...
> --with=fipsdir...` from section 4.3.3 and don't have a ms/nt.mak.
>

Are you compiling with VC++? That's the only compiler which is supported for
FIPS and Windows.

If you are then you need the next step which is:

ms\do_nasm

to get ms\nt.mak

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: shouldn't fipslink.pl include the fipscanister.lib in the link line?

Sam Roberts
On Thu, Jul 13, 2017 at 7:46 PM, Dr. Stephen Henson <[hidden email]> wrote:

> On Thu, Jul 13, 2017, Sam Roberts wrote:
>
>> On Thu, Jul 13, 2017 at 1:41 PM, Dr. Stephen Henson <[hidden email]> wrote:
>> >>
>> >> Where is nt.mak? It's mentioned in the User Guide but I didn't find it
>> >> in the github repo, or tarballs for openssl 1.0.2j or 1.1.0c, or
>> >> tarballs for openssl-fips 2.0.9, or 2.0.16
>> >>
>> >
>> > It's created by OpenSSL when you follow the Windows build procedure.
>>
>> No luck so far. I downloaded openssl-1.0.2l and did the `perl Configure ...
>> --with=fipsdir...` from section 4.3.3 and don't have a ms/nt.mak.
>>
>
> Are you compiling with VC++? That's the only compiler which is supported for
> FIPS and Windows.

Yes, Visual Studio 2015.

> If you are then you need the next step which is:
>
> ms\do_nasm
>
> to get ms\nt.mak


That worked to get me the file, thanks.

Re: shouldn't fipslink.pl include the fipscanister.lib in the link line?

Sam Roberts
On Thu, Jul 13, 2017 at 11:07 AM, Sam Roberts <[hidden email]> wrote:
> I'm having trouble linking on Windows with fipslink.pl, lots of FIPS_
> symbols are unresolved.

OK, I attempted to do as ms/nt.mak does, rewriting it as a batch file:
https://github.com/sam-github/node/blob/fips-win-ninja/fipslink.bat,
no luck yet.

The args are passed in %2 as a response file from
https://github.com/sam-github/node/blob/574ddeff5197d097d7d872e2ef03127b95b4d5f9/out/Release/build.ninja#L70-L71,
the rsp file is
https://github.com/sam-github/node/blob/574ddeff5197d097d7d872e2ef03127b95b4d5f9/out/Release/openssl-cli.exe.rsp#L52

Note that the lib names used in the node gyp build of openssl vary a
bit from the perl/ms makefile build.

Anyhow, still the same link errors. My eventual goal is to build a
fips node on Windows (Linux works already), but one of its build
pre-reqs is the openssl CLI:

C:\Users\rsam\node\out\Release>c:\users\rsam\perl\bin\perl.exe c:\usr\local\ssl\fips-2.0\bin\fipslink.pl /nologo /subsystem:console /opt:ref /debug /out:openssl-cli.exe .\fips_premain.obj @openssl-cli.exe.rsp
Integrity check OK
"C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\bin\amd64\cl.exe" /Fo.\fips_premain.obj  -c c:\usr\local\ssl\fips-2.0\lib/fips_premain.c
Microsoft (R) C/C++ Optimizing Compiler Version 19.00.24210 for x64
Copyright (C) Microsoft Corporation.  All rights reserved.

fips_premain.c
link /nologo /subsystem:console /opt:ref /debug /out:openssl-cli.exe .\fips_premain.obj @openssl-cli.exe.rsp
fips_premain.obj : error LNK2001: unresolved external symbol FIPS_text_start
fips_premain.obj : error LNK2001: unresolved external symbol FIPS_incore_fingerprint
fips_premain.obj : error LNK2001: unresolved external symbol FIPS_signature
crypto.lib(openssl.rand_lib.obj) : error LNK2001: unresolved external symbol FIPS_rand_set_method
crypto.lib(openssl.rand_lib.obj) : error LNK2001: unresolved external symbol FIPS_get_default_drbg
etc...


I'd love any suggestions; as is, the only way I can think of to figure
out how FIPS builds are supposed to work is to do a pure-openssl fips
build, get a dump of all the compile and link commands done by the
generated makefiles, and try working from there to reverse engineer
what the ninja/batch file build should be trying to do.

Re: shouldn't fipslink.pl include the fipscanister.lib in the link line?

Dr. Stephen Henson
On Wed, Jul 19, 2017, Sam Roberts wrote:

>
> Note that the lib names used in the node gyp build of openssl vary a
> bit from the perl/ms makefile build.
>
> Anyhow, still the same link errors. My eventual goal is to build a
> fips node on Windows (Linux works already), but one of its build
> pre-reqs is the openssl CLI:
>
> C:\Users\rsam\node\out\Release>c:\users\rsam\perl\bin\perl.exe c:\usr\local\ssl\fips-2.0\bin\fipslink.pl /nologo /subsystem:console /opt:ref /debug /out:openssl-cli.exe .\fips_premain.obj @openssl-cli.exe.rsp
> Integrity check OK
> "C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\bin\amd64\cl.exe" /Fo.\fips_premain.obj  -c c:\usr\local\ssl\fips-2.0\lib/fips_premain.c
> Microsoft (R) C/C++ Optimizing Compiler Version 19.00.24210 for x64
> Copyright (C) Microsoft Corporation.  All rights reserved.
>
> fips_premain.c
> link /nologo /subsystem:console /opt:ref /debug /out:openssl-cli.exe .\fips_premain.obj @openssl-cli.exe.rsp
> fips_premain.obj : error LNK2001: unresolved external symbol FIPS_text_start
> fips_premain.obj : error LNK2001: unresolved external symbol FIPS_incore_fingerprint
> fips_premain.obj : error LNK2001: unresolved external symbol FIPS_signature
> crypto.lib(openssl.rand_lib.obj) : error LNK2001: unresolved external symbol FIPS_rand_set_method
> crypto.lib(openssl.rand_lib.obj) : error LNK2001: unresolved external symbol FIPS_get_default_drbg
> etc...
>
>
> I'd love any suggestions; as is, the only way I can think of to figure
> out how FIPS builds are supposed to work is to do a pure-openssl fips
> build, get a dump of all the compile and link commands done by the
> generated makefiles, and try working from there to reverse engineer
> what the ninja/batch file build should be trying to do.

Try linking with fipscanister.lib too: that's where those symbols are located.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: shouldn't fipslink.pl include the fipscanister.lib in the link line?

Sam Roberts
On Wed, Jul 19, 2017 at 6:27 PM, Dr. Stephen Henson <[hidden email]> wrote:
> Try linking with fipscanister.lib too: that's where those symbols are located.

OK, I'd tried that before with no luck, but I tried harder. I found
that if my lib line has the fips_premain.obj, then the
fipscanister.lib, then the rest of the program's obj files and libs in
exactly that order, the symbols are resolved.

That's progress!

Now I'm hitting the dreaded MSVCRT conflicts with use of other libs problem.

Most of the application is compiled with /MT, but openssl-fips-2.0.16
is using /MD, could this be an issue? Can I/should I convince
ms\do_fips to build against the multi-threaded runtime?

It may also be other obj files causing the issue, the MSVC message is
not so helpful, I'm continuing to look.

I used /nodefaultlib:msvcrt (even though it's supposed to not be
recommended) and I got a link of openssl-cli, though with lots of
"LNK4049 locally defined symbol _exit imported", which sounds like it's
another symbol of /MT and /MD mismatch.

I also almost got a link of node, but it died with
fipscanister.lib(cryptolib.obj): error LNK2001: unresolved symbol
__imp_wcsstr, and __imp___stdio_common_vsscanf, both of which sound
suspiciously like a problem with the runtime compilation flags to me.


Cheers,
Sam

Re: shouldn't fipslink.pl include the fipscanister.lib in the link line?

Dr. Stephen Henson
On Thu, Jul 20, 2017, Sam Roberts wrote:

>
> Most of the application is compiled with /MT, but openssl-fips-2.0.16
> is using /MD, could this be an issue? Can I/should I convince
> ms\do_fips to build against the multi-threaded runtime?
>

Unfortunately you can't change that part of the build process in any way or
the result is no longer validated.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: shouldn't fipslink.pl include the fipscanister.lib in the link line?

Sam Roberts
On Thu, Jul 20, 2017 at 4:08 PM, Dr. Stephen Henson <[hidden email]> wrote:

> On Thu, Jul 20, 2017, Sam Roberts wrote:
>
>>
>> Most of the application is compiled with /MT, but openssl-fips-2.0.16
>> is using /MD, could this be an issue? Can I/should I convince
>> ms\do_fips to build against the multi-threaded runtime?
>>
>
> Unfortunately you can't change that part of the build process in any way or
> the result is no longer validated.

OK, then given https://msdn.microsoft.com/en-us/library/2kzt1wy3(VS.80).aspx
"All modules passed to a given invocation of the linker must have been
compiled with the same run-time library compiler option (/MD, /MT,
/LD)." a static link is impossible, it seems.

I don't think a DLL build will work for node.js given its
distribution/use model, but hypothetically, is there a way to hide
fipscanister in a single-threaded DLL, used by a multi-threaded app?
Are you aware of any multi-threaded OpenSSL FIPS apps on Windows?

node makes almost all of its openssl calls from a single thread, but
there are two exceptions, getting random seeds and pbkdf2, where the
cpu intensive or potentially blocking call is made from a thread pool.

Cheers,
Sam

Re: shouldn't fipslink.pl include the fipscanister.lib in the link line?

Jakob Bohm-7
On 21/07/2017 00:56, Sam Roberts wrote:

> On Wed, Jul 19, 2017 at 6:27 PM, Dr. Stephen Henson <[hidden email]> wrote:
>> Try linking with fipscanister.lib too: that's where those symbols are located.
> OK, I'd tried that before with no luck, but I tried harder. I found
> that if my lib line has the fips_premain.obj, then the
> fipscanister.lib, then the rest of the program's obj files and libs in
> exactly that order, the symbols are resolved.
>
> That's progress!
>
> Now I'm hitting the dreaded MSVCRT conflicts with use of other libs problem.
>
> Most of the application is compiled with /MT, but openssl-fips-2.0.16
> is using /MD, could this be an issue? Can I/should I convince
> ms\do_fips to build against the multi-threaded runtime?
>
> It may also be other obj files causing the issue, the MSVC message is
> not so helpful, I'm continuing to look.
>
> I used /nodefaultlib:msvcrt (even though it's supposed to not be
> recommended) and I got a link of openssl-cli, though with lots of
> "LNK4049 locally defined symbol _exit imported", which sounds like it's
> another symbol of /MT and /MD mismatch.
That's the warning that something (hopefully only the fips blob and not
the fips-enabled OpenSSL) was compiled with /MD.  This should be harmless
as the linker generates the needed glue (dummy pointer variables pointing
to the symbol, so the /MD compiled code can dereference those as if they
were import table entries).

> I also almost got a link of node, but it died with
> fipscanister.lib(cryptolib.obj): error LNK2001: unresolved symbol
> __imp_wcsstr, and __imp___stdio_common_vsscanf, both of which sound
> suspiciously like a problem with the runtime compilation flags to me.
This is strange, as those two should also have been handled by the
LNK4049 mechanism, unless there is one of the following:

A) Mismatch between compiler versions or C runtime header versions
   between the FIPS canister compile and your final link.

B) Some oddity in how those two symbols are defined in your visual
   studio runtime version.

Either should be possible to work around with some tenacity.  Of course
doing such work is not "supported" by Microsoft, but what is these days.

If the issue is item B, then linking in a stub file providing the two
missing functions (as wrappers around functions actually in the static
C runtime) might do the trick.

Of course, you will need to do thorough testing of the resulting
program/dll to make sure there are no other C runtime differences
causing trouble.

P.S.

I kind of wonder what in the fips canister uses wcsstr(), but since
that cannot be changed while retaining the FIPS validation status,
that's just curiosity.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

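As an added example (not code from this thread, from OpenSSL or from Node.js), a small Python triage script that parses MSVC linker messages like those quoted above and sorts the unresolved symbols into the two causes worked out in the thread: FIPS_* symbols that live in fipscanister.lib and need it in the right link order, and __imp_* symbols plus LNK4049 warnings that point at the /MD versus /MT runtime mismatch. The sample input is constructed from the messages in the thread (the two __imp_ lines are written out in standard LNK2001 form); the symbol-prefix heuristic in classify() is an assumption, not an MSVC rule.

```python
import re

# Constructed sample input (not an actual capture): the LNK2001 lines quoted in
# this thread, plus the two __imp_ symbols and the LNK4049 warning Sam reported.
SAMPLE_LINK_OUTPUT = """\
Integrity check OK
fips_premain.obj : error LNK2001: unresolved external symbol FIPS_text_start
fips_premain.obj : error LNK2001: unresolved external symbol FIPS_incore_fingerprint
fips_premain.obj : error LNK2001: unresolved external symbol FIPS_signature
crypto.lib(openssl.rand_lib.obj) : error LNK2001: unresolved external symbol FIPS_rand_set_method
crypto.lib(openssl.rand_lib.obj) : error LNK2001: unresolved external symbol FIPS_get_default_drbg
fipscanister.lib(cryptolib.obj) : error LNK2001: unresolved external symbol __imp_wcsstr
fipscanister.lib(cryptolib.obj) : error LNK2001: unresolved external symbol __imp___stdio_common_vsscanf
LINK : warning LNK4049: locally defined symbol _exit imported
"""

# "<object or lib(member)> : error LNK2001: unresolved external symbol <name>"
LNK2001_RE = re.compile(
    r"^(?P<ref>\S+?) ?: error LNK2001: unresolved (?:external )?symbol (?P<sym>\S+)")
LNK4049_RE = re.compile(r"warning LNK4049: locally defined symbol (?P<sym>\S+) imported")


def classify(sym):
    # Assumed heuristic: FIPS_* = canister export, __imp_* = CRT import thunk.
    if sym.startswith("FIPS_"):
        return "canister"
    if sym.startswith("__imp_"):
        return "crt_mismatch"
    return "other"


def triage(link_output):
    """Parse MSVC linker output into buckets of (referencing object, symbol)."""
    report = {"canister": [], "crt_mismatch": [], "other": [], "imported_locals": []}
    for line in link_output.splitlines():
        m = LNK2001_RE.match(line)
        if m:
            report[classify(m["sym"])].append((m["ref"], m["sym"]))
            continue
        m = LNK4049_RE.search(line)
        if m:
            report["imported_locals"].append(m["sym"])
    return report


def suggestions(report):
    """Map the buckets onto the two root causes identified in the thread."""
    out = []
    if report["canister"]:
        out.append("FIPS_* symbols are exported by fipscanister.lib: link "
                   "fips_premain.obj, then fipscanister.lib, then the remaining "
                   "objects and libraries, in that order.")
    if report["crt_mismatch"] or report["imported_locals"]:
        out.append("__imp_* references and LNK4049 indicate a CRT model mismatch "
                   "(/MD canister objects in a /MT link); the canister build "
                   "cannot be altered without losing its validation.")
    return out
```

Feed triage() the real linker output from a failed fipslink.pl run and print suggestions(); anything landing in the "other" bucket is a symbol this thread does not explain.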