[Pkg-openssl-devel] Question about building FIPS-capable openssl 1.0.2k

Martin.Belanger at dell.com Martin.Belanger at dell.com
Wed Feb 8 19:21:44 UTC 2017 

Hi,

I work for Dell and we have developed our own FIPS canister. I'm trying to build openssl 1.0.2k from Jessie-backports with fips support and link our FIPS canister to it. So I basically did the following:

dget -x http://http.debian.net/debian/pool/main/o/openssl/openssl_1.0.2k-1~bpo8+1.dsc
dpkg-source -x ./openssl_1.0.2k-1~bpo8+1.dsc
cd ./openssl-1.0.2k

Then I edit ./debian/rules and change CONFARGS as follows:

From:

CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib  enable-tlsext no-ssl2 no-ssl3

To:

CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) fips --with-fipsdir=${DELL-CANISTER-DIR}/Debian/openssl/fips
Then I try to build with:

fakeroot ./debian/rules binary

But I get these errors:

make -f ../Makefile.shared -e \
    APPNAME=openssl OBJECTS="openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o ec.o ecparam.o x509.o genrsa.o gendsa.o genpkey.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o pkey.o pkeyparam.o pkeyutl.o spkac.o smime.o cms.o rand.o engine.o ocsp.o prime.o ts.o srp.o" \
    LIBDEPS=" $LIBRARIES -ldl" \
    link_app.${shlib_target}
make[3]: Entering directory '/home/mbelanger/openssl/openssl-1.0.2k/apps'
speed.o: In function `speed_main':
/home/mbelanger/openssl/openssl-1.0.2k/apps/speed.c:1291: undefined reference to `private_DES_set_key_unchecked'
/home/mbelanger/openssl/openssl-1.0.2k/apps/speed.c:1292: undefined reference to `private_DES_set_key_unchecked'
/home/mbelanger/openssl/openssl-1.0.2k/apps/speed.c:1293: undefined reference to `private_DES_set_key_unchecked'
/home/mbelanger/openssl/openssl-1.0.2k/apps/speed.c:1296: undefined reference to `private_AES_set_encrypt_key'
/home/mbelanger/openssl/openssl-1.0.2k/apps/speed.c:1297: undefined reference to `private_AES_set_encrypt_key'
/home/mbelanger/openssl/openssl-1.0.2k/apps/speed.c:1298: undefined reference to `private_AES_set_encrypt_key'
/home/mbelanger/openssl/openssl-1.0.2k/apps/speed.c:1301: undefined reference to `private_Camellia_set_key'
/home/mbelanger/openssl/openssl-1.0.2k/apps/speed.c:1302: undefined reference to `private_Camellia_set_key'
/home/mbelanger/openssl/openssl-1.0.2k/apps/speed.c:1303: undefined reference to `private_Camellia_set_key'
/home/mbelanger/openssl/openssl-1.0.2k/apps/speed.c:1306: undefined reference to `private_idea_set_encrypt_key'
/home/mbelanger/openssl/openssl-1.0.2k/apps/speed.c:1309: undefined reference to `private_SEED_set_key'
/home/mbelanger/openssl/openssl-1.0.2k/apps/speed.c:1312: undefined reference to `private_RC4_set_key'
/home/mbelanger/openssl/openssl-1.0.2k/apps/speed.c:1315: undefined reference to `private_RC2_set_key'
/home/mbelanger/openssl/openssl-1.0.2k/apps/speed.c:1321: undefined reference to `private_BF_set_key'
/home/mbelanger/openssl/openssl-1.0.2k/apps/speed.c:1324: undefined reference to `private_CAST_set_key'
collect2: error: ld returned 1 exit status
../Makefile.shared:171: recipe for target 'link_app.gnu' failed
make[3]: *** [link_app.gnu] Error 1
make[3]: Leaving directory '/home/mbelanger/openssl/openssl-1.0.2k/apps'
Makefile:156: recipe for target 'openssl' failed
make[2]: *** [openssl] Error 2
make[2]: Leaving directory '/home/mbelanger/openssl/openssl-1.0.2k/apps'
Makefile:294: recipe for target 'build_apps' failed
make[1]: *** [build_apps] Error 1
make[1]: Leaving directory '/home/mbelanger/openssl/openssl-1.0.2k'
debian/rules:53: recipe for target 'build-stamp' failed
make: *** [build-stamp] Error 2

Did I miss anything? Any "configure" arguments missing?

By the way, I successfully did the same thing with the upstream openssl 1.0.2k code. That is, I downloaded openssl 1.0.2k with wget http://www.openssl.org/source/openssl-1.0.2k.tar.gz and built it with the same "configure" options I listed above and that worked. So I'm not sure why it doesn't work when I try with Jessie-backports.

Thanks,

Martin Belanger
Sr. Engineer
Dell EMC.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/attachments/20170208/e9b5d407/attachment.html>

More information about the Pkg-openssl-devel mailing list