Issue #6946 has been updated by MartinBosslet (Martin Bosslet).


I'm sorry for not responding earlier. The problem is that I simply can't get a FIPS version of OpenSSL linked with Ruby OpenSSL to complete this task. I'm trying OpenSSL 1.0.1c and openssl-fips-2.0.2. I can compile my 1.0.1c using the FIPS canister, and I also verified that FIPS mode is working correctly.

The problem is now linking the Ruby OpenSSL extension against it. I'm supposed to include /usr/local/ssl/fips-2.0/bin/ in $PATH and then to compile using

    make CC=fipsld FIPSLD_CC=gcc

On my 32-bit Linux machine this gives me a segfault during the linking phase, and on my 64-bit machine I get:

    linking shared-object openssl.so
    /usr/bin/ld: /tmp/cc1Oph68.o: relocation R_X86_64_32S against `.rodata' can not be used when making a shared object; recompile with -fPIC
    /tmp/cc1Oph68.o: could not read symbols: Bad value
    collect2: ld returned 1 exit status
    make: *** [openssl.so] Error 1

I checked, both the FIPS canister as well as OpenSSL were compiled using -fPIC, and -fPIC is also part of the CFLAGS in the Makefile generated for the OpenSSL extension. Ruby itself was compiled using -fPIC, too. The OpenSSL C library was linked statically (libcrypto.a & libssl.a). gcc version is 

    gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)

I'd appreciate any help, I'm really stuck here. Has anyone got an idea what I'm doing wrong, or has anyone had success in linking Ruby OpenSSL to a FIPS version of native OpenSSL?
----------------------------------------
Feature #6946: FIPS support?
https://bugs.ruby-lang.org/issues/6946#change-34840

Author: vo.x (Vit Ondruch)
Status: Assigned
Priority: Normal
Assignee: MartinBosslet (Martin Bosslet)
Category: ext
Target version: next minor


=begin
Hi, running the test suite on FIPS enabled system using 

 $ find test/ -type f -name test_*.rb -exec make test-all TESTS="-v '{}'" \;

command with patch from #6938 applied, it gives me plenty of errors (see attached output.txt file). There are two kinds of errors as far as I understand: some are more or less test suite errors (e.g. #6938), which should be easy to fix, while some others (e.g. #6943) would need bigger changes.

Is there any chance that Ruby will provide better support for FIPS and these errors get fixed?
=end



-- 
http://bugs.ruby-lang.org/