[Bug 2146582] [NEW] 'do_fips_lock_init' undeclared
Alan Moore
2146582 at bugs.launchpad.net
Fri Mar 27 17:30:28 UTC 2026
Public bug reported:
Based on archive latest(5ebe7d27f81c9bbb8c0282e1206a8804afb2a29f)
openssl, change no-fips to enable-fips, the build will fail with the
following error:
```
../crypto/fips_mode.c:21:1: error: return type defaults to 'int' [-Wimplicit-int]
21 | DEFINE_RUN_ONCE_STATIC(do_fips_lock_init)
| ^~~~~~~~~~~~~~~~~~~~~~
../crypto/fips_mode.c: In function 'DEFINE_RUN_ONCE_STATIC':
../crypto/fips_mode.c:21:1: warning: old-style function definition [-Wold-style-definition]
../crypto/fips_mode.c:21:1: error: type of 'do_fips_lock_init' defaults to 'int' [-Wimplicit-int]
../crypto/fips_mode.c: In function 'ossl_fips_mode':
../crypto/fips_mode.c:31:8: error: implicit declaration of function 'RUN_ONCE' [-Wimplicit-function-declaration]
31 | if (!RUN_ONCE(&fips_lock_init, do_fips_lock_init))
| ^~~~~~~~
../crypto/fips_mode.c:31:34: error: 'do_fips_lock_init' undeclared (first use in this function); did you mean 'fips_lock_init'?
31 | if (!RUN_ONCE(&fips_lock_init, do_fips_lock_init))
| ^~~~~~~~~~~~~~~~~
| fips_lock_init
../crypto/fips_mode.c:31:34: note: each undeclared identifier is reported only once for each function it appears in
gcc -I. -Icrypto -Iinclude -Iproviders/implementations/include -Iproviders/common/include -Iproviders/fips/include -I.. -I../crypto -I../include -I../providers/implementations/include -I../providers/common/include -I../providers/fips/include -DAES_ASM -DBSAES_ASM -DECP_NISTZ256_ASM -DFIPS_MODULE -DGHASH_ASM -DKECCAK1600_ASM -DOPENSSL_BN_ASM_GF2m -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DVPAES_ASM -DX25519_ASM -fPIC -pthread -m64 -Wa,--noexecstack -Wall -fzero-call-used-regs=used-gpr -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/lib/ssl\"" -DENGINESDIR="\"/usr/lib/x86_64-linux-gnu/engines-3\"" -DMODULESDIR="\"/usr/lib/x86_64-linux-gnu/ossl-modules\"" -DOPENSSL_BUILDING_OPENSSL -DZLIB -DZSTD -DNDEBUG -MMD -MF crypto/libfips-lib-params_from_text.d.tmp -c -o crypto/libfips-lib-params_from_text.o ../crypto/params_from_text.c
../crypto/fips_mode.c: In function 'ossl_init_fips':
../crypto/fips_mode.c:48:36: error: 'do_fips_lock_init' undeclared (first use in this function); did you mean 'fips_lock_init'?
48 | if (!RUN_ONCE(&fips_lock_init, do_fips_lock_init))
| ^~~~~~~~~~~~~~~~~
| fips_lock_init
gcc -I. -Icrypto -Iinclude -Iproviders/implementations/include -Iproviders/common/include -Iproviders/fips/include -I.. -I../crypto -I../include -I../providers/implementations/include -I../providers/common/include -I../providers/fips/include -DAES_ASM -DBSAES_ASM -DECP_NISTZ256_ASM -DFIPS_MODULE -DGHASH_ASM -DKECCAK1600_ASM -DOPENSSL_BN_ASM_GF2m -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DVPAES_ASM -DX25519_ASM -fPIC -pthread -m64 -Wa,--noexecstack -Wall -fzero-call-used-regs=used-gpr -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/lib/ssl\"" -DENGINESDIR="\"/usr/lib/x86_64-linux-gnu/engines-3\"" -DMODULESDIR="\"/usr/lib/x86_64-linux-gnu/ossl-modules\"" -DOPENSSL_BUILDING_OPENSSL -DZLIB -DZSTD -DNDEBUG -MMD -MF crypto/libfips-lib-params_idx.d.tmp -c -o crypto/libfips-lib-params_idx.o crypto/params_idx.c
../crypto/fips_mode.c: In function 'ossl_set_fips':
../crypto/fips_mode.c:90:34: error: 'do_fips_lock_init' undeclared (first use in this function); did you mean 'fips_lock_init'?
90 | if (!RUN_ONCE(&fips_lock_init, do_fips_lock_init))
| ^~~~~~~~~~~~~~~~~
| fips_lock_init
gcc -I. -Icrypto -Iinclude -Iproviders/implementations/include -Iproviders/common/include -Iproviders/fips/include -I.. -I../crypto -I../include -I../providers/implementations/include -I../providers/common/include -I../providers/fips/include -DAES_ASM -DBSAES_ASM -DECP_NISTZ256_ASM -DFIPS_MODULE -DGHASH_ASM -DKECCAK1600_ASM -DOPENSSL_BN_ASM_GF2m -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DVPAES_ASM -DX25519_ASM -fPIC -pthread -m64 -Wa,--noexecstack -Wall -fzero-call-used-regs=used-gpr -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/lib/ssl\"" -DENGINESDIR="\"/usr/lib/x86_64-linux-gnu/engines-3\"" -DMODULESDIR="\"/usr/lib/x86_64-linux-gnu/ossl-modules\"" -DOPENSSL_BUILDING_OPENSSL -DZLIB -DZSTD -DNDEBUG -MMD -MF crypto/libfips-lib-provider_core.d.tmp -c -o crypto/libfips-lib-provider_core.o ../crypto/provider_core.c
make[1]: *** [Makefile:26840: crypto/libfips-lib-fips_mode.o] Error 1
make[1]: *** Waiting for unfinished jobs....
```
Step to reproduce:
1. Checkout the ubuntu/devel branch and apply the patches via `gbp pq import`
2. change debian/rules into enable-fips:
```
- enable-tfo enable-zstd enable-zlib no-fips enable-jitter
+ enable-tfo enable-zstd enable-zlib enable-fips enable-jitter
```
3. ./Configure openssl: `make -f debian/rules override_dh_auto_configure`
4. build: make -C build_shared all -j$(nproc)
5. get the error
Root cause:
In include/internal/thread_once.h, the DEFINE_RUN_ONCE_STATIC is
protected by `#if !defined(FIPS_MODULE) ||
defined(ALLOW_RUN_ONCE_IN_FIPS)`. enable-fips will be converted to
-DFIPS_MODULE by perl during build and skip the necessary macro
definition snippet.
Fix:
Change `#include "internal/thread_once.h"` in crypto/fips_mode.c into
```
#define ALLOW_RUN_ONCE_IN_FIPS
#include "internal/thread_once.h"
```
Result:
### Building `make -C build_shared all -j$(nproc)`
```
rm -f apps/openssl
${LDCMD:-gcc} -pthread -m64 -Wa,--noexecstack -Wall -fzero-call-used-regs=used-gpr -Wa,--noexecstack -Wall -O3 -L. \
-o apps/openssl \
apps/lib/openssl-bin-cmp_mock_srv.o \
apps/openssl-bin-asn1parse.o apps/openssl-bin-ca.o \
..
..
apps/openssl-bin-x509.o \
apps/libapps.a -lssl -lcrypto -l:libjitterentropy.a -lz -lzstd -ldl -pthread
make[1]: Leaving directory '/tmp/openssl/build_shared'
make: Leaving directory '/tmp/openssl/build_shared'
```
### Testing `make -C build_shared tests -j$(nproc)`
Only failed case:
```
04-test_auto_fips_mode.t ................ 1/?
Failed to activate "fips" provider.
Falling back to "default" provider.
Library will not be in FIPS mode.
# ERROR: (ptr) 'sha256 == NULL' failed @ ../test/fips_auto_enable_test.c:44
# 0x62813b644740
# C0632ED270700000:error:1C8000D5:Provider routines:SELF_TEST_post:missing config data:../providers/fips/self_test.c:359:
# C0632ED270700000:error:1C8000E0:Provider routines:ossl_set_error_state:fips module entering error state:../providers/fips/self_test.c:443:
# C0632ED270700000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../providers/fips/fipsprov.c:943:
# C0632ED270700000:error:078C0105:common libcrypto routines:provider_init:init fail:../crypto/provider_core.c:1055:name=fips
# OPENSSL_TEST_RAND_SEED=1774629820
not ok 1 - test_fips_auto
# ------------------------------------------------------------------------------
../../util/wrap.pl ../../test/fips_auto_enable_test -fips => 1
not ok 5 - running fips_auto_enable_test -fips
# ------------------------------------------------------------------------------
Failed to activate "fips" provider.
Falling back to "default" provider.
Library will not be in FIPS mode.
# ERROR: (ptr) 'sha256 == NULL' failed @ ../test/fips_auto_enable_test.c:44
# 0x5c163a489c60
# C06311DCF37F0000:error:1C8000D5:Provider routines:SELF_TEST_post:missing config data:../providers/fips/self_test.c:359:
# C06311DCF37F0000:error:1C8000E0:Provider routines:ossl_set_error_state:fips module entering error state:../providers/fips/self_test.c:443:
# C06311DCF37F0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../providers/fips/fipsprov.c:943:
# C06311DCF37F0000:error:078C0105:common libcrypto routines:provider_init:init fail:../crypto/provider_core.c:1055:name=fips
# OPENSSL_TEST_RAND_SEED=1774629820
not ok 1 - test_fips_auto
# ------------------------------------------------------------------------------
../../util/wrap.pl ../../test/fips_auto_enable_test -context -fips => 1
not ok 6 - running fips_auto_enable_test -context -fips
# ------------------------------------------------------------------------------
04-test_auto_fips_mode.t ................ Dubious, test returned 2 (wstat 512, 0x200)
Failed 2/7 subtests
```
As indicates by the error stack "missing config" is the cause. The
module-mac is known to not working under our building. (hardcoded
fipskey != runtime calculated mac)
** Affects: openssl (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2146582
Title:
'do_fips_lock_init' undeclared
Status in openssl package in Ubuntu:
New
Bug description:
Based on archive latest(5ebe7d27f81c9bbb8c0282e1206a8804afb2a29f)
openssl, change no-fips to enable-fips, the build will fail with the
following error:
```
../crypto/fips_mode.c:21:1: error: return type defaults to 'int' [-Wimplicit-int]
21 | DEFINE_RUN_ONCE_STATIC(do_fips_lock_init)
| ^~~~~~~~~~~~~~~~~~~~~~
../crypto/fips_mode.c: In function 'DEFINE_RUN_ONCE_STATIC':
../crypto/fips_mode.c:21:1: warning: old-style function definition [-Wold-style-definition]
../crypto/fips_mode.c:21:1: error: type of 'do_fips_lock_init' defaults to 'int' [-Wimplicit-int]
../crypto/fips_mode.c: In function 'ossl_fips_mode':
../crypto/fips_mode.c:31:8: error: implicit declaration of function 'RUN_ONCE' [-Wimplicit-function-declaration]
31 | if (!RUN_ONCE(&fips_lock_init, do_fips_lock_init))
| ^~~~~~~~
../crypto/fips_mode.c:31:34: error: 'do_fips_lock_init' undeclared (first use in this function); did you mean 'fips_lock_init'?
31 | if (!RUN_ONCE(&fips_lock_init, do_fips_lock_init))
| ^~~~~~~~~~~~~~~~~
| fips_lock_init
../crypto/fips_mode.c:31:34: note: each undeclared identifier is reported only once for each function it appears in
gcc -I. -Icrypto -Iinclude -Iproviders/implementations/include -Iproviders/common/include -Iproviders/fips/include -I.. -I../crypto -I../include -I../providers/implementations/include -I../providers/common/include -I../providers/fips/include -DAES_ASM -DBSAES_ASM -DECP_NISTZ256_ASM -DFIPS_MODULE -DGHASH_ASM -DKECCAK1600_ASM -DOPENSSL_BN_ASM_GF2m -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DVPAES_ASM -DX25519_ASM -fPIC -pthread -m64 -Wa,--noexecstack -Wall -fzero-call-used-regs=used-gpr -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/lib/ssl\"" -DENGINESDIR="\"/usr/lib/x86_64-linux-gnu/engines-3\"" -DMODULESDIR="\"/usr/lib/x86_64-linux-gnu/ossl-modules\"" -DOPENSSL_BUILDING_OPENSSL -DZLIB -DZSTD -DNDEBUG -MMD -MF crypto/libfips-lib-params_from_text.d.tmp -c -o crypto/libfips-lib-params_from_text.o ../crypto/params_from_text.c
../crypto/fips_mode.c: In function 'ossl_init_fips':
../crypto/fips_mode.c:48:36: error: 'do_fips_lock_init' undeclared (first use in this function); did you mean 'fips_lock_init'?
48 | if (!RUN_ONCE(&fips_lock_init, do_fips_lock_init))
| ^~~~~~~~~~~~~~~~~
| fips_lock_init
gcc -I. -Icrypto -Iinclude -Iproviders/implementations/include -Iproviders/common/include -Iproviders/fips/include -I.. -I../crypto -I../include -I../providers/implementations/include -I../providers/common/include -I../providers/fips/include -DAES_ASM -DBSAES_ASM -DECP_NISTZ256_ASM -DFIPS_MODULE -DGHASH_ASM -DKECCAK1600_ASM -DOPENSSL_BN_ASM_GF2m -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DVPAES_ASM -DX25519_ASM -fPIC -pthread -m64 -Wa,--noexecstack -Wall -fzero-call-used-regs=used-gpr -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/lib/ssl\"" -DENGINESDIR="\"/usr/lib/x86_64-linux-gnu/engines-3\"" -DMODULESDIR="\"/usr/lib/x86_64-linux-gnu/ossl-modules\"" -DOPENSSL_BUILDING_OPENSSL -DZLIB -DZSTD -DNDEBUG -MMD -MF crypto/libfips-lib-params_idx.d.tmp -c -o crypto/libfips-lib-params_idx.o crypto/params_idx.c
../crypto/fips_mode.c: In function 'ossl_set_fips':
../crypto/fips_mode.c:90:34: error: 'do_fips_lock_init' undeclared (first use in this function); did you mean 'fips_lock_init'?
90 | if (!RUN_ONCE(&fips_lock_init, do_fips_lock_init))
| ^~~~~~~~~~~~~~~~~
| fips_lock_init
gcc -I. -Icrypto -Iinclude -Iproviders/implementations/include -Iproviders/common/include -Iproviders/fips/include -I.. -I../crypto -I../include -I../providers/implementations/include -I../providers/common/include -I../providers/fips/include -DAES_ASM -DBSAES_ASM -DECP_NISTZ256_ASM -DFIPS_MODULE -DGHASH_ASM -DKECCAK1600_ASM -DOPENSSL_BN_ASM_GF2m -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DVPAES_ASM -DX25519_ASM -fPIC -pthread -m64 -Wa,--noexecstack -Wall -fzero-call-used-regs=used-gpr -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/lib/ssl\"" -DENGINESDIR="\"/usr/lib/x86_64-linux-gnu/engines-3\"" -DMODULESDIR="\"/usr/lib/x86_64-linux-gnu/ossl-modules\"" -DOPENSSL_BUILDING_OPENSSL -DZLIB -DZSTD -DNDEBUG -MMD -MF crypto/libfips-lib-provider_core.d.tmp -c -o crypto/libfips-lib-provider_core.o ../crypto/provider_core.c
make[1]: *** [Makefile:26840: crypto/libfips-lib-fips_mode.o] Error 1
make[1]: *** Waiting for unfinished jobs....
```
Step to reproduce:
1. Checkout the ubuntu/devel branch and apply the patches via `gbp pq import`
2. change debian/rules into enable-fips:
```
- enable-tfo enable-zstd enable-zlib no-fips enable-jitter
+ enable-tfo enable-zstd enable-zlib enable-fips enable-jitter
```
3. ./Configure openssl: `make -f debian/rules override_dh_auto_configure`
4. build: make -C build_shared all -j$(nproc)
5. get the error
Root cause:
In include/internal/thread_once.h, the DEFINE_RUN_ONCE_STATIC is
protected by `#if !defined(FIPS_MODULE) ||
defined(ALLOW_RUN_ONCE_IN_FIPS)`. enable-fips will be converted to
-DFIPS_MODULE by perl during build and skip the necessary macro
definition snippet.
Fix:
Change `#include "internal/thread_once.h"` in crypto/fips_mode.c into
```
#define ALLOW_RUN_ONCE_IN_FIPS
#include "internal/thread_once.h"
```
Result:
### Building `make -C build_shared all -j$(nproc)`
```
rm -f apps/openssl
${LDCMD:-gcc} -pthread -m64 -Wa,--noexecstack -Wall -fzero-call-used-regs=used-gpr -Wa,--noexecstack -Wall -O3 -L. \
-o apps/openssl \
apps/lib/openssl-bin-cmp_mock_srv.o \
apps/openssl-bin-asn1parse.o apps/openssl-bin-ca.o \
..
..
apps/openssl-bin-x509.o \
apps/libapps.a -lssl -lcrypto -l:libjitterentropy.a -lz -lzstd -ldl -pthread
make[1]: Leaving directory '/tmp/openssl/build_shared'
make: Leaving directory '/tmp/openssl/build_shared'
```
### Testing `make -C build_shared tests -j$(nproc)`
Only failed case:
```
04-test_auto_fips_mode.t ................ 1/?
Failed to activate "fips" provider.
Falling back to "default" provider.
Library will not be in FIPS mode.
# ERROR: (ptr) 'sha256 == NULL' failed @ ../test/fips_auto_enable_test.c:44
# 0x62813b644740
# C0632ED270700000:error:1C8000D5:Provider routines:SELF_TEST_post:missing config data:../providers/fips/self_test.c:359:
# C0632ED270700000:error:1C8000E0:Provider routines:ossl_set_error_state:fips module entering error state:../providers/fips/self_test.c:443:
# C0632ED270700000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../providers/fips/fipsprov.c:943:
# C0632ED270700000:error:078C0105:common libcrypto routines:provider_init:init fail:../crypto/provider_core.c:1055:name=fips
# OPENSSL_TEST_RAND_SEED=1774629820
not ok 1 - test_fips_auto
# ------------------------------------------------------------------------------
../../util/wrap.pl ../../test/fips_auto_enable_test -fips => 1
not ok 5 - running fips_auto_enable_test -fips
# ------------------------------------------------------------------------------
Failed to activate "fips" provider.
Falling back to "default" provider.
Library will not be in FIPS mode.
# ERROR: (ptr) 'sha256 == NULL' failed @ ../test/fips_auto_enable_test.c:44
# 0x5c163a489c60
# C06311DCF37F0000:error:1C8000D5:Provider routines:SELF_TEST_post:missing config data:../providers/fips/self_test.c:359:
# C06311DCF37F0000:error:1C8000E0:Provider routines:ossl_set_error_state:fips module entering error state:../providers/fips/self_test.c:443:
# C06311DCF37F0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../providers/fips/fipsprov.c:943:
# C06311DCF37F0000:error:078C0105:common libcrypto routines:provider_init:init fail:../crypto/provider_core.c:1055:name=fips
# OPENSSL_TEST_RAND_SEED=1774629820
not ok 1 - test_fips_auto
# ------------------------------------------------------------------------------
../../util/wrap.pl ../../test/fips_auto_enable_test -context -fips => 1
not ok 6 - running fips_auto_enable_test -context -fips
# ------------------------------------------------------------------------------
04-test_auto_fips_mode.t ................ Dubious, test returned 2 (wstat 512, 0x200)
Failed 2/7 subtests
```
As indicates by the error stack "missing config" is the cause. The
module-mac is known to not working under our building. (hardcoded
fipskey != runtime calculated mac)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2146582/+subscriptions
More information about the foundations-bugs
mailing list