[openssl-users] Question about using fipsld for shared objects
Heberlein, Kurt William
kurt.w.heberlein at hp.com
Wed Jun 3 19:59:17 UTC 2015
So, I am trying to create a shared object to implement some functionality in libpam. It has dependencies on a number of dynamic objects, but I am trying to include statically linked copies of libcrypto and libssl. These are coming from a FIPS capable version of OpenSSL (1.0.1) built and tested with a FIPS canister (2.0.9) that I created using the instructions in the Security Policy / User Guide.
This is in Debian Linux, using gcc. I've created standalone executables this way, but cannot get past the fipsld link step while creating a shared object. After the first link (which succeeds just fine), when fipsld tries to execute the DSO, there is a segmentation violation:
Program received signal SIGSEGV, Segmentation fault.
0x000055555561d1b9 in do_drbg_init ()
(gdb) where
#0 0x000055555561d1b9 in do_drbg_init ()
#1 0x00005555555da14e in do_drbg_instantiate ()
The Makefile looks like this:

# make CC=/usr/local/ssl/fips-2.0/bin/fipsld FIPSLD_CC=gcc
INSTALL=/usr/bin/install
CC=/usr/local/ssl/fips-2.0/bin/fipsld
FIPSLD_CC=gcc
DEBUG=-ggdb -DDEBUG_FINGERPRINT_PREMAIN
LIB = -L/usr/local/ssl/lib
LIBS = -lpam -lcrypt -lstdc++ -ldl
#LIBS = -lpam -lcrypt -lstdc++ -ldl /usr/local/ssl/fips-2.0/lib/fipscanister.o
INC = -I /usr/local/ssl/include -I ../../..
CFLAGS=-DFIPS_SSL -fPIC
ARCS = -Wl,-Bstatic -lssl -lcrypto -Wl,-Bdynamic

all: pam_sp_auth.so

pam_sp_auth.so: pam_sp_auth.o ../../../tpdpass.o ../../../tpd_pwd_cli.o
	$(CC) ${DEBUG} ${INC} ${CFLAGS} ${LIB} ${LDFLAGS} -shared -o pam_sp_auth.so ${LIBS} pam_sp_auth.o ../../../tpdpass.o \
		../../../tpd_pwd_cli.o ${ARCS}

pam_sp_auth.o: pam_sp_auth.c ../../../tpdpass.h
	${FIPSLD_CC} ${DEBUG} ${INC} ${CFLAGS} -c -o pam_sp_auth.o pam_sp_auth.c

clobber:
	rm -f pam_sp_auth.so pam_sp_auth.o

It is invoked with:
make CC=/usr/local/ssl/fips-2.0/bin/fipsld FIPSLD_CC=gcc
To make certain that it was not related to the static linkage, I reworked the make to link everything dynamically and I still hit the same issue. Thoughts? Thanks