[openssl-users] Problem building Linux shared library with static FIPS capable OpenSSL

Dr. Stephen Henson steve at openssl.org
Tue May 2 02:16:24 UTC 2017


On Mon, May 01, 2017, Nathan Glasser wrote:

> Hello,
> 
> We are using openssl-fips 2.0.14 with OpenSSL 1.0.2j.
> 
> We have a shared library on both Linux and Windows which uses static OpenSSL
> libraries. We'd like it to use static FIPS-capable OpenSSL libraries.
> 
> On Windows, everything is fine. On Linux, I have a problem. I am
> doing my tests on RedHat 6.0.
> 
> I am able to make standalone executables just fine, but shared library (.so)
> building does not work. I am linking using the supplied fipsld script.
> 
> The script gets error 139, which means a segmentation fault. Modifying
> the fipsld script to uncomment the "set -x" at the top shows me that
> the following is where the segmentation fault is occurring.
> 
> 	# generate signature...
> 	SIG=`"${TARGET}"`
> 
> It is attempting to run ${TARGET}, which is the .so file that has just been
> generated in the first link step. (It's not surprising to me that this results
> in a segmentation fault.) If I run the file which is left after the building
> aborts, I also get a segmentation fault.
> 
> I can see that there is another case - when the filename matches
> lib*|*.dll, which it does not.
> 
> If I try renaming the target to have "lib" at the start of the name,
> then when it runs this part
> 
> 	# generate signature...
> 	SIG=`"${PREMAIN_DSO}" "${TARGET}"`
> 
> it fails because there is no fips_premain_dso program. Nor can I find
> this anywhere in the openssl-fips or openssl packages. Should this have
> gotten built automatically in an earlier step?
> 
> I created a simplified test which consists of the fips_hmac sample (included
> in the OpenSSL FIPS 2.0 manual), with main renamed to something else.
> 
> Can someone on this list please point me in the right direction for
> getting this to work? Thanks. Below are my makefile and build log.
> 

Try a shared build of the FIPS capable OpenSSL. You should then get
fips_premain_dso built as part of that process. Alternatively just do:

	make fips_premain_dso

The fips_premain_dso executable isn't anything special: all it does is load
the library. It should then print out the signature which can then be embedded
for the second link step.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
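
A preflight check for the situation in this thread, added here as an example (it is not part of the original messages or of the fipsld script): it predicts which signature step fipsld will take for a given target name and fails early if that step cannot work. The function names, return codes, matching on the basename, and the `.so` suffix test are assumptions; only the `lib*|*.dll` pattern and the two `SIG=` forms come from the messages above.

```shell
#!/bin/sh
# Added example: predict how fipsld will obtain the signature for TARGET.
# Only the two patterns quoted in the thread (lib*|*.dll) are modelled;
# matching on the basename is an assumption.
fipsld_sign_mode() {
    case "$(basename "$1")" in
        lib*|*.dll) echo premain_dso ;;   # signature printed by PREMAIN_DSO TARGET
        *)          echo direct ;;        # signature printed by running TARGET
    esac
}

# fipsld_preflight TARGET PREMAIN_DSO
# Returns 0 if the signature step can run, 2 if fips_premain_dso is missing,
# 3 if a shared object would be executed directly.
fipsld_preflight() {
    pf_target=$1
    pf_premain=$2
    case "$(fipsld_sign_mode "$pf_target")" in
        premain_dso)
            if [ ! -x "$pf_premain" ]; then
                echo "fips_premain_dso not found at '$pf_premain';" \
                     "build it with 'make fips_premain_dso'" >&2
                return 2
            fi
            ;;
        direct)
            # Treating *.so / *.so.* as "shared object" is an assumption.
            case "$pf_target" in
                *.so|*.so.*)
                    echo "'$pf_target' does not match lib*|*.dll, so fipsld" \
                         "would execute the shared object itself;" \
                         "rename it to lib<name>.so" >&2
                    return 3
                    ;;
            esac
            ;;
    esac
    return 0
}
```

Call `fipsld_preflight "$TARGET" /path/to/fips_premain_dso` before the link step, where the second argument is wherever your build placed the executable.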

