[openssl-users] Question about using fipsld for shared objects

Heberlein, Kurt William kurt.w.heberlein at hp.com
Wed Jun 3 19:59:17 UTC 2015 

So, I am trying to create a shared object to implement some functionality in libpam.  It has dependencies on a number of dynamic objects, but I am trying to include statically linked copies of libcrypto and libssl.   These are coming from a FIPS capable version of OpenSSL (1.0.1)built and tested with a FIPS canister (2.0.9) that I created using the instructions in the Security Policy / User Guide.

This is in Debian Linux, using gcc.  I've created standalone executables this way, but cannot get past the fipsld link step while creating a shared object.   After the first link (which succeeds just fine), when fipsld tries to execute the DSO, there is a segmentation violation:
Program received signal SIGSEGV, Segmentation fault.
0x000055555561d1b9 in do_drbg_init ()
(gdb) where
#0  0x000055555561d1b9 in do_drbg_init ()
#1  0x00005555555da14e in do_drbg_instantiate ()

The Makefile looks like this:
# make CC=/usr/local/ssl/fips-2.0/bin/fipsld FIPSLD_CC=gcc
INSTALL=/usr/bin/install
CC=/usr/local/ssl/fips-2.0/bin/fipsld
FIPSLD_CC=gcc
DEBUG=-ggdb -DDEBUG_FINGERPRINT_PREMAIN
LIB = -L/usr/local/ssl/lib
LIBS = -lpam -lcrypt -lstdc++ -ldl
#LIBS = -lpam -lcrypt -lstdc++ -ldl /usr/local/ssl/fips-2.0/lib/fipscanister.o
INC = -I /usr/local/ssl/include -I ../../..
CFLAGS=-DFIPS_SSL -fPIC
ARCS = -Wl,-Bstatic -lssl -lcrypto -Wl,-Bdynamic

all: pam_sp_auth.so

pam_sp_auth.so: pam_sp_auth.o ../../../tpdpass.o ../../../tpd_pwd_cli.o
        $(CC) ${DEBUG} ${INC} ${CFLAGS} ${LIB} ${LDFLAGS} -shared -o pam_sp_auth.so ${LIBS} pam_sp_auth.o ../../../tpdpass.o \
                ../../../tpd_pwd_cli.o ${ARCS}

pam_sp_auth.o: pam_sp_auth.c ../../../tpdpass.h
        ${FIPSLD_CC} ${DEBUG} ${INC} ${CFLAGS} -c -o pam_sp_auth.o pam_sp_auth.c

clobber:
        rm -f pam_sp_auth.so pam_sp_auth.o


It is invoked with:
make CC=/usr/local/ssl/fips-2.0/bin/fipsld FIPSLD_CC=gcc
To make certain that it was not related to the static linkage, I reworked the make to link everything dynamically and I still hit the same issue.   Thoughts?   Thanks

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150603/c49dc566/attachment-0001.html>

More information about the openssl-users mailing list