[openssl-users] Problem building Linux shared library with static FIPS capable OpenSSL

Dr. Stephen Henson steve at openssl.org
Tue May 2 02:16:24 UTC 2017

On Mon, May 01, 2017, Nathan Glasser wrote:

> Hello,
> We are using openssl-fips 2.0.14 with OpenSSL 1.0.2j.
> We have a shared library on both Linux and Windows which uses static OpenSSL
> libraries. We'd like it to use static FIPS-capable OpenSSL libraries.
> On Windows, everything is fine. On Linux, I have a problem. I am
> doing my tests on RedHat 6.0.
> I am able to make standalone executables just fine, but shared library (.so)
> building does not work. I am linking using supplied the fipsld script.
> The script gets error 139, which means a segmentation fault. Modifying
> the fipsld script to uncomment the "set -x" at the top shows me that
> the following is where the segmentation fault is occurring.
> 	# generate signature...
> 	SIG=`"${TARGET}"`
> It is attempting to run ${TARGET}, which is the .so file that has just been
> generated in the first link step. (It's not suprising to me that this results
> in a segmentation fault.) If I run the file which is left after the building
> aborts, I also get a segmentation fault.
> I can see that there is another case - when the filename matches
> lib*|*.dll, which it does not.
> If I try renaming the target to have "lib" at the start of the name,
> then when it runs this part
> 	# generate signature...
> it fails because there is no fips_premain_dso program. Nor can I find
> this anywhere in the openssl-fips or openssl packages. Should this have
> gotten built automatically in an earlier step?
> I created a simplified test which consists of the fips_hmac sample (included
> in the OpenSSL Fips 2.0 manual), with main renamed to something else.
> Can someone on this list please point me in the right direction for
> getting this to work? Thanks. Below are my makefile and build log.

Try a shared build of the FIPS capable OpenSSL. You should then get
fips_premain_dso built as part of that process. Alternatively just do:

	make fips_premain_dso

The fips_premain_dso executable isn't anything special: all it does is load
the library. It should then print out the signature which can then be embedded
for the second link step.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

More information about the openssl-users mailing list