[openssl-users] Problem building Linux shared library with static FIPS capable OpenSSL
Dr. Stephen Henson
steve at openssl.org
Tue May 2 02:16:24 UTC 2017
On Mon, May 01, 2017, Nathan Glasser wrote:
> Hello,
>
> We are using openssl-fips 2.0.14 with OpenSSL 1.0.2j.
>
> We have a shared library on both Linux and Windows which uses static OpenSSL
> libraries. We'd like it to use static FIPS-capable OpenSSL libraries.
>
> On Windows, everything is fine. On Linux, I have a problem. I am
> doing my tests on RedHat 6.0.
>
> I am able to make standalone executables just fine, but shared library (.so)
> building does not work. I am linking using supplied the fipsld script.
>
> The script gets error 139, which means a segmentation fault. Modifying
> the fipsld script to uncomment the "set -x" at the top shows me that
> the following is where the segmentation fault is occurring.
>
> # generate signature...
> SIG=`"${TARGET}"`
>
> It is attempting to run ${TARGET}, which is the .so file that has just been
> generated in the first link step. (It's not suprising to me that this results
> in a segmentation fault.) If I run the file which is left after the building
> aborts, I also get a segmentation fault.
>
> I can see that there is another case - when the filename matches
> lib*|*.dll, which it does not.
>
> If I try renaming the target to have "lib" at the start of the name,
> then when it runs this part
>
> # generate signature...
> SIG=`"${PREMAIN_DSO}" "${TARGET}"`
>
> it fails because there is no fips_premain_dso program. Nor can I find
> this anywhere in the openssl-fips or openssl packages. Should this have
> gotten built automatically in an earlier step?
>
> I created a simplified test which consists of the fips_hmac sample (included
> in the OpenSSL Fips 2.0 manual), with main renamed to something else.
>
> Can someone on this list please point me in the right direction for
> getting this to work? Thanks. Below are my makefile and build log.
>
Try a shared build of the FIPS capable OpenSSL. You should then get
fips_premain_dso built as part of that process. Alternatively just do:
make fips_premain_dso
The fips_premain_dso executable isn't anything special: all it does is load
the library. It should then print out the signature which can then be embedded
for the second link step.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
More information about the openssl-users
mailing list