Found my own answer on an earlier thread. You need the option "-Wl,-Bsymbolic"
to link a shared library (that has statically linked ssl-fips) correctly: it binds the library's references to its own FIPS symbols at link time, so the runtime fingerprint is computed over the same code fipsld signed.
On Mon, Sep 10, 2012 at 5:43 PM, Jason Todd <ja...@bluntstick.com> wrote:
> So I can build a fips compliant executable and turn fips on/off (this is
> on linux).
>
> But when I try to statically link the fips enabled openssl into a shared
> object, the signature that it generates at runtime gets hosed.
>
> For example, here is my library:
>
>
>
#include "FIPSTest.h"
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/fips.h>
>
>
>
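/*
 * Symbols resolved from the FIPS module at the fipsld link step (see the
 * build line below): the bounds of its .text and .rodata, the 20-byte
 * signature embedded at link time, and the routine that recomputes the
 * fingerprint over the image as it is mapped at run time.
 *
 * FIPS_signature is a raw digest, not a NUL-terminated string.
 */
extern const void *FIPS_text_start(void), *FIPS_text_end(void);
extern const unsigned char FIPS_rodata_start[], FIPS_rodata_end[];
extern unsigned char FIPS_signature[20];
extern unsigned int FIPS_incore_fingerprint(unsigned char *, unsigned int);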
>
>
>
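/*
 * Print the FIPS module's run-time in-core fingerprint next to the
 * signature fipsld embedded at link time, then try to enter FIPS mode.
 * Both digests are dumped as hex so a "fingerprint does not match"
 * failure can be compared by eye.
 *
 * On FIPS_mode_set() failure the OpenSSL error queue is written to
 * stderr and the process exits with status 1 (original behaviour).
 */
void doFipsTest(void) {
    unsigned char sig[EVP_MAX_MD_SIZE];
    unsigned int len;
    unsigned int i;

    /* Digest of the .text/.rodata ranges as they are mapped right now. */
    len = FIPS_incore_fingerprint(sig, sizeof(sig));

    printf("FIPS_witness::%u\n", len);
    /* The (long) casts keep %ld valid whatever integer type FIPS_mode()
     * returns. */
    printf("current FIPS_MODE: %ld\n", (long)FIPS_mode());

    /* uintptr_t, not size_t, is the type meant for pointer arithmetic
     * across two unrelated addresses. */
    size_t text_len = (size_t)((uintptr_t)FIPS_text_end() -
                               (uintptr_t)FIPS_text_start());
    size_t rodata_len = (size_t)((uintptr_t)FIPS_rodata_end -
                                 (uintptr_t)FIPS_rodata_start);
    printf(".text:%p+%zu=%p\n", (const void *)FIPS_text_start(), text_len,
           (const void *)FIPS_text_end());
    printf(".rodata:%p+%zu=%p\n", (const void *)FIPS_rodata_start, rodata_len,
           (const void *)FIPS_rodata_end);

    printf("sig:");
    for (i = 0; i < len; i++) {
        printf("%02x", sig[i]);
    }
    printf("\n");

    /*
     * FIPS_signature is a raw 20-byte digest, not a C string: it may
     * contain a 0x00 byte and carries no terminator, so strlen() on it
     * would either truncate the dump or read past the array.  Use the
     * declared size instead.
     */
    printf("fips_sig:");
    for (i = 0; i < sizeof(FIPS_signature); i++) {
        printf("%02x", FIPS_signature[i]);
    }
    printf("\n");

    long ret = FIPS_mode_set(1);
    if (ret) {
        printf("FIPS_MODE_set: passed : %ld\n", (long)FIPS_mode());
    } else {
        printf("FIPS_MODE_set: failed: %ld\n", (long)FIPS_mode());
        ERR_load_crypto_strings();
        ERR_print_errors_fp(stderr);
        /* NOTE: exiting from library code terminates the host process;
         * kept because this is a test hook and callers expect it. */
        exit(1);
    }

    fprintf(stderr, "current FIPS_MODE: %ld\n", (long)FIPS_mode());
}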
>
>
> That compiles into a shared library:
> FIPSLIBDIR=/usr/local/ssl/fips-2.0/lib FIPSLD_CC=gcc fipsld -o
> libblahtest.so FIPSTest.c -fPIC -shared -I../target/include/
> -L../target/lib -lcrypto -ldl
>
> And then link that to just a shell main that calls the test:
>
> gcc -o libTest main.c -lblahtest -L.
>
>
> But the signatures don't match during runtime:
>
> 3086362252:error:2D06B06F:FIPS
> routines:FIPS_check_incore_fingerprint:fingerprint does not
> match:fips.c:229:
> FIPS_witness::20
> current FIPS_MODE: 0
> .text:0x461c84+323712=0x4b0d04
> .rodata:0x551d60+54144=0x55f0e0
> sig:75f0a9bf86f62839419e238afcee6e3e11f6de20
> fips_sig:063541af4498ccf10d68cdd24d285c2cc4019207
> FIPS_MODE_set: failed: 0
>
>
> However, if I collapse that into just one executable, it works.
>
>
> Any ideas?
>
>
>
>
>
>
>
>
>
>