Found my own answer on an earlier thread. You need the option "-Wl,-Bsymbolic" to link a shared library (that has statically linked ssl-fips) correctly.
On Mon, Sep 10, 2012 at 5:43 PM, Jason Todd <ja...@bluntstick.com> wrote:
> So I can build a fips compliant executable and turn fips on/off (this is
> on linux).
>
> But when I try to statically link the fips enabled openssl into a shared
> object, the signature that it generates at runtime gets hosed.
>
> For example, here is my library:
>
> #include "FIPSTest.h"
> #include <stdio.h>
> #include <stdlib.h>   /* exit() */
> #include <string.h>
> #include <openssl/err.h>
> #include <openssl/crypto.h>
> #include <openssl/evp.h>
> #include <openssl/fips.h>
>
> /* Symbols exported by the FIPS object module (fipscanister.o). */
> extern const void *FIPS_text_start(), *FIPS_text_end();
> extern const unsigned char FIPS_rodata_start[], FIPS_rodata_end[];
> extern unsigned char FIPS_signature[20];
> extern unsigned int FIPS_incore_fingerprint(unsigned char *, unsigned int);
>
> void doFipsTest() {
>     unsigned char sig[EVP_MAX_MD_SIZE];
>     unsigned int len;
>     unsigned int i;
>
>     /* Recompute the fingerprint over the module's .text and .rodata at runtime. */
>     len = FIPS_incore_fingerprint(sig, sizeof(sig));
>
>     printf("FIPS_witness::%u\n", len);
>     printf("current FIPS_MODE: %d\n", FIPS_mode());
>
>     printf(".text:%p+%d=%p\n", FIPS_text_start(),
>            (int)((size_t)FIPS_text_end() - (size_t)FIPS_text_start()),
>            FIPS_text_end());
>     printf(".rodata:%p+%d=%p\n", FIPS_rodata_start,
>            (int)((size_t)FIPS_rodata_end - (size_t)FIPS_rodata_start),
>            FIPS_rodata_end);
>
>     printf("sig:");
>     for (i = 0; i < len; i++) {
>         printf("%02x", sig[i]);
>     }
>     printf("\n");
>
>     /* FIPS_signature is a raw 20-byte digest embedded at link time, not a
>        NUL-terminated string, so walk its size rather than strlen(). */
>     printf("fips_sig:");
>     for (i = 0; i < sizeof(FIPS_signature); i++) {
>         printf("%02x", FIPS_signature[i]);
>     }
>     printf("\n");
>
>     /* Entering FIPS mode runs the integrity self-test that compares the two. */
>     int ret = FIPS_mode_set(1);
>     if (ret) {
>         printf("FIPS_MODE_set: passed : %d\n", FIPS_mode());
>     } else {
>         printf("FIPS_MODE_set: failed: %d\n", FIPS_mode());
>         ERR_load_crypto_strings();
>         ERR_print_errors_fp(stderr);
>         exit(1);
>     }
>
>     fprintf(stderr, "current FIPS_MODE: %d\n", FIPS_mode());
> }
>
> That compiles into a shared library:
>
> FIPSLIBDIR=/usr/local/ssl/fips-2.0/lib FIPSLD_CC=gcc fipsld -o \
>     libblahtest.so FIPSTest.c -fPIC -shared -I../target/include/ \
>     -L../target/lib -lcrypto -ldl
>
> And then link that to just a shell main that calls the test:
>
> gcc -o libTest main.c -lblahtest -L.
>
> But the signatures don't match during runtime:
>
> 3086362252:error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match:fips.c:229:
> FIPS_witness::20
> current FIPS_MODE: 0
> .text:0x461c84+323712=0x4b0d04
> .rodata:0x551d60+54144=0x55f0e0
> sig:75f0a9bf86f62839419e238afcee6e3e11f6de20
> fips_sig:063541af4498ccf10d68cdd24d285c2cc4019207
> FIPS_MODE_set: failed: 0
>
> However if I collapse that into just one executable, it will work.
>
> Any ideas?