I am having issues with FIPS_mode() in a shared library on FreeBSD 9.1. I have read and reread the "OpenSSL FIPS User Guide". I am sure I am following the steps correctly. If I link statically with 'fipsld', FIPS_mode() works correctly. As a sanity check, I tried the same OpenSSL-with-FIPS build process on both NetBSD 6.0.1 and Ubuntu 12.10. NetBSD failed and Ubuntu worked. Has anyone been able to get FIPS mode to work with shared OpenSSL libraries on any of the BSDs?
My test is:

1) Install openssl-fips-2.0.2 to ~/src
   a) Download openssl-fips-2.0.2.tar.gz
   b) cd ~/src
   c) tar -xfz openssl-fips-2.0.2.tar.gz
   d) cd openssl-fips-2.0.2
   e) ./config
   f) make
   g) sudo make install

2) Install openssl-1.0.1e
   a) Download openssl-1.0.1e.tar.gz
   b) cd ~/src
   c) tar -xfz openssl-1.0.1e.tar.gz
   d) cd openssl-1.0.1e
   e) ./config fips shared
   f) make depend
   g) make

3) Build test program using shared libraries (attached)
   a) cd src/fips
   b) cc -I../openssl-1.0.1e/include fips.c -L../openssl-1.0.1e -lcrypto -o fips
   c) export LD_LIBRARY_PATH=../openssl-1.0.1e
   d) ./fips

   Output:

   Enabling FIPS MODE: failed

   Perhaps openssl not built with fips support?

   34376208808:error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match:fips.c:232:

4) Build test program using static libraries
   a) cd src/fips
   b) PATH=/usr/local/ssl/fips-2.0/bin:$PATH
   c) export FIPSLD_CC=cc
   d) fipsld -I../openssl-1.0.1e/include fips.c -L../openssl-1.0.1e -lcrypto -o fips -static
   e) ./fips

   Output:

   Enabling FIPS MODE: successful

In case attachment gets stripped, fips.c src is:

   #include <stdio.h>
   #include <stdlib.h>   /* exit() */
   #include <string.h>
   #include <openssl/err.h>
   #include <openssl/crypto.h>

   int main(int argc, char *argv[])
   {
       /* Setting up FIPS MODE: report if already on, otherwise try to enable it. */
       if (FIPS_mode()) {
           printf("FIPS MODE is already enabled\n");
       } else {
           printf("Enabling FIPS MODE: ");
           if (FIPS_mode_set(2)) {
               printf("successful\n");
           } else {
               /* FIPS_mode_set() failed; dump the OpenSSL error queue for the reason. */
               printf("failed\n");
               printf("\nPerhaps openssl not built with fips support?\n\n");
               ERR_load_crypto_strings();
               ERR_print_errors_fp(stderr);
               exit(1);
           }
       }
       exit(0);
   }

-- 
------------------------------------------------------------------------
Larry Baird
Global Technology Associates, Inc. 1992-2012 | http://www.gta.com
Celebrating Twenty Years of Software Innovation | Orlando, FL
Email: l...@gta.com | TEL 407-380-0220