So, I am trying to create a shared object to implement some functionality in 
libpam.  It has dependencies on a number of dynamic objects, but I am trying to 
include statically linked copies of libcrypto and libssl. These are coming 
from a FIPS capable version of OpenSSL (1.0.1) built and tested with a FIPS 
canister (2.0.9) that I created using the instructions in the Security Policy / 
User Guide.

This is in Debian Linux, using gcc.  I've created standalone executables this 
way, but cannot get past the fipsld link step while creating a shared object.   
After the first link (which succeeds just fine), when fipsld tries to execute 
the DSO, there is a segmentation violation:
Program received signal SIGSEGV, Segmentation fault.
0x000055555561d1b9 in do_drbg_init ()
(gdb) where
#0  0x000055555561d1b9 in do_drbg_init ()
#1  0x00005555555da14e in do_drbg_instantiate ()

The Makefile looks like this:
# make CC=/usr/local/ssl/fips-2.0/bin/fipsld FIPSLD_CC=gcc
INSTALL=/usr/bin/install
CC=/usr/local/ssl/fips-2.0/bin/fipsld
FIPSLD_CC=gcc
DEBUG=-ggdb -DDEBUG_FINGERPRINT_PREMAIN
LIB = -L/usr/local/ssl/lib
LIBS = -lpam -lcrypt -lstdc++ -ldl
#LIBS = -lpam -lcrypt -lstdc++ -ldl /usr/local/ssl/fips-2.0/lib/fipscanister.o
INC = -I /usr/local/ssl/include -I ../../..
CFLAGS=-DFIPS_SSL -fPIC
ARCS = -Wl,-Bstatic -lssl -lcrypto -Wl,-Bdynamic

all: pam_sp_auth.so

pam_sp_auth.so: pam_sp_auth.o ../../../tpdpass.o ../../../tpd_pwd_cli.o
        $(CC) ${DEBUG} ${INC} ${CFLAGS} ${LIB} ${LDFLAGS} -shared -o pam_sp_auth.so \
                ${LIBS} pam_sp_auth.o ../../../tpdpass.o \
                ../../../tpd_pwd_cli.o ${ARCS}

pam_sp_auth.o: pam_sp_auth.c ../../../tpdpass.h
        ${FIPSLD_CC} ${DEBUG} ${INC} ${CFLAGS} -c -o pam_sp_auth.o pam_sp_auth.c

clobber:
        rm -f pam_sp_auth.so pam_sp_auth.o


It is invoked with:
make CC=/usr/local/ssl/fips-2.0/bin/fipsld FIPSLD_CC=gcc
To make certain that it was not related to the static linkage, I reworked the 
make to link everything dynamically and I still hit the same issue.   Thoughts? 
  Thanks

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
