Would you elaborate on what is meant by 'strict binding', please?

I have tried compiling with '-z now', I have tried RTLD_LAZY and
RTLD_NOW as flags to dlopen, and the env var LD_BIND_NOW also had
no effect. I have reproduced the same issue of the shared lib
failing on both x86 and mips.

Has anyone created and used a shared library?

-Matt Bancroft

> -----Original Message-----
> From: owner-openssl-us...@openssl.org 
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Kyle Hamilton
> Sent: 18 January 2010 20:43
> To: openssl-users
> Subject: Re: FIPS linked as a shared library
> 
> The way that the FIPS module verifies its signature is that it forces
> itself to load (via a pre-main() section) and then calculate the
> checksum of the image in-core.  Probably the reason why you're running
> into issues is because of the fixup step of the dynamic linker.
> 
> If you expect to use FIPS, you should link it as a hard dependency
> (also known as 'strict binding', as opposed to 'lazy binding') so that
> it can be loaded as early as possible, to minimize the chances of the
> linker needing to run fixups after application-code memory allocation.
>  As you've found, the image in-core *must* match the original image
> in-core when the signature was generated, and the linker changes the
> pointers of where things are located when it has to.
> 
> -Kyle H
> 
> On Mon, Jan 18, 2010 at 2:48 AM, Bancroft, Matthew
> <matt.bancr...@siemens-enterprise.com> wrote:
> > Hello,
> >
> > I have generated the fipscanister.o and all associated files as
> > described in the user guide. All the checks ran ok. I have created
> > an application using the fipscanister.o which works fine. When I
> > create the shared library the run time check called when
> > FIPS_mode_set() is called fails. I have found that depending on
> > where I am loading the library in my code the signature generated
> > is different.
> >
> > Hence my question: is it really possible to create a shared
> > library, and not an application, using the FIPS module?
> >
> > The make file for the shared lib looks like this:
> >
> > CC = gcc
> > LIBOBJS= $(BIN)/fipsShared.o
> >
> > libfipsShared.so: fipsShared.o
> >  FIPSLD_CC=$(CC) /openssl-fips-1.2/fips/fipsld -shared -o $@ $^ -DDEBUG_FINGERPRINT_PREMAIN /openssl-fips-1.2/libcrypto.a
> >
> > The build platform is a native MIPS, gcc-3.4.4, make 3.81,
> > uclibc.0.9.28.
> >
> > Regards,
> >
> > Matt Bancroft
> >
> > matt.bancr...@siemens-enterprise.com
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
> ______________________________________________________________________
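
A simplified model of the effect Kyle describes in the thread above, as an added example that is not code from the thread or from OpenSSL: a digest taken over the in-memory image changes with the load address whenever the loader patches pointers inside the hashed range. The image words, relocation sites and load bases are constructed, and FNV-1a stands in for the module's real integrity digest.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_WORDS 8
/* Constructed stand-in for a module's code as linked at base 0. Words 2 and 5
 * hold absolute addresses, so the loader must patch them (text relocations). */
static const uint32_t linked_image[IMG_WORDS] = {
    0x27bdffe0, 0xafbf001c, 0x00001000, 0x0320f809,
    0x8fbf001c, 0x00001040, 0x03e00008, 0x27bd0020 };
static const size_t reloc_sites[] = { 2, 5 };

/* FNV-1a: a stand-in for the module's real integrity digest (assumption). */
static uint64_t digest(const void *p, size_t n) {
    const unsigned char *b = p;
    uint64_t h = 1469598103934665603ULL;
    while (n--) { h ^= *b++; h *= 1099511628211ULL; }
    return h;
}

/* Digest of the image as it sits in memory after loading at `base`.
 * patch_text != 0 models a loader fixup inside the hashed range. */
uint64_t incore_fingerprint(uint32_t base, int patch_text) {
    uint32_t mem[IMG_WORDS];
    memcpy(mem, linked_image, sizeof mem);
    if (patch_text)
        for (size_t i = 0; i < sizeof reloc_sites / sizeof *reloc_sites; i++)
            mem[reloc_sites[i]] += base;   /* the linker "changes the pointers" */
    return digest(mem, sizeof mem);
}

int main(void) {
    const uint32_t bases[] = { 0, 0x2aaa8000, 0x2ab10000 }; /* constructed */
    uint64_t embedded = incore_fingerprint(0, 1); /* computed at build time */
    for (size_t i = 0; i < sizeof bases / sizeof *bases; i++)
        printf("base 0x%08x  fixups in hashed range: %-8s  none: %s\n",
               (unsigned)bases[i],
               incore_fingerprint(bases[i], 1) == embedded ? "match" : "MISMATCH",
               incore_fingerprint(bases[i], 0) == embedded ? "match" : "MISMATCH");
    return 0;
}
```

In this model the digest only matches the build-time value at every base when nothing inside the hashed range is patched, which fits the report of a different signature depending on where the library is loaded.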