Eventually I solved this problem. Here is the set of commands I need to use to 
generate the shared fips-capable openssl libraries:

su
cd fips   # wherever that may be
./config
make
make install
# this installs fipscanister.o and adjacent files into /usr/local/ssl/fips-2.0/

cd openssl   # still as root
./config fips shared
make depend
make
make install
# this installs libssl.so* and libcrypto.so* into /usr/local/ssl/lib

# I couldn’t get ldconfig to work for me, so I did this
export LD_LIBRARY_PATH=/usr/local/ssl/lib:$LD_LIBRARY_PATH

When I make my tiny application, I use the following directive in my Makefile:

DRIVER = encryption_driver
#export FIPSLD_CC = gcc // don't need this for .so
#export CC = fipsld // don't need this for .so
CC = gcc
CFLAGS = -Wall
INCLUDES = -I/usr/local/ssl/include/
LFLAGS = -L/usr/local/ssl/lib
LIBS = -lcrypto -lssl -ldl

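# Compile only the .c file ($<); the header stays a dependency.
# Libraries go after the source so the linker resolves its symbols.
$(DRIVER): $(DRIVER).c $(DRIVER).h
	$(CC) $(CFLAGS) $(INCLUDES) -o $@ $< $(LFLAGS) $(LIBS)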

Subsequently, a call to FIPS_mode_set in my encryption_driver returns without 
error.

This was very difficult to debug in my actual product build sequence.  Several 
executables are generated from the build and it turns out some were linking in 
an old version of openssl in some archaic location on the build machine (boo!)  
I made a lot of calls to ldd to discover this.

Hopefully this is helpful to someone else out there...

Cassie

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
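
The ldd check described in the message can be scripted across every executable a build produces, flagging any libssl or libcrypto that does not resolve into the FIPS-capable install directory. This is an added example, not part of the original post; the function names and the sample library file names are assumptions, and the expected directory is the /usr/local/ssl/lib path given in the message.

```shell
#!/bin/sh
# Directory the FIPS-capable libssl/libcrypto were installed into (from the post).
EXPECTED_DIR=/usr/local/ssl/lib

# check_ldd_output NAME: read `ldd` output on stdin and print every libssl or
# libcrypto entry that does not resolve under EXPECTED_DIR. Returns 1 if any.
check_ldd_output() {
    awk -v dir="$EXPECTED_DIR" -v name="$1" '
        /lib(ssl|crypto)\.so/ {
            # Typical line: libcrypto.so.N => /path/libcrypto.so.N (0x...)
            path = ($2 == "=>") ? $3 : $1
            if (path == "not") path = "not found"
            if (index(path, dir "/") != 1) {
                printf "%s: %s -> %s\n", name, $1, path
                bad = 1
            }
        }
        END { exit bad }'
}

# check_binaries FILE...: run ldd on each build output and apply the check.
# ldd may execute code from the file it inspects, so run it only on binaries
# from your own build.
check_binaries() {
    rc=0
    for exe in "$@"; do
        ldd "$exe" 2>/dev/null | check_ldd_output "$exe" || rc=1
    done
    return "$rc"
}

# Constructed sample of ldd output (file names and addresses are made up):
# libssl resolves to the new install, libcrypto to a stale copy elsewhere.
sample_ldd_output() {
    cat <<'EOF'
    linux-vdso.so.1 (0x00007ffd1a5f2000)
    libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f0a1c000000)
    libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f0a1bc00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0a1b800000)
EOF
}

if [ "$#" -gt 0 ]; then
    check_binaries "$@" || exit 1
else
    sample_ldd_output | check_ldd_output constructed-sample || true
fi
```

Run it with the build's executables as arguments; a non-zero exit status means at least one of them would load an OpenSSL library from outside the expected directory.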
