Enforce FIPS callback is only enabled for static builds

CMakeLists.txt

@@ -738,13 +738,18 @@ if(FIPS)
   endif()
 
   if(NOT BUILD_SHARED_LIBS AND NOT (NOT WIN32 AND NOT APPLE))
-    message(FATAL_ERROR "Static FIPS build of AWS-LC is suported only on Linux")
+    message(FATAL_ERROR "Static FIPS build of AWS-LC is supported only on Linux")
   endif()
 
   if(WIN32 AND CMAKE_BUILD_TYPE_LOWER STREQUAL "debug")
     message(FATAL_ERROR "Windows Debug build is not supported with FIPS, use Release or RelWithDebInfo")
   endif()
 
+  string(REGEX MATCH "(^| )-DAWSLC_FIPS_FAILURE_CALLBACK($| )" FIPS_CALLBACK_ENABLED "${CMAKE_C_FLAGS}")
+  if(FIPS_CALLBACK_ENABLED AND BUILD_SHARED_LIBS)
+    message(FATAL_ERROR "AWSLC_FIPS_FAILURE_CALLBACK only supported with the static library build of AWS-LC")
+  endif ()
+
   add_definitions(-DBORINGSSL_FIPS)
   if(FIPS_BREAK_TEST)
     add_definitions("-DBORINGSSL_FIPS_BREAK_${FIPS_BREAK_TEST}=1")

crypto/fips_callback_test.cc

@@ -1,8 +1,6 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0 OR ISC
 
-#if defined(__ELF__) && defined(__GNUC__)
-
 #include <gtest/gtest.h>
 #include <openssl/crypto.h>
 #include <openssl/curve25519.h>
@@ -15,7 +13,7 @@
 #include "internal.h"
 
 extern "C" {
-  OPENSSL_EXPORT void AWS_LC_fips_failure_callback(const char* message);
+  void AWS_LC_fips_failure_callback(const char* message);
 }
 
 int callback_call_count = 0;
@@ -164,5 +162,3 @@ TEST(FIPSCallback, PWCT) {
   }
   EVP_PKEY_free(dsa_raw);
 }
-
-#endif

crypto/fipsmodule/ec/ec_test.cc

@@ -1488,7 +1488,7 @@ TEST(ECTest, SmallGroupOrder) {
 #else
 // AWSLCAndroidTestRunner does not take tests that do |ASSERT_DEATH| very well.
 // GTEST issue: https://github.com/google/googletest/issues/1496.
-#if !defined(OPENSSL_ANDROID)
+#if !defined(OPENSSL_ANDROID) && !defined(AWSLC_FIPS_FAILURE_CALLBACK)
 
 TEST(ECDeathTest, SmallGroupOrderAndDie) {
   // Make a P-224 key and corrupt the group order to be small in order to fail

tests/ci/run_fips_tests.sh

@@ -32,7 +32,10 @@ if static_linux_supported || static_openbsd_supported; then
   fips_build_and_test -DCMAKE_BUILD_TYPE=Release
 
   echo "Testing AWS-LC static breakable build with custom callback enabled"
-  run_build -DFIPS=1 -DCMAKE_C_FLAGS="-DBORINGSSL_FIPS_BREAK_TESTS -DAWSLC_FIPS_FAILURE_CALLBACK"
+  run_build -DFIPS=1 \
+    -DCMAKE_C_FLAGS="-DBORINGSSL_FIPS_BREAK_TESTS -DAWSLC_FIPS_FAILURE_CALLBACK" \
+    -DCMAKE_CXX_FLAGS="-DAWSLC_FIPS_FAILURE_CALLBACK"
+  ./test_build_dir/crypto/crypto_test
   ./tests/ci/run_fips_callback_tests.sh
 
   echo "Testing AWS-LC static breakable release build"

tool/tool.cc

@@ -30,6 +30,16 @@
 
 #include "internal.h"
 
+#if defined(AWSLC_FIPS_FAILURE_CALLBACK)
+extern "C" {
+  void AWS_LC_fips_failure_callback(const char* message);
+}
+
+void AWS_LC_fips_failure_callback(const char* message) {
+    fprintf(stderr, "FIPS failure:\n%s", message);
+}
+#endif
+
 static bool version(const std::vector<std::string> &args) {
   printf("%s\n", AWSLC_VERSION_NUMBER_STRING);
   return true;