canroc wrote:
> I am confused with what is required in building an application to use
> encryption functions from a FIPS 140-2 capable openSSL library.
>
> If I link the shared library libcrypto.so (0.9.8j) into my application and
> do a FIPS_mode_set(1) call, is that all that is necessary for set up in
> order to have my application use the FIPS validated algorithms in openSSL?
> After all I think the libcrypto.so will have a static link to fipscanister.a.
>
> Or.. is it necessary to link in fipscanister as would be done by using the
> fipsld script?
>
> Thanks (I have read the Security Policy and User Guide a few times, but I am
> still confused on this)
>

The OpenSSL FIPS Object Module v1.2 (validation #1051) is for a statically linked module (fipscanister.o), and the corresponding Security Policy and User Guide documents are largely focused on aspects of that static linking. Most software validations are for shared modules, something the CMVP is a lot more comfortable with because the shared library file on disk fits the familiar paradigm of a hardware black box (the notion of a *running* software module, with paged virtual memory and separate text, data, stack memory segments, references to other shared libraries, etc., does *not* fit that paradigm and hence is generally avoided).

But, once you have that validated static fipscanister.o, linking it into a shared library of your choice is no more difficult than statically linking it into an application program. The obvious shared library to link it into is the OpenSSL libcrypto, of course.

As a convenience to users, the "fipsdo" option of FIPS compatible versions of OpenSSL will, in conjunction with a previously built OpenSSL FIPS Object Module, automagically create a libcrypto shared library containing fipscanister.o. This is documented in Appendix B of the User Guide.

Note the resulting "FIPS compatible" OpenSSL can be used just like the good old OpenSSL we all know and love, or at runtime the FIPS mode of operation can be enabled where all crypto operations are performed in the validated fipscanister.o. This behavior was an important design goal because it allows software vendors to ship one binary to all customers.

-Steve M.

--
Steve Marquess
Veridical Systems, Inc.
marqu...@veridicalsystems.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
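
A runtime check for the situation discussed in this thread, as an added example that is not part of the original messages or of OpenSSL's own code: it loads a libcrypto with dlopen(), looks up FIPS_mode_set, calls it with 1, and reports the outcome. The names fips_status and try_enable_fips and the default library name libcrypto.so are assumptions made for this example.

```c
#include <dlfcn.h>
#include <stdio.h>

enum fips_status {
    FIPS_LIB_MISSING,   /* dlopen() could not load the library */
    FIPS_NO_SYMBOL,     /* library loaded but does not export FIPS_mode_set */
    FIPS_ENABLE_FAILED, /* FIPS_mode_set(1) returned 0 */
    FIPS_ENABLED        /* FIPS_mode_set(1) returned non-zero */
};

/* libpath: path or soname of a libcrypto; NULL probes what the running
 * process already has linked in. *err receives ERR_get_error() on failure. */
enum fips_status try_enable_fips(const char *libpath, unsigned long *err)
{
    int (*mode_set)(int) = NULL;
    unsigned long (*get_error)(void) = NULL;
    enum fips_status st;
    void *h = dlopen(libpath, RTLD_NOW | RTLD_LOCAL);

    if (err) *err = 0;
    if (h == NULL) return FIPS_LIB_MISSING;

    /* POSIX idiom for turning a dlsym() result into a function pointer */
    *(void **)(&mode_set) = dlsym(h, "FIPS_mode_set");
    *(void **)(&get_error) = dlsym(h, "ERR_get_error");

    if (mode_set == NULL) {
        st = FIPS_NO_SYMBOL;
    } else if (mode_set(1)) {
        st = FIPS_ENABLED;
    } else {
        st = FIPS_ENABLE_FAILED;
        if (err && get_error) *err = get_error();
    }
    dlclose(h);
    return st;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "library not loadable", "no FIPS_mode_set symbol",
                                   "FIPS_mode_set(1) failed", "FIPS mode enabled" };
    const char *lib = argc > 1 ? argv[1] : "libcrypto.so"; /* assumed default name */
    unsigned long err = 0;
    enum fips_status st = try_enable_fips(lib, &err);
    printf("%s: %s (error 0x%lx)\n", lib, names[st], err);
    return st == FIPS_ENABLED ? 0 : 1;
}
```

On older glibc versions, link with `-ldl`. An application that requires FIPS mode should treat every result other than FIPS_ENABLED as a startup failure rather than continuing with non-validated crypto.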