Steve Marquess wrote:
> canroc wrote:
>
>> I am confused with what is required in building an application to use
>> encryption functions from a FIPS 140-2 capable openSSL library.
>>
>> If I link the shared library libcrypto.so (0.9.8j) into my application and
>> do a FIPS_mode_set(1) call, is that all that is necessary for set up in
>> order to have my application use the FIPS validated algorithms in openSSL?
>> After all I think the libcrypto.so will have a static link to fipscanister.a.
>>
>> Or.. is it necessary to link in fipscanister as would be done by using the
>> fipsld script?
>>
>> Thanks (I have read the Security Policy and User Guide a few times, but I am
>> still confused on this)
>
> The OpenSSL FIPS Object Module v1.2 (validation #1051) is for a
> statically linked module (fipscanister.o), and the corresponding
> Security Policy and User Guide documents are largely focused on aspects
> of that static linking. Most software validations are for shared
> modules, something the CMVP is a lot more comfortable with because the
> shared library file on disk fits the familiar paradigm of a hardware
> black box (the notion of a *running* software module, with paged virtual
> memory and separate text, data, stack memory segments, references to
> other shared libraries, etc., does *not* fit that paradigm and hence is
> generally avoided).
>
> But, once you have that validated static fipscanister.o, linking it into
> a shared library of your choice is no more difficult than statically
> linking it into an application program. The obvious shared library to
> link it into is the OpenSSL libcrypto, of course.
>
> As a convenience to users, the "fipsdo" option of FIPS compatible
> versions of OpenSSL will, in conjunction with a previously built OpenSSL
> FIPS Object Module, automagically create a libcrypto shared library
> containing fipscanister.o. This is documented in Appendix B of the User
> Guide. Note the resulting "FIPS compatible" OpenSSL can be used just
> like the good old OpenSSL we all know and love, or at runtime the FIPS
> mode of operation can be enabled where all crypto operations are
> performed in the validated fipscanister.o. This behavior was an
> important design goal because it allows software vendors to ship one
> binary to all customers.

Correction, should be 'As a convenience to users, the "fips" option of FIPS
compatible versions of OpenSSL...'. The "fipsdso" option is a special purpose
feature intended for use with "private label" binary validations. I should
note that it does not work for all platforms.

-Steve M.

--
Steve Marquess
Veridical Systems, Inc.
marqu...@veridicalsystems.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
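
An added example, not part of the original message or of OpenSSL's own code: the application-side `FIPS_mode_set(1)` call from the question, written so the program fails closed if the loaded libcrypto cannot enter FIPS mode. It assumes libcrypto is loaded with `dlopen` so it builds without OpenSSL headers; `enable_fips_mode` and the `APP_FIPS_*` status names are hypothetical.

```c
#include <dlfcn.h>
#include <stdio.h>

/* Hypothetical status codes for this example. */
enum app_fips_status {
    APP_FIPS_ON = 0,             /* FIPS_mode_set(1) succeeded, FIPS_mode() confirms */
    APP_FIPS_ERR_LOAD = -1,      /* shared library could not be loaded */
    APP_FIPS_ERR_NO_SYMBOL = -2, /* library does not export the FIPS entry points */
    APP_FIPS_ERR_REFUSED = -3    /* library loaded but did not enter FIPS mode */
};

/* Load libcrypto from lib_path and switch it to FIPS mode.
 * Any outcome other than APP_FIPS_ON must be treated as fatal. */
int enable_fips_mode(const char *lib_path)
{
    int (*mode_set)(int) = NULL;   /* int FIPS_mode_set(int onoff) */
    int (*mode_get)(void) = NULL;  /* int FIPS_mode(void) */
    void *h = dlopen(lib_path, RTLD_NOW | RTLD_GLOBAL);

    if (h == NULL) {
        fprintf(stderr, "dlopen: %s\n", dlerror());
        return APP_FIPS_ERR_LOAD;
    }
    *(void **)(&mode_set) = dlsym(h, "FIPS_mode_set");
    *(void **)(&mode_get) = dlsym(h, "FIPS_mode");
    if (mode_set == NULL || mode_get == NULL) {
        dlclose(h);
        return APP_FIPS_ERR_NO_SYMBOL;
    }
    /* FIPS_mode_set returns 1 on success; re-read the mode instead of
     * trusting the return value alone. */
    if (mode_set(1) != 1 || mode_get() == 0) {
        dlclose(h);
        return APP_FIPS_ERR_REFUSED;
    }
    return APP_FIPS_ON; /* handle is kept open for the life of the process */
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "libcrypto.so";
    int rc = enable_fips_mode(path);

    if (rc != APP_FIPS_ON) {
        fprintf(stderr, "FIPS mode not enabled (status %d), refusing to continue\n", rc);
        return 1;
    }
    puts("FIPS mode enabled");
    return 0;
}
```

On older glibc versions the program must be linked with `-ldl`.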