We have an application which performs dynamic opening of libcrypto.a (i.e. at run time, this application uses libcrypto.a). How will this application get into FIPS mode? Does the application have to link with libcrypto.a statically at compile time, or is there another way to handle this dynamically at run time?
Thanks
Joshi

On Fri, May 8, 2009 at 8:06 PM, Steve Marquess <[email protected]> wrote:
> Steve Marquess wrote:
> > canroc wrote:
> > >
> > > I am confused with what is required in building an application to use
> > > encryption functions from a FIPS 140-2 capable openSSL library.
> > >
> > > If I link the shared library libcrypto.so (0.9.8j) into my application and
> > > do a FIPS_mode_set(1) call, is that all that is necessary for set up in
> > > order to have my application use the FIPS validated algorithms in openSSL?
> > > After all I think the libcrypto.so will have a static link to fipscanister.a.
> > >
> > > Or.. is it necessary to link in fipscanister as would be done by using the
> > > fipsld script?
> > >
> > > Thanks (I have read the Security Policy and User Guide a few times, but I am
> > > still confused on this)
> >
> > The OpenSSL FIPS Object Module v1.2 (validation #1051) is for a
> > statically linked module (fipscanister.o), and the corresponding
> > Security Policy and User Guide documents are largely focused on aspects
> > of that static linking. Most software validations are for shared
> > modules, something the CMVP is a lot more comfortable with because the
> > shared library file on disk fits the familiar paradigm of a hardware
> > black box (the notion of a *running* software module, with paged virtual
> > memory and separate text, data, stack memory segments, references to
> > other shared libraries, etc., does *not* fit that paradigm and hence is
> > generally avoided).
> >
> > But, once you have that validated static fipscanister.o, linking it into
> > a shared library of your choice is no more difficult than statically
> > linking it into an application program. The obvious shared library to
> > link it into is the OpenSSL libcrypto, of course.
> >
> > As a convenience to users, the "fipsdo" option of FIPS compatible
> > versions of OpenSSL will, in conjunction with a previously built OpenSSL
> > FIPS Object Module, automagically create a libcrypto shared library
> > containing fipscanister.o. This is documented in Appendix B of the User
> > Guide. Note the resulting "FIPS compatible" OpenSSL can be used just
> > like the good old OpenSSL we all know and love, or at runtime the FIPS
> > mode of operation can be enabled where all crypto operations are
> > performed in the validated fipscanister.o. This behavior was an
> > important design goal because it allows software vendors to ship one
> > binary to all customers.
>
> Correction, should be 'As a convenience to users, the "fips" option of
> FIPS compatible versions of OpenSSL...'.
>
> The "fipsdso" option is a special purpose feature intended for use with
> "private label" binary validations. I should note that it does not work
> for all platforms.
>
> -Steve M.
>
> --
> Steve Marquess
> Veridical Systems, Inc.
> [email protected]
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       [email protected]
> Automated List Manager                           [email protected]

--
Regards
Joshi Chandran
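The thread's answer is that FIPS mode is a property of the libcrypto that was built with the "fips" option (so it contains fipscanister.o), and that an application turns it on at run time with FIPS_mode_set(1). The following is an added example, not code from the thread or from the OpenSSL project, showing how an application that loads libcrypto with dlopen() rather than linking it at compile time can do the same thing and verify the result: it resolves FIPS_mode_set and FIPS_mode by name, treats their absence as "this libcrypto was not built FIPS-capable", reports FIPS_mode_set(1) failures (such as a failed integrity check or self-test) from the OpenSSL error queue, and confirms with FIPS_mode() that the mode actually took effect. The path to the library and the default name "libcrypto.so" in main() are assumptions; the function names are the OpenSSL 0.9.8/1.0.x FIPS-capable API.

```c
/* Added example (not from the thread): enable FIPS mode in a libcrypto that
 * is loaded at run time with dlopen(), and confirm that it took effect.
 * Assumes a FIPS-capable libcrypto (built with the "fips" option so that it
 * contains fipscanister.o) at the path the caller supplies. */
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>

/* Return codes of enable_fips_runtime(). */
enum fips_rt_status {
    FIPS_RT_OK = 0,                 /* FIPS_mode_set(1) succeeded and FIPS_mode() confirms it */
    FIPS_RT_NO_LIBRARY = -1,        /* dlopen() failed */
    FIPS_RT_NOT_FIPS_CAPABLE = -2,  /* FIPS_mode_set/FIPS_mode not exported:
                                       libcrypto was not built with fipscanister.o */
    FIPS_RT_SET_FAILED = -3,        /* FIPS_mode_set(1) returned 0, e.g. integrity
                                       check or power-up self-test failure */
    FIPS_RT_NOT_CONFIRMED = -4      /* FIPS_mode_set(1) returned 1 but FIPS_mode() != 1 */
};

/* Prototypes of the OpenSSL functions resolved by name (0.9.8/1.0.x FIPS-capable builds). */
typedef int (*FIPS_mode_set_t)(int onoff);
typedef int (*FIPS_mode_t)(void);
typedef unsigned long (*ERR_get_error_t)(void);
typedef void (*ERR_error_string_n_t)(unsigned long e, char *buf, size_t len);

static void set_err(char *errbuf, size_t errlen, const char *msg, const char *detail)
{
    if (errbuf == NULL || errlen == 0)
        return;
    snprintf(errbuf, errlen, "%s%s%s", msg, detail ? ": " : "", detail ? detail : "");
}

int enable_fips_runtime(const char *libcrypto_path, void **handle_out,
                        char *errbuf, size_t errlen)
{
    void *h;
    FIPS_mode_set_t fips_mode_set;
    FIPS_mode_t fips_mode;

    if (handle_out != NULL)
        *handle_out = NULL;

    /* RTLD_NOW: fail here, not on first use, if the module is incomplete. */
    h = dlopen(libcrypto_path, RTLD_NOW | RTLD_GLOBAL);
    if (h == NULL) {
        set_err(errbuf, errlen, "dlopen failed", dlerror());
        return FIPS_RT_NO_LIBRARY;
    }

    /* Casting void * to a function pointer is the usual dlsym() idiom. */
    fips_mode_set = (FIPS_mode_set_t)dlsym(h, "FIPS_mode_set");
    fips_mode = (FIPS_mode_t)dlsym(h, "FIPS_mode");
    if (fips_mode_set == NULL || fips_mode == NULL) {
        set_err(errbuf, errlen, "FIPS_mode_set/FIPS_mode not exported",
                "libcrypto was not built with the fips option");
        dlclose(h);
        return FIPS_RT_NOT_FIPS_CAPABLE;
    }

    if (fips_mode_set(1) != 1) {
        /* Report the reason from the OpenSSL error queue when it is available. */
        ERR_get_error_t err_get = (ERR_get_error_t)dlsym(h, "ERR_get_error");
        ERR_error_string_n_t err_str = (ERR_error_string_n_t)dlsym(h, "ERR_error_string_n");
        unsigned long e = err_get ? err_get() : 0;
        char detail[256];
        if (e != 0 && err_str != NULL) {
            err_str(e, detail, sizeof detail);
            set_err(errbuf, errlen, "FIPS_mode_set(1) failed", detail);
        } else {
            set_err(errbuf, errlen, "FIPS_mode_set(1) failed", NULL);
        }
        dlclose(h);
        return FIPS_RT_SET_FAILED;
    }

    /* Do not trust the return value alone: ask the module which mode it is in. */
    if (fips_mode() != 1) {
        set_err(errbuf, errlen, "FIPS_mode() does not report FIPS mode after FIPS_mode_set(1)", NULL);
        dlclose(h);
        return FIPS_RT_NOT_CONFIRMED;
    }

    /* FIPS mode is state inside the loaded module: keep the handle open for
     * the life of the process, since dlclose() would discard it. */
    if (handle_out != NULL)
        *handle_out = h;
    return FIPS_RT_OK;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "libcrypto.so";  /* assumed default name */
    void *h = NULL;
    char err[512];
    int rc = enable_fips_runtime(path, &h, err, sizeof err);
    if (rc != FIPS_RT_OK) {
        fprintf(stderr, "%s: FIPS mode not enabled (%d): %s\n", path, rc, err);
        return 1;
    }
    printf("%s: FIPS mode enabled\n", path);
    return 0;
}
```

Run it as `./a.out /path/to/libcrypto.so` (on older glibc, link with `-ldl`). The distinction between FIPS_RT_NOT_FIPS_CAPABLE and FIPS_RT_SET_FAILED is the one that matters operationally: the first means the library on disk was never built with fipscanister.o, so no run-time call can put it in FIPS mode; the second means a FIPS-capable module refused to enter FIPS mode, which is the failure a deployment check should alarm on.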
