On Fri, Sep 11, 2009, Lin Hwang wrote:

> Hi,
>
> I am an OpenSSL newbie. Recently I have been trying to build the FIPS module and a FIPS
> capable lib on a Linux system.
> I notice that all the fips_xxxtest programs at link time go through
> fipsld and are linked with a digest. I expected
> the same thing with the application "openssl", but I don't see it happen when
> I check the build log. When I run
> the command, it worked!! For example when I ran "openssl version", it
> shows me "OpenSSL 0.9.8j-fips 07 Jan
> 2009". Why is there no fingerprint, but it seems to pass FIPS_mode_set
> without problem?
>
The openssl utility doesn't enter FIPS mode unless the environment variable OPENSSL_FIPS is set to 1.

Now the reason this works is because in shared library builds the openssl utility is linked to the openssl shared library and *that* has the fingerprint set at build time.

Other fips_* utilities do not use the openssl shared library at all; they link to the validated module fipscanister.o from the validated build and only rely on functionality in that object file. This is done to demonstrate that the utilities (used during validation) do not make use of unvalidated code.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
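The two points in Steve's reply, the OPENSSL_FIPS=1 gate on the openssl utility and the fingerprint living in whatever fipsld linked (fipscanister.o, or the shared libcrypto that embeds it), are the things a builder actually wants to verify. The script below is an added example written for this thread, not code from the OpenSSL project. The function names fips_requested and has_fips_signature are my own, and it assumes the embedded fingerprint is held in a data symbol called FIPS_signature (the name used by the FIPS premain code of that era; if your module differs, adjust the pattern).

```shell
#!/bin/sh
# Added example (not OpenSSL project code). Two checks that follow the
# explanation above; all names here are assumptions, see lead-in.

# 1. The openssl command only calls FIPS_mode_set(1) when OPENSSL_FIPS=1
#    is in its environment. Mirror that gate so a build script can tell
#    "library is FIPS capable" apart from "this process asked for FIPS mode".
fips_requested() {
    [ "${OPENSSL_FIPS:-0}" = "1" ]
}

# 2. The fingerprint is written by fipsld into the object it links, so a
#    binary that was never linked through fipsld (like the openssl utility
#    in a shared build) carries none. Assumption: the fingerprint storage
#    is the symbol FIPS_signature. Prefer nm on the dynamic symbol table,
#    fall back to a raw string scan when nm is unavailable or the file is
#    not an ELF object. Returns 0 if found, 1 if not, 2 if unreadable.
has_fips_signature() {
    f="$1"
    [ -r "$f" ] || return 2
    if command -v nm >/dev/null 2>&1; then
        if nm -D "$f" 2>/dev/null | grep -q ' FIPS_signature$'; then
            return 0
        fi
    fi
    grep -qa 'FIPS_signature' "$f"
}

# Report the gate state and, for every path given, whether it carries the
# fingerprint. With OPENSSL_FIPS=1 the openssl utility, if present, also
# prints its version string so you can see the "-fips" suffix.
demo() {
    if fips_requested; then
        echo "OPENSSL_FIPS=1: the openssl utility will call FIPS_mode_set(1)"
        command -v openssl >/dev/null 2>&1 && openssl version
    else
        echo "OPENSSL_FIPS unset: the openssl utility stays in non-FIPS mode"
    fi
    for f in "$@"; do
        if has_fips_signature "$f"; then
            echo "$f: fingerprint symbol present (linked through fipsld)"
        else
            echo "$f: no fingerprint symbol (not fipsld-linked, or unreadable)"
        fi
    done
}

demo "$@"
```

Typical use on a build host is `OPENSSL_FIPS=1 sh fips_check.sh /path/to/libcrypto.so /path/to/fips_test` (the script name and paths are placeholders). A shared libcrypto from a FIPS-capable build should report the symbol; the openssl binary itself should not, which is exactly the situation the original question describes.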