I have gone through the user guide again, and I am a little confused now. This
statement confuses me:

A HMAC-SHA1 digest of the FIPS Object Module code and read-only data must be
generated and embedded in the application executable object for use by the
FIPS_mode_set() function at runtime initialization.

So if I do a dlopen of the libcrypto library and load FIPS_mode_set
dynamically, in this case it will not embed the SHA digest
in the application executable. In this scenario, I cannot load this symbol
FIPS_mode_set dynamically and it needs to be available at compilation
time; I will need to link to libcrypto.a at compile time.

Please advise

Thanks
Rajan




On Fri, May 29, 2009 at 5:50 PM, tensy joseph <rajanchit...@gmail.com> wrote:

> My libcrypto.a is a shared library and also fipscanister.o has been
> incorporated in a shared library libcrypto.a. So to get the fipscanister.o
> at compile time, it needs to link with libcrypto.a at compile time in
> order to check the HMAC-SHA1 integrity test of fipscanister.o embedded in the
> libcrypto.a with the previously stored fipscanister.sha value. Please
> correct me if I am wrong
>
> Thanks
>
> Rajan
>
> On Fri, May 29, 2009 at 4:46 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
>
>> On Fri, May 29, 2009, tensy joseph wrote:
>>
>> > Until now I believed that all applications should link to the
>> > libcrypto library at compilation so that it can check the fipscanister.o
>> > hash value in the library with the previously stored fips.
>> >
>> > As the user guide says
>> >
>> >
>> > 1. The HMAC-SHA-1 digest of the FIPS Object Module file must be calculated
>> > and verified against the installed digest to ensure the integrity of the
>> > FIPS Object Module.
>> >
>> > *For doing this, the library libcrypto.a should be linked at compile time.
>> > Without linking the application with libcrypto.a, will that make them FIPS
>> > capable applications? Please correct me if I am wrong*
>> >
>> > 2. A HMAC-SHA1 digest of the FIPS Object Module code and read-only data must
>> > be generated and embedded in the application executable object for use by the
>> > FIPS_mode_set() function at runtime initialization.
>> >
>> > In our application, we normally do not link with libcrypto.a at compile
>> > time. We do the dynamic loading. Is it possible to link
>> > dynamically and have FIPS capability in the application? From my
>> > understanding, it is not possible? Please correct me if I am wrong
>> >
>>
>> That is true but the "application" can be the libcrypto shared library
>> which has already checked the hash at link time.
>>
>> For the 1.1.2 module shared library builds weren't possible on most
>> platforms, with the 1.2 module they are with a few exceptions.
>>
>> Steve.
>> --
>> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
>> OpenSSL project core developer and freelance consultant.
>> Homepage: http://www.drh-consultancy.demon.co.uk
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-users@openssl.org
>> Automated List Manager                           majord...@openssl.org
>>
>
>
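
Following Steve's reply that the libcrypto shared library can itself be the "application" that carries the embedded digest, this added example (not from the thread or the OpenSSL project) shows a caller that dlopen()s libcrypto, resolves FIPS_mode_set() and fails closed if any step fails. The function name enable_fips_via_dlopen, the result codes and the default library name libcrypto.so are assumptions of the example.

```c
/* Added example: enable FIPS mode through a dlopen()ed libcrypto, failing closed. */
#include <dlfcn.h>
#include <stdio.h>

/* Result codes are this example's own names, not OpenSSL's. */
enum fips_load_result {
    FIPS_LOAD_OK = 0,
    FIPS_LOAD_NO_LIBRARY = -1,   /* dlopen() failed */
    FIPS_LOAD_NO_SYMBOL = -2,    /* library does not export FIPS_mode_set */
    FIPS_LOAD_MODE_REFUSED = -3  /* FIPS_mode_set(1) did not return 1 */
};

typedef int (*fips_mode_set_fn)(int onoff);

/* On success *handle_out holds the open library; on any failure it is NULL
 * and the library is closed, so no crypto can be reached through it. */
int enable_fips_via_dlopen(const char *libpath, void **handle_out)
{
    fips_mode_set_fn set_mode = NULL;
    void *h;

    *handle_out = NULL;
    h = dlopen(libpath, RTLD_NOW | RTLD_LOCAL);
    if (h == NULL)
        return FIPS_LOAD_NO_LIBRARY;

    /* POSIX-style assignment avoids casting void * to a function pointer. */
    *(void **)(&set_mode) = dlsym(h, "FIPS_mode_set");
    if (set_mode == NULL) {
        dlclose(h);
        return FIPS_LOAD_NO_SYMBOL;
    }
    /* The integrity check against the embedded digest runs inside this call. */
    if (set_mode(1) != 1) {
        dlclose(h);
        return FIPS_LOAD_MODE_REFUSED;
    }
    *handle_out = h;
    return FIPS_LOAD_OK;
}

int main(int argc, char **argv)
{
    /* "libcrypto.so" is an assumed default; pass the real path as argv[1]. */
    void *lib = NULL;
    int rc = enable_fips_via_dlopen(argc > 1 ? argv[1] : "libcrypto.so", &lib);
    printf("FIPS enable result: %d\n", rc);
    return rc == FIPS_LOAD_OK ? 0 : 1;
}
```

On older glibc versions, link with -ldl.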
