On Fri, Jan 4, 2013 at 10:56 AM, Steve Marquess <marqu...@opensslfoundation.com> wrote:
> On 01/04/2013 03:45 AM, Jeffrey Walton wrote:
>> Hi All,
>>
>> I'm wondering how the single pass linker affects symbol resolution. If
>> I specify:
>>
>> fipscanister.o libcrypto.a
>>
>> the linker will resolve symbols preferring the cryptography from
>> fipscanister.o, then from libcrypto.a. After encountering
>> fipscanister.o, there should be no unresolved cryptography functions
>> since fipscanister.o provides the validated cryptography.
>>
>> However, what happens if the linker encounters libcrypto.a first:
>>
>> libcrypto.a fipscanister.o
>>
>> In this case, shouldn't the linker resolve cryptography symbols with
>> libcrypto.a, which means non-validated cryptography will be linked
>> into the final application?
>
> Well, first off you would never link against both fipscanister.o and
> libcrypto.a at the same time.
OK, so I'm clear here.....

I've built and installed the Canister. I have also built and installed
the Capable. In my final application, I always link against libcrypto.a.
Period. I never link against fipscanister.o. Period.

> Either the libcrypto.a is from a "FIPS
> capable" OpenSSL build, in which case it *contains* fipscanister.o, or
> it isn't in which case you shouldn't be trying to reference
> fipscanister.o at all.
Oh, I was not aware of that. I will have to go back through the User
Guide and see where I went wrong. Or is final application linking
covered in the Security Policy?

> However, there are no symbol conflicts, as can be seen from:
>
> nm -g fipscanister.o
> nm -g libcrypto.a
>
Ah right. I should have probably done that last night.

> Well, first off you would never link against both fipscanister.o and
> libcrypto.a at the same time.
Let's revisit this now. fipscanister.o is an artifact from the FIPS
Object Module process. It is installed in /usr/local/ssl/<platform>/lib
(by default). If it's not intended to be used, why is it present?

> Remember that the FIPS module and OpenSSL (whether "FIPS capable" or
> not) are separate software products.
Yes, I am clear on that.

Jeff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
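The two points argued in this message, Steve's `nm -g` check for conflicting definitions and Jeff's question about what a single-pass linker does when libcrypto.a precedes fipscanister.o, can be made concrete with a small model. The script below is an added example written for this page; it is not OpenSSL code and not part of the thread. It parses `nm -g` style listings and simulates the classic single-pass archive rule (object files are always linked; an archive member is pulled in only if it defines a symbol that is still undefined when the linker reaches that archive, and earlier inputs are never revisited). The two listings embedded in it are constructed, not captured from real files, and the symbol names (crypto_aes_encrypt, fips_selftest, bio_new, ...) are hypothetical stand-ins rather than OpenSSL's real exports; the libcrypto.a listing is deliberately the "not FIPS capable" case Jeff was worried about, so that the conflict check finds something.

```python
"""Added example (not OpenSSL's code): parse `nm -g` output and simulate the
single-pass symbol resolution of a traditional Unix linker.

The nm listings are constructed for illustration, and the symbol names are
hypothetical stand-ins, not OpenSSL's exported names.
"""
import re

# One symbol per nm line: "<addr> <type> <name>" when defined, or a blank
# address column plus "U <name>" when undefined. In an archive listing a line
# ending in ':' names the archive or the member whose symbols follow.
_SYM_RE = re.compile(r"^\s*(?:[0-9A-Fa-f]+\s+)?([A-Za-z?])\s+(\S+)\s*$")
_UNDEFINED_TYPES = {"U", "w", "v"}   # undefined and weak-undefined references

# Constructed `nm -g fipscanister.o` listing: a single object file.
FIPS_NM = """
0000000000000000 T crypto_aes_encrypt
0000000000000120 T crypto_sha256
0000000000000240 T fips_selftest
                 U memcpy
"""

# Constructed `nm -g libcrypto.a` listing for a build that is NOT FIPS capable,
# so it carries its own copies of the crypto routines (Jeff's hypothetical).
LIBCRYPTO_NM = """
libcrypto.a:

aes.o:
0000000000000000 T crypto_aes_encrypt
                 U memcpy

bio.o:
0000000000000000 T bio_new
                 U malloc

sha.o:
0000000000000000 T crypto_sha256
"""

# Symbols the (hypothetical) application object files themselves reference.
APP_UNDEFINED = {"crypto_aes_encrypt", "bio_new"}


class LinkError(Exception):
    """Raised where a real linker would stop with 'multiple definition of ...'."""


def parse_nm(text, default_member):
    """Map member name -> (defined symbols, undefined symbols) from nm -g text."""
    members = {}
    member = default_member
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.endswith(":"):          # "libcrypto.a:" or "aes.o:" header
            member = line[:-1]
            continue
        match = _SYM_RE.match(line)
        if match is None:
            raise ValueError("unrecognised nm line: %r" % line)
        sym_type, name = match.groups()
        defined, undefined = members.setdefault(member, (set(), set()))
        (undefined if sym_type in _UNDEFINED_TYPES else defined).add(name)
    return members


def duplicate_definitions(*listings):
    """The `nm -g` check: symbols defined in more than one place.

    listings are (label, parsed members) pairs; returns {symbol: [locations]}.
    """
    where = {}
    for label, members in listings:
        for member, (defined, _) in members.items():
            for name in defined:
                where.setdefault(name, []).append("%s(%s)" % (label, member))
    return {name: locs for name, locs in sorted(where.items()) if len(locs) > 1}


def single_pass_link(app_undefined, inputs):
    """Simulate a single-pass link of `inputs`, given in command-line order.

    Each input is (label, is_archive, parsed members).  Object files are always
    linked.  An archive member is pulled in only if it defines a symbol that is
    still undefined when the linker reaches that archive; the archive is
    rescanned until it yields nothing more, and then never revisited.
    Returns (linked inputs in order, symbol -> (label, member), unresolved set).
    """
    unresolved = set(app_undefined)
    provider = {}
    linked = []

    def pull(label, member, defined, undefined, display):
        for name in defined:
            if name in provider and provider[name] != (label, member):
                raise LinkError("multiple definition of %s: %s(%s) and %s"
                                % (name, provider[name][0], provider[name][1], display))
            provider[name] = (label, member)
        linked.append(display)
        unresolved.difference_update(defined)
        unresolved.update(n for n in undefined if n not in provider)

    for label, is_archive, members in inputs:
        if not is_archive:
            for member, (defined, undefined) in members.items():
                pull(label, member, defined, undefined, label)
            continue
        pulled = set()
        progress = True
        while progress:                 # rescan the archive until stable
            progress = False
            for member, (defined, undefined) in members.items():
                if member not in pulled and defined & unresolved:
                    pull(label, member, defined, undefined, "%s(%s)" % (label, member))
                    pulled.add(member)
                    progress = True
    return linked, provider, unresolved


if __name__ == "__main__":
    fips = parse_nm(FIPS_NM, "fipscanister.o")
    libcrypto = parse_nm(LIBCRYPTO_NM, "libcrypto.a")
    print("defined twice:", duplicate_definitions(("fipscanister.o", fips),
                                                  ("libcrypto.a", libcrypto)))
    for order in (["fipscanister.o", "libcrypto.a"], ["libcrypto.a", "fipscanister.o"]):
        inputs = [(n, n.endswith(".a"), fips if n.startswith("fips") else libcrypto)
                  for n in order]
        try:
            linked, provider, unresolved = single_pass_link(APP_UNDEFINED, inputs)
            print(order, "->", linked, "crypto_aes_encrypt from", provider["crypto_aes_encrypt"])
        except LinkError as err:
            print(order, "->", err)
```

Running it shows both halves of the discussion on the constructed data. The duplicate check reports crypto_aes_encrypt and crypto_sha256 as defined in both inputs, which is exactly what a FIPS-capable libcrypto.a (one that already contains the canister) must not show and what Steve's real `nm -g` run did not show. With `fipscanister.o libcrypto.a` the canister supplies the crypto symbols and only bio.o is pulled from the archive; with `libcrypto.a fipscanister.o` aes.o is pulled first and the later, unconditionally linked fipscanister.o then collides with it. Under this model the wrong order does not silently substitute non-validated code; it fails the link with a multiple-definition error, provided the duplicated symbols are strong definitions, which is the assumption the constructed listings make.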