> On Aug 2, 2016, at 1:59 PM, jonetsu wrote:
>
> The current FIPS User Guide mentions:
>
> "3.3 Creation of Shared Libraries
>
> The FIPS Object Module is not directly usable as a shared
> library, but it can be linked into an application that is a
> shared library. A “FIPS compatible” OpenSSL distribution will
> automatically incorporate an available FIPS Object Module into
> the libcrypto shared library when built using the fips
> option (see §4.2.3)."
>
> Does the first sentence mean that there should be an intermediate, user
> created, .so that itself uses libcrypto.a ?
I think you’re confusing the FIPS Object Module with libcrypto. You might also
be confusing the libcrypto produced from your FIPS build, and the libcrypto
produced by a FIPS capable OpenSSL. The former is what you get when you
compile the software found in, e.g., openssl-fips-2.0.11.tar.gz, while the
latter is produced when you compile from a regular OpenSSL release (e.g.
openssl-1.0.2g.tar.gz). These are three different things. The libcrypto from
the FIPS build isn’t used in any of your link steps.
The FIPS Object Module may be (and on most systems is) compiled as a shared
object (not a .so file, but a shared object). Because it’s not a library, you
can’t simply link it. Some systems allow shared objects to be accessed via
dlopen(), and the warning is to indicate that doing so is inappropriate, even
when it’s possible.
Noting that you can link it into a shared executable or library indicates that
if you have a shared library or executable that you want to link the FIPS
Object Module into, that you may do so. The usual way to do this is to link
libcrypto.a (from a FIPS capable OpenSSL build) and use the fipsld script.
Even if you don’t do it the usual way (e.g. you want to link only the FIPS
Object Module), then you may, but you still have to follow all the rules laid
out in the security policy (e.g. do everything the fipsld script is doing).
This probably not what one wants to do. It’s far more likely that one wants to
use the FIPS capable OpenSSL shared library directly. That’s what the second
part is about...
> What does the second part mean ? The FOM will be included in the shared
> library (assuming the libcrypto.so file) ? If so, then why wouldn't it be
> available directly ? A clarification in perhaps simpler terms over what
> seems to be an explanation in the User Guide would be much appreciated.
It means that when you create a FIPS capable OpenSSL, if you compiled libcrypto
as a shared library, that libcrypto shared library will incorporate the FIPS
Object Module, following the security policy. This means that you can use that
shared library as you would any other shared library, and still be able to
enable FIPS mode. This is what most people who want to use a shared library
will want to do.
> In practical terms, is it possible for an application to link against a
> libcrypto.so that provides all needed FIPS symbols ?
In general, yes. In practice, it depends. Compiling a FIPS capable OpenSSL
might not create a shared library on your system. In that case, you must link
libcrypto.a, and use the fipsld script (or equivalent) when you link it. I
think that the vast majority of systems will compile it as a shared library,
though, without any intervention on your part.
> If it's not, can you
> give an example overview in which an application already using OpenSSL
> (libcrypto.so) but now supporting FIPS, can still use libcrypto.so with full
> FIPS support ?
Just link against the library produced by the FIPS capable OpenSSL build. If,
for some reason, that only produced libcrypto.a, then you need to investigate
why — perhaps you passed “no-shared” when running the config script?
> Is the only answer to now have the application linked
> against libcrypto.a ?
>
> Thanks !
>
>
>
>
> --
> View this message in context:
> http://openssl.6102.n7.nabble.com/FIPS-using-libcrypto-so-tp67694.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users