-
Re: FIPS 1.2
On Wed, Jul 09, 2008, Jan F. Schnellbaecher wrote:
> Hello Stephen,
>
> thanks for your very quick reply.
>
>>> 1) Can it be linked dynamically?
>>>
>> Yes it can.
>>> 2) If I would like to link it dynamically when/where do I link the
>>> fipscanister.o?
>>>
>> You build and install fipscanister.o from the FIPS 1.2 test source.
>> Then obtain the 0.9.8-fips source with shared build options. This will
>> create
>> libcrypto with fipscanister.o included and linked in the correct manner.
>> At an application level you just need to link against the OpenSSL shared
>> libraries.
>
> Let's see if I understood it correctly:
>
> 1) If I want to link it dynamically the fipscanister.o is already linked
> into the shared object and for static linking the fipscanister.o must be
> linked additionally with the fipsld script, because it is not included into
> the libcrypto.a.
>
> 2) If I were to link it statically, there is no difference between linking to an
> application, a *.so or a *.lib.
>
When an application links to fipscanister.o it must include an embedded
signature in order to perform the mandatory integrity checks. The actual value
of the signature depends on how the fipscanister.o object module is linked and
so must be performed on a per-application basis. That, among other things, is
the purpose of the fipsld script.
So for a static link you need to call fipsld to determine and embed the
signature.
In the case of a shared library the "application" is the shared library itself
and the fipsld linking has been performed by the build process.
Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
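The reply above explains why a static link needs fipsld: the integrity check hashes the linked-in canister, so the expected value changes with every link and has to be embedded per application. The following is an added model of that mechanism, written for this thread; it is not code from the OpenSSL FIPS module or from anyone on the list. The HMAC-SHA-1 algorithm, the fixed key "etaonrisuhdlcupfm" and the name FIPS_signature (the array fips_premain.c supplies) are taken from the FIPS module source; the "canister" bytes, the toy linker and the image layout are constructed here purely to show why a signature computed for one link is useless for another and why tampering is detected.

```python
"""Toy model of the OpenSSL FIPS in-core integrity check (added example).

The real module HMAC-SHA-1s its own text and rodata ranges with a fixed key
and compares the result with the value fipsld embedded in FIPS_signature.
Everything here other than the key and the algorithm is a simplification.
"""
import hashlib
import hmac
import struct

# Fixed key used by the FIPS module for its in-core HMAC-SHA-1 (fips/fips.c).
FIPS_HMAC_KEY = b"etaonrisuhdlcupfm"

# Constructed "object module": a few opcode-like bytes with two 32-bit
# absolute address fields (0xFFFFFFFF placeholders) that a linker must fill.
CANISTER_TEXT_TEMPLATE = (
    b"\x55\x48\x89\xe5"                   # pretend function prologue
    + b"\xe8" + b"\xff\xff\xff\xff"       # call <absolute target>, relocated at link
    + b"\x8b\x05" + b"\xff\xff\xff\xff"   # load <absolute address>, relocated at link
    + b"\xc3"                             # ret
)
CANISTER_RODATA = b"toy canister rodata (constructed)\x00"
RELOC_OFFSETS = (5, 11)  # byte offsets of the two placeholder fields above


def link_canister(base_address):
    """Toy linker: resolve the placeholders relative to base_address.

    Once the addresses are resolved the text bytes depend on where the
    module landed, which is why two applications (or a static and a shared
    build) never share the same fingerprint."""
    text = bytearray(CANISTER_TEXT_TEMPLATE)
    for i, off in enumerate(RELOC_OFFSETS):
        struct.pack_into("<I", text, off, base_address + 0x40 * (i + 1))
    return {"text": bytes(text), "rodata": CANISTER_RODATA, "signature": None}


def incore_fingerprint(image):
    """HMAC-SHA-1 over the linked text and rodata, as the module does at runtime."""
    mac = hmac.new(FIPS_HMAC_KEY, digestmod=hashlib.sha1)
    mac.update(image["text"])
    mac.update(image["rodata"])
    return mac.digest()


def fipsld_embed(image):
    """What fipsld does in spirit: fingerprint *this* link and embed the value
    (the FIPS_signature array from fips_premain.c) into the final image."""
    return {**image, "signature": incore_fingerprint(image)}


def check_incore_fingerprint(image):
    """Runtime self-test: embedded signature must match a fresh computation."""
    if image["signature"] is None:
        return False  # nothing embedded: FIPS mode would refuse to start
    return hmac.compare_digest(image["signature"], incore_fingerprint(image))


def reuse_signature(signed_image, other_image):
    """Copy a signature from one link into another (skipping fipsld)."""
    return {**other_image, "signature": signed_image["signature"]}


def tamper(image, offset, value):
    """Flip one text byte after signing, as an integrity failure would look."""
    text = bytearray(image["text"])
    text[offset] = value
    return {**image, "text": bytes(text)}


def demo():
    """Return the four outcomes the thread's explanation predicts."""
    app_a = fipsld_embed(link_canister(0x400000))      # linked and signed by "fipsld"
    app_b = link_canister(0x7f0000)                    # a different link, not signed
    return {
        "signed_link_passes": check_incore_fingerprint(app_a),
        "unsigned_link_fails": check_incore_fingerprint(app_b),
        "reused_signature_fails": check_incore_fingerprint(reuse_signature(app_a, app_b)),
        "tampered_image_fails": check_incore_fingerprint(tamper(app_a, 0, 0x90)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The shared-library case in the reply maps onto `fipsld_embed` having been run on libcrypto.so by the OpenSSL build itself, so the application only has to link against it; the static case maps onto the application link needing its own `fipsld_embed` pass.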
-
FIPS 1.2
Hello list,
I am unsure how OpenSSL FIPS 1.2 can be deployed. I read that it can be linked
statically but also loaded dynamically, but I also read that it can only be linked
statically (as with FIPS 1.1.2).
1) Can it be linked dynamically?
2) If I would like to link it dynamically, when/where do I link the fipscanister.o?
3) Can it only be linked to binaries or is it possible to link it
(static/dynamic) to a static lib (*.a) or to a shared object (*.so)? How/where
do I incorporate fips_premain.c?
4) DH-Key-Exchange: I read that it is not certified but not disabled. Is it
compliant to use it or not? Why is it handled in this special way?
5) I have the UserGuide1.2 from February 2008 but it is only a draft. Is there a
newer one?
Thanks
Jan
-
Re: FIPS 1.2
Hello Stephen,
thanks for your very quick reply.
>
>> 1) Can it be linked dynamically?
>>
>
> Yes it can.
>
>> 2) If I would like to link it dynamically when/where do I link the
>> fipscanister.o?
>>
>
> You build and install fipscanister.o from the FIPS 1.2 test source.
>
> Then obtain the 0.9.8-fips source with shared build options. This will create
> libcrypto with fipscanister.o included and linked in the correct manner.
>
> At an application level you just need to link against the OpenSSL shared
> libraries.
>
Let's see if I understood it correctly:
1) If I want to link it dynamically the fipscanister.o is already linked into
the shared object and for static linking the fipscanister.o must be linked
additionally with the fipsld script, because it is not included into the
libcrypto.a.
2) If I were to link it statically, there is no difference between linking to an
application, a *.so or a *.lib.
Are my assumptions correct?
Do you also know about the special handling of the DH-Key-Exchange algorithm?
Bye
Jan