FIPS 1.2 - Openssl


Thread: FIPS 1.2

  1. Re: FIPS 1.2

    On Wed, Jul 09, 2008, Jan F. Schnellbaecher wrote:

    > Hello Stephen,
    >
    > thanks for your very quick reply.
    >
    >>> 1) Can it be linked dynamically?
    >>>
    >> Yes it can.
    >>
    >>> 2) If I would like to link it dynamically when/where do I link the
    >>> fipscanister.o?
    >>>
    >> You build and install fipscanister.o from the FIPS 1.2 test source.
    >> Then obtain the 0.9.8-fips source with shared build options. This will
    >> create libcrypto with fipscanister.o included and linked in the correct
    >> manner. At an application level you just need to link against the OpenSSL
    >> shared libraries.
    >
    > Let's see if I understood it correctly:
    >
    > 1) If I want to link dynamically, fipscanister.o is already linked into
    > the shared object, and for static linking fipscanister.o must additionally
    > be linked with the fipsld script, because it is not included in
    > libcrypto.a.
    >
    > 2) If I link it statically, there is no difference between linking to an
    > application, a *.so or a *.lib.
    >

    When an application links to fipscanister.o it must include an embedded
    signature in order to perform the mandatory integrity checks. The actual value
    of the signature depends on how the fipscanister.o object module is linked and
    so must be computed on a per-application basis. That, among other things, is
    the purpose of the fipsld script.

    So for a static link you need to call fipsld to determine and embed the
    signature.

    In the case of a shared library the "application" is the shared library itself
    and the fipsld linking has been performed by the build process.

    Steve.
    --
    Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
    OpenSSL project core developer and freelance consultant.
    Homepage: http://www.drh-consultancy.demon.co.uk
    ______________________________________________________________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org
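The two link paths Steve describes, written out as a Makefile. This is an added illustration, not build code from the thread or from the OpenSSL project; the install prefixes (/usr/local/ssl/fips-1.0 for the FIPS module, /usr/local/ssl for the 0.9.8-fips build), the program name app.c and the target names are assumptions. FIPSLD_CC and FIPSLIBDIR are the variables the FIPS User Guide documents for fipsld; check them against your copy of the guide.

```makefile
# Added example: one Makefile showing both ways of binding an application
# to fipscanister.o. All paths below are assumptions; adjust to your install.
CC         = gcc
FIPSDIR    = /usr/local/ssl/fips-1.0       # assumed FIPS module install prefix
OPENSSLDIR = /usr/local/ssl                # assumed 0.9.8-fips install prefix
FIPSLD     = $(FIPSDIR)/bin/fipsld         # assumed location of the fipsld script
CFLAGS     = -I$(OPENSSLDIR)/include

all: app_static app_shared

# Ordinary compile step; the FIPS-specific part is only the final link.
app.o: app.c
	$(CC) $(CFLAGS) -c -o $@ app.c

# Static link: fipscanister.o is NOT inside libcrypto.a, so the last link step
# goes through fipsld instead of the compiler. fipsld compiles fips_premain.c,
# links fipscanister.o into the executable, then computes the integrity digest
# of the finished binary and embeds it. The digest is therefore per-executable:
# relinking app_static without fipsld would leave a stale signature and the
# integrity check at FIPS_mode_set(1) would fail.
app_static: app.o
	FIPSLD_CC=$(CC) FIPSLIBDIR=$(FIPSDIR)/lib \
	$(FIPSLD) -o $@ app.o $(OPENSSLDIR)/lib/libcrypto.a -ldl

# Dynamic link: the fips-capable libcrypto.so already contains fipscanister.o,
# and fipsld was run over the shared library when it was built, so the "application"
# whose signature was computed is libcrypto.so itself. The program is linked
# against it like any other shared library; no fipsld, no fips_premain.c here.
app_shared: app.o
	$(CC) -o $@ app.o -L$(OPENSSLDIR)/lib -lcrypto

clean:
	rm -f app.o app_static app_shared
```

In both cases app.c itself still has to call FIPS_mode_set(1) at start-up and check its return value; that call is where the embedded digest is verified and the power-on self-tests run, and a zero return means the process is not in FIPS mode regardless of how it was linked.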


  2. FIPS 1.2

    Hello list,

    I am unsure how OpenSSL FIPS 1.2 can be deployed. I read that it can be linked
    statically but also loaded dynamically, but I also read that it can only be linked
    statically (as with FIPS 1.1.2).

    1) Can it be linked dynamically?

    2) If I would like to link it dynamically when/where do I link the fipscanister.o?

    3) Can it only be linked to binaries or is it possible to link it
    (static/dynamic) to a static lib (*.a) or to a shared object (*.so)? How/where
    do I incorporate fips_premain.c?

    4) DH-Key-Exchange: I read that it is not certified but not disabled. Is it
    compliant to use it or not? Why is it handled in this special way?

    5) I have the UserGuide1.2 from February 2008, but it is only a draft. Is there a
    newer one?

    Thanks
    Jan



  3. Re: FIPS 1.2

    Hello Stephen,

    thanks for your very quick reply.

    >> 1) Can it be linked dynamically?
    >>
    > Yes it can.
    >
    >> 2) If I would like to link it dynamically when/where do I link the
    >> fipscanister.o?
    >>
    > You build and install fipscanister.o from the FIPS 1.2 test source.
    >
    > Then obtain the 0.9.8-fips source with shared build options. This will create
    > libcrypto with fipscanister.o included and linked in the correct manner.
    >
    > At an application level you just need to link against the OpenSSL shared
    > libraries.

    Let's see if I understood it correctly:

    1) If I want to link dynamically, fipscanister.o is already linked into
    the shared object, and for static linking fipscanister.o must additionally
    be linked with the fipsld script, because it is not included in
    libcrypto.a.

    2) If I link it statically, there is no difference between linking to an
    application, a *.so or a *.lib.

    Are my assumptions correct?

    Do you also know about the special handling of the DH-Key-Exchange algorithm?

    Bye
    Jan

