Carlo Milono wrote:
How curious that this topic would come up today as I had a discussion on
it just two days earlier. The OpenSSL FIPS 140-2 Security Policy Version 1.1.2 states:
"The FIPS Object Module is not a static library. It may be incorporated
into shared library files or runtime executable application files, but
in any event can only be incorporated intact and in its entirety."

This was leading me to believe that we could use this in a shared
library mode; perhaps we need to understand the boundaries of what may
be included in a shared library?

How can we interpret the above quote?

The FIPS Object Module is just that, an object module (fipscanister.o). For v1.1.x it may or may not consist of position independent code, depending on the platform. If it does consist of position independent code then you can incorporate it into a shared library just like any other object module, subject of course to the "fipsld" linking to set the in-core hash.

If it isn't position independent, then you're out of luck as the Security Policy rules don't allow you to modify the build-time parameters.

For v1.2 the FIPS Object Module is always generated as position independent code. The corresponding "FIPS capable" OpenSSL distributions ("fips" option) will automatically include it in the libcrypto shared library.

-Steve M.

--
Steve Marquess
Open Source Software Institute
[EMAIL PROTECTED]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
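Added example, not from this thread or from the OpenSSL FIPS distribution: a small POSIX shell script that checks whether an object module such as fipscanister.o is position independent before anyone tries to fold it into a shared library. It inspects the object's relocations with readelf and then asks the linker directly by building a throwaway shared object from it. Assumptions: GNU binutils (readelf) and a C compiler driver named cc on PATH, ELF targets, and a relocation-name table that only covers x86, x86_64 and AArch64. The script says nothing about the fipsld step; the in-core hash still has to be set by fipsld as the Security Policy requires.

```shell
#!/bin/sh
# Added example (not part of the list post or the OpenSSL FIPS module).
# Decide whether an ELF object module, e.g. fipscanister.o, is position
# independent and can be incorporated into a shared library.
# Assumes GNU binutils readelf and a cc driver on PATH; the relocation names
# below cover x86, x86_64 and AArch64 only.

# List absolute-address relocations found in code and read-only data sections.
# Position independent code references everything PC-relative or via the
# GOT/PLT, so any hit here means the object cannot be relocated at load time.
# Only .text/.rodata are inspected: pointer tables in .data* and DWARF
# .debug_* sections legitimately carry absolute relocations even in PIC.
abs_relocs() {
    readelf -r "$1" 2>/dev/null | awk '
        /^Relocation section/ { sec = $3; gsub(/[^.a-zA-Z0-9_]/, "", sec) }
        sec ~ /^\.rela?\.(text|rodata)(\.|$)/ &&
        $3 ~ /^R_(X86_64_32S?|X86_64_64|386_32|AARCH64_ABS(32|64))$/ {
            print sec ": " $3
        }' | sort -u
}

# Succeed (exit 0) when the object carries no absolute relocations in code.
# This heuristic is exact on x86/x86_64; on AArch64 non-PIC code uses
# PC-relative page addressing and may pass here, so also run links_as_shared.
is_pic_object() {
    [ -f "$1" ] || { echo "is_pic_object: no such file: $1" >&2; return 2; }
    [ -z "$(abs_relocs "$1")" ]
}

# The decisive check: ask the linker. GNU ld refuses to build a shared object
# from non-PIC x86_64 input; on targets that allow it, the result carries a
# TEXTREL dynamic tag, which is treated as failure as well.
links_as_shared() {
    obj=$1
    so=$(mktemp "${TMPDIR:-/tmp}/pictest.XXXXXX")
    if cc -shared -o "$so" "$obj" 2>/dev/null &&
       ! readelf -d "$so" 2>/dev/null | grep -q TEXTREL; then
        rm -f "$so"
        return 0
    fi
    rm -f "$so"
    return 1
}

# Report on every object module named on the command line, e.g.
#   sh pictest.sh fipscanister.o
for obj in "$@"; do
    if is_pic_object "$obj"; then
        echo "$obj: no absolute relocations in code (position independent)"
    else
        echo "$obj: absolute relocations present:"
        abs_relocs "$obj" | sed 's/^/    /'
    fi
    if links_as_shared "$obj"; then
        echo "$obj: links into a shared object without text relocations"
    else
        echo "$obj: cannot be linked into a shared object cleanly"
    fi
done
```

A module that passes both checks can be linked into a .so like any other object; one that fails either is the "out of luck" case from the reply, because the Security Policy does not permit rebuilding it with different flags.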