On 01/04/2013 11:36 AM, Jeffrey Walton wrote:
> ...
> OK. So here is the point of confusion for me. "2.5 Relationship to the
> OpenSSL API", page 19 of the User Guide:
> 
>     "Applications linked with the FIPS Object Module
>     and with the separate OpenSSL libraries can use
>     both the FIPS validated cryptographic functions of
>     the FIPS Object Module and the high level functions
>     of OpenSSL."
> 
> The FIPS Object Module is embodied in fipscanister.o. After building
> and installing the Canister, there is no libcrypto.a.

Libcrypto comes from OpenSSL which is a separate software product.

        OpenSSL FIPS Object Module != OpenSSL

The FIPS module is distributed as openssl-fips-2.0.N.tar.gz. OpenSSL is
distributed as openssl-1.0.Nx.tar.gz. Separate source distributions,
separate products.

When you build OpenSSL with the "fips" build time option you end up with
what we call a "FIPS capable" OpenSSL, meaning libraries that behave as
always by default but which contain embedded within them the FIPS
module. FIPS mode can be optionally enabled at runtime.

Note the FIPS module itself, as is true in general for Level 1 software
validations, is not a full featured application library. It contains
only the cryptographic implementations relevant to FIPS 140-2. With very
rare exceptions the application developer will not use the FIPS module
directly, and will instead utilize the "FIPS capable" OpenSSL.

Note that if you have a well behaved application that currently uses
OpenSSL, you can replace that OpenSSL instance with a "FIPS capable" one
and the application will continue to work as before. Add a
"FIPS_mode_set()" call to that application, or use OPENSSL_config() with
appropriate openssl.cnf parameters, and that application is now running
in FIPS mode, with no or minimal source code changes.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
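An added example (not from the thread) of the "appropriate openssl.cnf parameters" route Steve mentions: with a FIPS capable OpenSSL 1.0.x, a call to OPENSSL_config(NULL) reads the default openssl.cnf and the `fips_mode` key in the algorithm section triggers FIPS_mode_set(1) for you, so the application needs no FIPS-specific source change. The section names below are arbitrary labels chosen here; only `openssl_conf`, `alg_section` and `fips_mode` are fixed keys.

```ini
# Constructed openssl.cnf fragment for a "FIPS capable" OpenSSL 1.0.x.
# OPENSSL_config(NULL) looks for the application name "openssl_conf"
# (the library default) and walks the sections it points to.
openssl_conf = openssl_init

[ openssl_init ]
# "alg_section" is the fixed key the EVP config module registers;
# the value names the section that holds algorithm-level settings.
alg_section = algorithm_settings

[ algorithm_settings ]
# Turns FIPS mode on at config-load time (equivalent to FIPS_mode_set(1)).
# If the embedded FIPS module fails its power-up self tests or the
# integrity check, config loading fails and the error is on the
# OpenSSL error queue; check it with ERR_print_errors_fp() rather than
# assuming FIPS mode is active. Set to "no" to keep the default
# (non-FIPS) behaviour the same libraries exhibit otherwise.
fips_mode = yes
```

A quick sanity check after deployment is to call FIPS_mode() from the application and log its return value, since a config typo silently leaves the process in non-FIPS mode.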
