On 01/04/2013 11:36 AM, Jeffrey Walton wrote:
> ...
> OK. So here is the point of confusion for me. "2.5 Relationship to the
> OpenSSL API", page 19 of the User Guide:
>
>   "Applications linked with the FIPS Object Module
>   and with the separate OpenSSL libraries can use
>   both the FIPS validated cryptographic functions of
>   the FIPS Object Module and the high level functions
>   of OpenSSL."
>
> The FIPS Object Module is embodied in fipscanister.o. After building
> and installing the Canister, there is no libcrypto.a.

Libcrypto comes from OpenSSL which is a separate software product.

OpenSSL FIPS Object Module != OpenSSL

The FIPS module is distributed as openssl-fips-2.0.N.tar.gz. OpenSSL is
distributed as openssl-1.0.Nx.tar.gz. Separate source distributions,
separate products.

When you build OpenSSL with the "fips" build time option you end up with
what we call a "FIPS capable" OpenSSL, meaning libraries that behave as
always by default but which contain embedded within them the FIPS
module. FIPS mode can be optionally enabled at runtime.

Note the FIPS module itself, as is true in general for Level 1 software
validations, is not a full featured application library. It contains
only the cryptographic implementations relevant to FIPS 140-2. With
very rare exceptions the application developer will not use the FIPS
module directly, and will instead utilize the "FIPS capable" OpenSSL.

Note that if you have a well behaved application that currently uses
OpenSSL, you can replace that OpenSSL instance with a "FIPS capable" one
and the application will continue to work as before. Add a
"FIPS_mode_set()" call to that application, or use OPENSSL_config() with
appropriate openssl.cnf parameters, and that application is now running
in FIPS mode, with no or minimal source code changes.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
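
Added example, not part of the original message: an openssl.cnf fragment of the kind the reply refers to, for the case where the application calls OPENSSL_config(). It assumes a "FIPS capable" OpenSSL 1.0.x build; the section names openssl_init and evp_settings are arbitrary labels chosen for this example.

```ini
# openssl.cnf fragment for a "FIPS capable" OpenSSL 1.0.x build
# (constructed example; section names are arbitrary labels).
#
# This assignment must sit in the default (unnamed) section,
# i.e. before the first [section] header in the file.
openssl_conf = openssl_init

[openssl_init]
# alg_section is the EVP configuration module; its value names
# the section that holds the module's commands.
alg_section = evp_settings

[evp_settings]
# Ask the library to enter FIPS mode when the configuration is loaded.
fips_mode = yes
```

Whichever route is used, the application can confirm the result at runtime by checking that FIPS_mode() returns nonzero, rather than assuming the configuration file was found and applied.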