On Wed, Jul 09, 2008, Jan F. Schnellbaecher wrote:

> Hello Stephen,
>
> thanks for your very quick reply.
>
>>> 1) Can it be linked dynamically?
>>>
>> Yes it can.
>>> 2) If I would like to link it dynamically when/where do I link the
>>> fipscanister.o?
>>>
>> You build and install fipscanister.o from the FIPS 1.2 test source.
>> Then obtain the 0.9.8-fips source with shared build options. This will
>> create libcrypto with fipscanister.o included and linked in the correct
>> manner. At an application level you just need to link against the
>> OpenSSL shared libraries.
>
> Let's see if I understood it correctly:
>
> 1) If I want to link it dynamically the fipscanister.o is already linked
> into the shared object and for static linking the fipscanister.o must be
> linked additionally with the fipsld script, because it is not included into
> the libcrypto.a.
>
> 2) If I would link it static there is no difference between linking to an
> application, a *.so or a *.lib.
>

When an application links to fipscanister.o it must include an embedded
signature in order to perform the mandatory integrity checks. The actual
value of the signature depends on how the fipscanister.o object module is
linked and so must be performed on a per-application basis. That, among
other things, is the purpose of the fipsld script.

So for a static link you need to call fipsld to determine and embed the
signature. In the case of a shared library the "application" is the shared
library itself and the fipsld linking has been performed by the build
process.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
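
An added illustration of the point in the reply above, not code from the original message or from the OpenSSL project: a simplified Python model of why the embedded signature has to be computed once per link. The key, the module bytes, the relocation layout and the use of HMAC-SHA1 are assumptions made for the model; the real step is performed by fipsld.

```python
import hashlib
import hmac
import struct

# Constructed stand-ins: not the real module key, object code or file layout.
HMAC_KEY = b"constructed-demo-key"
SIG_LEN = hashlib.sha1().digest_size       # 20-byte slot for the embedded signature
CANISTER = b"\x55\x48\x89\xe5" + b"\x00" * 8 + b"\xc3"  # code with one 8-byte relocation
RELOC_OFFSET = 4


def link(base_address: int) -> bytearray:
    """Model the linker: place the module at base_address and patch its relocation.
    Returns the linked image with an empty (zeroed) signature slot appended."""
    image = bytearray(CANISTER)
    struct.pack_into("<Q", image, RELOC_OFFSET, base_address + 0x40)
    return image + bytearray(SIG_LEN)


def fingerprint(image: bytes) -> bytes:
    """HMAC over the linked module bytes, excluding the signature slot itself."""
    return hmac.new(HMAC_KEY, bytes(image[:-SIG_LEN]), hashlib.sha1).digest()


def embed_signature(image: bytearray) -> bytearray:
    """Post-link step: compute the fingerprint of this link and store it in the image."""
    image[-SIG_LEN:] = fingerprint(image)
    return image


def integrity_check(image: bytes) -> bool:
    """Startup check: recompute the fingerprint and compare with the embedded value."""
    return hmac.compare_digest(fingerprint(image), bytes(image[-SIG_LEN:]))


if __name__ == "__main__":
    app_a = embed_signature(link(0x400000))    # statically linked application A
    app_b = link(0x7F0000)                     # application B, linked differently
    print("A passes:", integrity_check(app_a))
    app_b[-SIG_LEN:] = app_a[-SIG_LEN:]        # reuse A's signature in B
    print("B with A's signature passes:", integrity_check(app_b))
    print("B after its own signing step passes:", integrity_check(embed_signature(app_b)))
```

In the model a shared library is just one more linked image: it is signed once when it is built, and every application that loads it runs the check against that same image.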