Until now I believed that all applications should link to the
libcrypto library at compilation so that it can check the fipscanister.o
hash value in the library with the previously stored fips.

As the user guide says


1. The HMAC-SHA-1 digest of the FIPS Object Module file must be calculated
and verified against the installed digest to ensure the integrity of the
FIPS Object Module.

*For doing this, library libcrypto.a should be linked at compile time.
Without linking the applications with libcrypto.a, will that make them FIPS
capable applications? Please correct me if I am wrong.*

2. A HMAC-SHA1 digest of the FIPS Object Module code and read-only data must
be generated and embedded in the application executable object for use by the
FIPS_mode_set() function at runtime initialization.

In our application, we normally do not link with libcrypto.a at compile
time. We do the dynamic loading. Is it possible to link
dynamically and have FIPS capability in the application? From my
understanding, it is not possible? Please correct me if I am wrong.

Thanks

Rajan
On Fri, May 29, 2009 at 3:50 PM, Dr. Stephen Henson <st...@openssl.org> wrote:

> On Thu, May 28, 2009, Bob Bell wrote:
>
> >
> > I have a basic question relative to the FIPS openSSL lib and US export
> > control law. As I understand it, in order for the openSSL lib to run as a
> > FIPS certified module, it must be configured to be loaded as a dynamically
> > linked library.
> >
>
> No that isn't correct. You can statically link an application but you need to
> modify the linking procedure to use fipsld or an equivalent.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Homepage: http://www.drh-consultancy.demon.co.uk
>  ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>

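A simplified model of the two integrity checks quoted from the user guide in the message above, added here as an illustration; it is not OpenSSL or fipsld code. The key, the object bytes and the function names (`link_application`, `mode_set`) are constructed for the example, and the whole object stands in for "code and read-only data".

```python
import hashlib
import hmac

# Constructed stand-ins: not the real module key, object file, or digests.
DEMO_KEY = b"constructed-demo-key"
OBJECT_FILE = b"\x7fELF" + b"\x90" * 256 + b"constructed read-only tables"


def hmac_sha1(data: bytes, key: bytes = DEMO_KEY) -> bytes:
    """HMAC-SHA1 digest, the primitive both quoted requirements rely on."""
    return hmac.new(key, data, hashlib.sha1).digest()


def link_application(object_file: bytes, installed_digest: bytes) -> dict:
    """Build time: requirement 1, then requirement 2 from the user guide."""
    # 1. Verify the object module file against the digest installed with it.
    if not hmac.compare_digest(hmac_sha1(object_file), installed_digest):
        raise ValueError("object module file does not match installed digest")
    # 2. Embed a digest of the module in the executable for use at startup
    #    (the executable is modelled as a dict holding both).
    return {
        "module": bytearray(object_file),
        "embedded_digest": hmac_sha1(object_file),
    }


def mode_set(executable: dict) -> bool:
    """Runtime init: recompute over the loaded module, compare to embedded."""
    actual = hmac_sha1(bytes(executable["module"]))
    return hmac.compare_digest(actual, executable["embedded_digest"])


def demo() -> tuple:
    installed = hmac_sha1(OBJECT_FILE)   # digest shipped alongside the module
    exe = link_application(OBJECT_FILE, installed)
    ok_before = mode_set(exe)            # untouched image passes
    exe["module"][10] ^= 0x01            # one bit changed after linking
    ok_after = mode_set(exe)             # modified image is rejected
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```
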