The platform is AIX. I have used fipsld to link the application, and the digest was properly embedded in the application executable.
I have written a small program to test this.

    #include <dlfcn.h>
    #include <stdio.h>
    int main(void)
    {
        int (*dlsym_fips_mode_set)(int);
        /* AIX: RTLD_MEMBER loads a shared object that is a member of an archive */
        void *handle = dlopen("/usr/lib/libcrypto.a(libcrypto.so.0.9.8)",
                              RTLD_LAZY | RTLD_MEMBER);
        if (handle == NULL)
            return 1;
        dlsym_fips_mode_set = (int (*)(int))dlsym(handle, "FIPS_mode_set");
        if (dlsym_fips_mode_set != NULL && dlsym_fips_mode_set(1)) {
            printf("in fips mode\n");
        }
        return 0;
    }

I generated the object file for the above program using cc and then used fipsld to generate the executable. It successfully entered FIPS mode.

I have generated a shared library of the FIPS-capable OpenSSL 9.8k, and the fipscanister object module was embedded in the OpenSSL 9.8k shared library.

So I think fipsld is mainly used to embed the digest into the executable by calculating the SHA value of fipscanister.o (which is stored on the user machine), which is compared with fipscanister.o.sha1 (which is stored on the user machine).

I have another doubt: if the application is in FIPS mode, will the cryptographic operations be done by the fipscanister.o stored in libcrypto.a?

Thanks in advance,
Rajan

On Fri, May 29, 2009 at 7:10 PM, Dr. Stephen Henson <st...@openssl.org> wrote:

> On Fri, May 29, 2009, tensy joseph wrote:
>
> > I have gone through the user guide again, and I am a little confused now.
> > This statement confuses me:
> >
> > A HMAC-SHA1 digest of the FIPS Object Module code and read-only data must
> > be generated and embedded in the application executable object for use by
> > the FIPS_mode_set() function at runtime initialization.
> >
> > So if I do a dlopen of the libcrypto library and load FIPS_mode_set
> > dynamically, it will not embed the SHA digest in the application
> > executable. In this scenario, I cannot load the symbol FIPS_mode_set
> > dynamically; it needs to be available at compilation time, and I will
> > need to link to libcrypto.a at compile time.
> >
>
> What platform is that? libcrypto.a is normally a static library,
> libcrypto.so (or various other diverse extensions) is normally the shared
> library.
>
> When you build a FIPS capable version of OpenSSL using a shared library
> build the "application" is the shared library itself and the digest has
> already been embedded by the build procedure. So you just have to link
> (dynamically if you wish) against the shared library in the usual way. If
> the digest wasn't embedded properly FIPS_mode_set(1) would fail.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
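
The behaviour discussed in this thread (FIPS_mode_set(1) fails when the digest was not embedded properly) can be probed against a dynamically loaded libcrypto, with OpenSSL's own error text printed on failure. This is an added example, not code from the thread or from the OpenSSL project; `probe_fips_mode`, the `PROBE_*` names and the default library path are assumptions made for illustration.

```c
/* Added example, not from the thread: probe whether a shared libcrypto
 * passes its FIPS self-check, and print OpenSSL's reason if it does not. */
#include <dlfcn.h>
#include <stdio.h>

enum { PROBE_NO_LIB = -1, PROBE_NO_SYMBOL = -2, PROBE_REFUSED = 0, PROBE_FIPS_ON = 1 };

/* lib_path is an assumption: pass the path of your own FIPS capable build,
 * e.g. the archive-member form used on AIX in the message above. */
int probe_fips_mode(const char *lib_path)
{
    int flags = RTLD_NOW;
#ifdef RTLD_MEMBER            /* AIX: path may name a member inside an archive */
    flags |= RTLD_MEMBER;
#endif
    void *lib = dlopen(lib_path, flags);
    if (lib == NULL) {
        fprintf(stderr, "dlopen(%s): %s\n", lib_path, dlerror());
        return PROBE_NO_LIB;
    }
    int (*mode_set)(int) = (int (*)(int))dlsym(lib, "FIPS_mode_set");
    unsigned long (*get_error)(void) = (unsigned long (*)(void))dlsym(lib, "ERR_get_error");
    void (*error_string_n)(unsigned long, char *, size_t) =
        (void (*)(unsigned long, char *, size_t))dlsym(lib, "ERR_error_string_n");
    void (*load_strings)(void) = (void (*)(void))dlsym(lib, "ERR_load_crypto_strings");
    int result = PROBE_NO_SYMBOL;
    if (mode_set != NULL) {
        if (load_strings != NULL)
            load_strings();       /* readable error text instead of bare codes */
        result = mode_set(1) ? PROBE_FIPS_ON : PROBE_REFUSED;
        if (result == PROBE_REFUSED && get_error && error_string_n) {
            unsigned long code;
            char text[256];
            while ((code = get_error()) != 0) {   /* drain the error queue */
                error_string_n(code, text, sizeof text);
                fprintf(stderr, "FIPS_mode_set(1) failed: %s\n", text);
            }
        }
    }
    dlclose(lib);
    return result;
}

int main(int argc, char **argv)
{
    return probe_fips_mode(argc > 1 ? argv[1] : "libcrypto.so") == PROBE_FIPS_ON ? 0 : 1;
}
```

A `PROBE_REFUSED` result with the drained error queue is the case to investigate: the library loaded and exported FIPS_mode_set, but refused to enter FIPS mode.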