Let me first say I have read the User Guide and Security Policy
repeatedly, as well as the Incore Tutorial, looked through this users
group, and read anything else I could find - so I'm not being lazy,
although my questions may be pedestrian... Please correct any
misunderstandings along the way.

I understand that when fipscanister.o is built, its SHA1 digest is
calculated and saved. Then when an application links to
fipscanister.o, fipsld is used, which checks that the SHA1 is correct,
and then calculates the digest for the application and rebuilds it
with that digest embedded. Then, when the application is run and calls
FIPS_mode_set(), the digest is calculated and checked against the
embedded value.

I think that openssl itself is an example of an application built with
the fipscanister.o, is that correct?

When OpenSSL is built, it produces, among other things, the
libcrypto.a static library, which contains what was sequestered in
fipscanister.o. Is that correct?

Now I have a big application to build, and it will have the
FIPS-capable OpenSSL in it. When I do the build, I think the
instructions say that the SHA1 digest has to be re-calculated on this
application, and that value embedded where the previous standalone
value was. Is that correct?

Is my application pulling in the FIPS stuff by linking in the libcrypto.a?

If my application is just too large and complex, do I pretty much need
to go with the shared library, and avoid the part where the digest is
recalculated/re-embedded in the application itself?

Thanks
Kevin
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
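
The build-time embed and run-time check described in the message above, as an added example that is not part of the original post and is not OpenSSL or fipsld code: a simplified Python model of a two-pass link followed by a self-check. It assumes the digest slot is the last 20 bytes of a constructed image; all function names are hypothetical.

```python
import hashlib
import hmac

DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes for SHA-1


def link_first_pass(objects):
    """Pass 1: join the object code and reserve a zeroed digest slot at the end."""
    return b"".join(objects) + bytes(DIGEST_LEN)


def compute_digest(image):
    """SHA-1 over everything except the slot: a digest cannot cover itself."""
    if len(image) < DIGEST_LEN:
        raise ValueError("image too short to hold a digest slot")
    return hashlib.sha1(image[:-DIGEST_LEN]).digest()


def embed_digest(image):
    """Pass 2: write the digest of the linked image into the reserved slot."""
    return image[:-DIGEST_LEN] + compute_digest(image)


def self_check(image):
    """Run-time check: recompute the digest and compare it with the embedded one."""
    embedded = image[-DIGEST_LEN:]
    # compare_digest avoids leaking the mismatch position through timing
    return hmac.compare_digest(embedded, compute_digest(image))


def demo():
    # Constructed sample "object files"; real input would be compiled code.
    objects = [b"<module code>", b"<application code>"]
    unsigned = link_first_pass(objects)   # slot still all zeros
    signed = embed_digest(unsigned)       # slot now holds the digest
    # Any change after the digest is embedded invalidates the check.
    tampered = signed.replace(b"application", b"applicatioN")
    return self_check(unsigned), self_check(signed), self_check(tampered)


if __name__ == "__main__":
    print(demo())
```

In this model, any step that rewrites the covered bytes after the second pass makes the self-check fail, so the digest has to be embedded last.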