On Fri, Jan 4, 2013 at 11:21 AM, Jeffrey Walton <[email protected]> wrote:
> On Fri, Jan 4, 2013 at 10:56 AM, Steve Marquess
> <[email protected]> wrote:
>> On 01/04/2013 03:45 AM, Jeffrey Walton wrote:
>>>
>>> ....
>>>
>> Either the libcrypto.a is from a "FIPS
>> capable" OpenSSL build, in which case it *contains* fipscanister.o, or
>> it isn't in which case you shouldn't be trying to reference
>> fipscanister.o at all.
> Oh, I was not aware of that. I will have to go back through the User
> Guide and see where I went wrong. Or is final application linking
> covered in the Security Policy?
OK. So here is the point of confusion for me. "2.5 Relationship to the
OpenSSL API", page 19 of the User Guide:
"Applications linked with the FIPS Object Module
and with the separate OpenSSL libraries can use
both the FIPS validated cryptographic functions of
the FIPS Object Module and the high level functions
of OpenSSL."
The FIPS Object Module is embodied in fipscanister.o. After building
and installing the Canister, there is no libcrypto.a. Hence, to create
an application with validated cryptography (i.e., use the FIPS Object
Module), I must link against fipscanister.o.
I link to libcrypto.a afterwards out of habit, and to ensure I do not
have link errors due to missing symbols. I presumed the OpenSSL
library (capable or not) had situational awareness and would just do
the right thing.
The above made sense to me because, with the Capable library: (1) the
application can use validated crypto if FIPS_mode_set returned
success; or (2) the application can be operated in non-validated
mode (i.e., fallback to vanilla libcrypto.a). From the outside, I
don't care how OpenSSL does it since it's a black box.
For completeness, I never build FIPS Capable OpenSSL for Linux or
Windows. On Windows, I use CAPI or Crypto++ or Certicom. For Linux, I
have never had a need. It's always mobile, and it's always a cross
environment. I don't recall thoroughly reading 5.3.1 or 5.3.2 since I
have no need and my linking always worked (building is much more
difficult).
Jeff
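An added example (not from this thread or the OpenSSL project) that encodes Steve's rule as a build-time check: a libcrypto.a from a FIPS-capable build already contains fipscanister.o, so fipscanister.o must never be put on the same link line as libcrypto, and a plain libcrypto.a has no FIPS entry points at all. The symbol name checked (FIPS_mode_set) is the one the thread discusses; the sample `nm` lines are constructed.

```sh
#!/bin/sh
# Classify a static libcrypto from its symbol table.  Input on stdin is the
# output of `nm libcrypto.a`.  Prints "capable" when the archive itself
# defines FIPS_mode_set (the entry point fipscanister.o provides), and
# "plain" for a vanilla build that has no FIPS symbols.
classify_libcrypto() {
    if grep -q '[[:space:]]T[[:space:]]_\{0,1\}FIPS_mode_set$'; then
        echo capable
    else
        echo plain
    fi
}

# Check a proposed link line ($1) against the classification ($2).
# The only rule enforced is the one from the thread: fipscanister.o and a
# libcrypto (static archive or -lcrypto) must not appear together, whether
# the libcrypto is FIPS capable (duplicate module) or plain (no FIPS at all).
# Prints a verdict and returns 0 when the line is consistent, 1 otherwise.
check_link_line() {
    line=$1; kind=$2
    has_canister=no; has_libcrypto=no
    case "$line" in *fipscanister.o*) has_canister=yes ;; esac
    case "$line" in *libcrypto*|*-lcrypto*) has_libcrypto=yes ;; esac

    if [ "$has_canister" = yes ] && [ "$has_libcrypto" = yes ]; then
        echo "error: fipscanister.o linked next to a $kind libcrypto"
        return 1
    fi
    if [ "$has_libcrypto" = yes ] && [ "$kind" = capable ]; then
        echo "ok: capable libcrypto carries the FIPS module;" \
             "check the return value of FIPS_mode_set(1) at run time"
    elif [ "$has_libcrypto" = yes ]; then
        echo "ok: plain libcrypto, non-validated crypto only"
    else
        echo "ok: no libcrypto on the link line"
    fi
    return 0
}

# Usage with constructed `nm` output:
#   nm libcrypto.a | classify_libcrypto
#   check_link_line "cc app.o -L/usr/local/ssl/lib -lcrypto -ldl" capable
```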
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]