On 02/01/2013 03:19 AM, Santhosh Kokala wrote:
> Linking the FIPS capable libraries to our code is proving to be a real pain
> in the butt. ...
> 2) Does fipsld have to be used or could I, within the spirit of the security
> policy, make my own fipsld of sorts that compiles fipspre_main.c with gcc
> and links with g++?

There is no absolute mandate to use the original fipsld script for
linking the application executable (as opposed to the creation of
fipscanister.o where no creativity is tolerated). Just be sure you
maintain the "chain of trust" by verifying the intermediate digests as
discussed in the Security Policy and User Guide (in essence that amounts
to checking the *.sha1 digests for fipscanister.o and fips_premain.o).

> 3) Am I better off compiling the FIPS capable libraries as shared and
> re-working our code to work with those?

In general, yes. You've already encountered the arguments for doing so.

Note that most FIPS 140-2 validated software products don't support
static linking, but here you're still better off in almost every
circumstance doing that static link one time to a shared library
(libcrypto) and then subsequently referencing that shared library from
your applications.

Omitting openssl-dev as you cross-posted. This was a user list question.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
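As an added illustration (not code from this thread and not the OpenSSL project's fipsld), the following POSIX sh sketch does the link step the questioner proposes, compiling fips_premain.c with gcc and linking with g++, with the digest check the reply describes placed in front of it. It assumes sha1sum-style digest files so it runs offline (a real FIPS build would substitute the module's own digest tool via DIGEST_CMD), assumes the sidecar files fipscanister.o.sha1 and fips_premain.o.sha1 exist beside the objects, and the gcc/g++ invocation in fips_link is illustrative. It covers only the digest verification, not the other steps fipsld performs.

```shell
#!/bin/sh
# Added example; not from the mailing-list post or the OpenSSL project.
# Performs the "chain of trust" check described in the reply: before the
# application link, each intermediate object must match its shipped *.sha1
# digest file. Assumptions: DIGEST_CMD prints a 40-hex-digit SHA-1 somewhere
# in its output (sha1sum by default; a real FIPS build would substitute the
# module's own digest tool), and each checked file has a sidecar <file>.sha1.
set -u
DIGEST_CMD="${DIGEST_CMD:-sha1sum}"

# First 40-hex-digit token of a string, lowercased; empty if there is none.
hex40() {
    printf '%s\n' "$1" | grep -oE '[0-9a-fA-F]{40}' | head -n 1 | tr 'A-F' 'a-f'
}

# Current digest of a file, as computed by DIGEST_CMD.
digest_of() {
    hex40 "$("$DIGEST_CMD" "$1")"
}

# Return 0 when <file>.sha1 exists and its digest matches <file>'s current digest.
check_digest() {
    _f="$1"
    _ref="$_f.sha1"
    [ -f "$_f" ]   || { echo "check_digest: missing object $_f" >&2; return 1; }
    [ -f "$_ref" ] || { echo "check_digest: missing digest file $_ref" >&2; return 1; }
    _want=$(hex40 "$(cat "$_ref")")
    _have=$(digest_of "$_f")
    [ -n "$_want" ] && [ "$_want" = "$_have" ] && return 0
    echo "check_digest: digest mismatch for $_f (have $_have, want $_want)" >&2
    return 1
}

# Verify every file given; stop at the first failure so nothing gets linked.
verify_chain() {
    for _obj in "$@"; do
        check_digest "$_obj" || return 1
    done
    return 0
}

# The split proposed in the question: compile fips_premain.c with gcc, verify
# the intermediates, then link with g++. Assumed arguments: $1 = fipscanister.o,
# $2 = fips_premain.c, $3 = output binary, remaining = application objects/flags.
fips_link() {
    _canister="$1"; _premain_c="$2"; _out="$3"; shift 3
    _premain_o="${_premain_c%.c}.o"
    gcc -c -o "$_premain_o" "$_premain_c" || return 1
    verify_chain "$_canister" "$_premain_o" || return 1
    g++ -o "$_out" "$_premain_o" "$_canister" "$@"
}

# Stand-alone demonstration on constructed data: a fake "object" whose content
# is "abc", whose SHA-1 is the well-known a9993e36...d89d, so no FIPS build is needed.
demo() {
    _d=$(mktemp -d)
    printf 'abc' > "$_d/fipscanister.o"
    printf 'a9993e364706816aba3e25717850c26c9cd0d89d  fipscanister.o\n' > "$_d/fipscanister.o.sha1"
    verify_chain "$_d/fipscanister.o" && echo "demo: intact object accepted"
    printf 'abX' > "$_d/fipscanister.o"          # simulate a modified object
    verify_chain "$_d/fipscanister.o" || echo "demo: modified object rejected"
    rm -rf "$_d"
}
demo
```

In a real build the sidecar digests are produced by the FIPS module's own tool rather than sha1sum, so DIGEST_CMD must be pointed at that tool; hex40 tolerates both "hash  file" and "LABEL(file)= hash" output shapes, since it only looks for the first 40-hex-digit token.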
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org