On Fri, May 29, 2009, tensy joseph wrote:

> Till now I was believing that all applications should link to the
> libcrypto library at compilation so that it can check the fipscanister.o
> hash value in the library with the previously stored fips.
> 
> As the user guide says
> 
> 
> 1. The HMAC-SHA-1 digest of the FIPS Object Module file must be calculated
> and verified against the installed digest to ensure the integrity of the
> FIPS Object Module.
> 
> *For doing this, library libcrypto.a should be linked at compile time.
> Without linking the application with libcrypto.a, will that make them fips
> capable applications? Please correct me if I am wrong.*
> 
> 2. A HMAC-SHA1 digest of the FIPS Object Module code and read-only data must
> be generated and embedded in the application executable object for use by the
> FIPS_mode_set() function at runtime initialization.
> 
> In our application, we normally do not link with libcrypto.a at compile
> time. We do the dynamic loading. Is it possible to link
> dynamically and have fips capability in the application? From my
> understanding, it is not possible. Please correct me if I am wrong.
> 

That is true but the "application" can be the libcrypto shared library which
has already checked the hash at link time.

For the 1.1.2 module shared library builds weren't possible on most platforms,
with the 1.2 module they are with a few exceptions.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
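
The arrangement described in the reply above, where the shared libcrypto carries the embedded digest and the application only loads it at run time, shown as an added example that is not part of the original thread or OpenSSL's own code. The helper name enable_fips_via_dlopen, the enum and the library name "libcrypto.so" are assumptions; FIPS_mode_set() and ERR_get_error() are the OpenSSL functions.

```c
#include <dlfcn.h>
#include <stdio.h>

/* Outcome of trying to enter FIPS mode through a dynamically loaded libcrypto. */
enum fips_result { FIPS_ON, FIPS_LIB_MISSING, FIPS_NOT_CAPABLE, FIPS_SELFTEST_FAILED };

typedef int (*fips_mode_set_fn)(int);
typedef unsigned long (*err_get_error_fn)(void);

/* Hypothetical helper. lib_name is the shared libcrypto the deployment ships.
 * On older glibc, link the application with -ldl. */
enum fips_result enable_fips_via_dlopen(const char *lib_name, void **handle_out)
{
    void *h = dlopen(lib_name, RTLD_NOW | RTLD_GLOBAL);
    if (h == NULL) {
        fprintf(stderr, "dlopen(%s): %s\n", lib_name, dlerror());
        return FIPS_LIB_MISSING;
    }
    /* A library that does not export FIPS_mode_set cannot be put in FIPS mode this way. */
    fips_mode_set_fn mode_set = (fips_mode_set_fn)dlsym(h, "FIPS_mode_set");
    if (mode_set == NULL) {
        dlclose(h);
        return FIPS_NOT_CAPABLE;
    }
    /* FIPS_mode_set(1) verifies the digest embedded in the loaded library and
     * runs the self-tests; it returns 1 on success. */
    if (mode_set(1) != 1) {
        err_get_error_fn get_err = (err_get_error_fn)dlsym(h, "ERR_get_error");
        fprintf(stderr, "FIPS_mode_set failed, error 0x%lx\n", get_err ? get_err() : 0UL);
        dlclose(h);
        return FIPS_SELFTEST_FAILED;
    }
    if (handle_out != NULL)
        *handle_out = h;   /* caller resolves its crypto calls through this handle */
    return FIPS_ON;
}

int main(void)
{
    void *h = NULL;
    /* Assumed name; real deployments load a versioned soname. */
    enum fips_result r = enable_fips_via_dlopen("libcrypto.so", &h);
    printf("result=%d\n", (int)r);
    return r == FIPS_ON ? 0 : 1;
}
```

Treat every result other than FIPS_ON as fatal for an application that must only run in FIPS mode, instead of falling back to non-FIPS crypto.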
