On 08/18/2011 01:18 AM, hao....@emc.com wrote:
> I just built the shared libraries of FIPS capable OpenSSL in Suse
> Linux 32bit with FIPS Object Module v1.2.3. The OpenSSL version is
> 0.9.8n, and the shared libraries generated are libssl.so.0.9.8 and
> libcrypto.so.0.9.8.
>
> I want to link the shared libraries with different modules in one
> application, but not all of the modules are FIPS capable. Is it OK to
> make some of them be FIPS compliant and others not, with the same
> shared libraries?

Assuming each application is a separate process, yes. One such process can choose to enable the FIPS mode of operation (FIPS_mode_set()), and another not, and both can share the same "FIPS capable" shared OpenSSL libraries. Each process maps the shared library writable memory into the per-process private address space.

It was a design goal from the beginning to have a single set of "FIPS capable" OpenSSL libraries suffice for a Linux distribution, with individual applications able to enable FIPS mode or not. There is also a global mechanism, OpenSSL_config()/openssl.cnf, that would permit specification of a default FIPS mode for all applications.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com
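
The process boundary the reply depends on, shown as an added example that is not part of the original message and does not call OpenSSL: `mode_flag`, `stub_mode_set()` and `stub_mode()` are hypothetical stand-ins for a library's writable mode state and for FIPS_mode_set(). Two modules inside one process see the same flag, while a forked process changes only its own private copy.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for the mode flag a "FIPS capable" library keeps
 * in its writable data. Not OpenSSL's real variable or API. */
static int mode_flag = 0;
static void stub_mode_set(int on) { mode_flag = on ? 1 : 0; }
static int stub_mode(void) { return mode_flag; }

/* Two "modules" linked into one process both read the same flag. */
static int module_a_view(void) { return stub_mode(); }
static int module_b_view(void) { return stub_mode(); }

/* One process: module A enables the mode, module B sees it too.
 * Returns 1 if both views agree that the mode is on. */
int same_process_modules_agree(void)
{
    stub_mode_set(1);
    int agree = (module_a_view() == 1 && module_b_view() == 1);
    stub_mode_set(0);               /* restore for later checks */
    return agree;
}

/* Separate process: the child enables the mode in its own private copy
 * of the data and reports it through its exit status (-1 on error). */
int child_mode_after_enable(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        stub_mode_set(1);
        _exit(stub_mode());
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("modules in one process agree: %d\n", same_process_modules_agree());
    printf("child process mode:           %d\n", child_mode_after_enable());
    printf("parent process mode after:    %d\n", stub_mode());
    return 0;
}
```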