  • I have built a FIPS-capable OpenSSL library.
  • OpenSSL version 1.0.2t and FIPS Object Module 2.0.16.
  • I was reading the user guide for the FIPS Object Module, which said that the last step in building a program with FIPS-capable OpenSSL is to use fipsld to link my program with OpenSSL rather than gcc/ld, as it computes the SHA1 sum of fipscanister.o using fipsprelim.c.
  • After this I need to call FIPS_mode_set(1), which enables FIPS mode.
  • This works if I am generating an executable. But in my project we provide a static library to our customers and we resolve all dependencies at our end, so we unpack libcrypto.a using `ar x libcrypto.a` and add all the OpenSSL object files to our static library libapi.a.
  • There is one class (API_DigitalSignature.cpp) which is built as a wrapper around the OpenSSL API for digital signatures.

Now the problem is that I am confused about how I should use fipsld in my project, because I am not generating a program but rather just an archive.

Also, I clarified with some security people that unpacking libcrypto.a doesn't affect FIPS validation unless we change any ciphers.

Dinesh Gowda
  • Yes, but that static lib is to be linked into an *ELF* (otherwise it would simply be pointless), and there *fipsld* comes into play. Same as in the *openssl* (the executable) case. – CristiFati Jan 02 '20 at 01:25

1 Answer


The following worked for me on macOS:

FIPSLD_CC=gcc /usr/local/ssl/fips-2.0/bin/fipsld -o fips_hmac fips_hmac.c /usr/local/lib/libcrypto.a

Linux (Ubuntu):

FIPSLD_CC=gcc /usr/local/ssl/fips-2.0/bin/fipsld -o fips_hmac fips_hmac.c /usr/local/ssl/lib/libcrypto.a -I/usr/local/ssl/include -ldl

Here, fips_hmac.c is a simple C program I wrote to test FIPS. You should specify paths for fipsld and libcrypto.a that are relevant to your system.

Please note the -ldl flag in the Linux solution.

dimm
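The answer shows fipsld producing an executable directly from a source file; the question is about an archive. The following GNU make fragment is an added example (not code from the question, the answer, or the OpenSSL project) that ties the two together: the OpenSSL objects from libcrypto.a are folded into libapi.a with ordinary `ar` steps, and only the final executable link, done by whoever consumes libapi.a, goes through fipsld, which is the point made in the comment above. The install paths under /usr/local/ssl and /usr/local/ssl/fips-2.0 are taken from the answer; the program name `myprog`, the `main.cpp` that calls FIPS_mode_set(1), and the use of FIPSLIBDIR are assumptions for the example.

```makefile
# Added example: building libapi.a from OpenSSL objects, then linking a
# consumer program through fipsld. Paths follow the answer above and are
# assumptions; "myprog" and "main.cpp" are hypothetical.

FIPSDIR  := /usr/local/ssl/fips-2.0
OPENSSL  := /usr/local/ssl
FIPSLD   := $(FIPSDIR)/bin/fipsld
CC       := gcc
CXX      := g++

CPPFLAGS := -I$(OPENSSL)/include -DOPENSSL_FIPS
# -ldl is needed on Linux (noted in the answer); -lstdc++ because the
# wrapper class is C++ while fipsld is driven with a C compiler here.
LDLIBS   := -ldl -lpthread -lstdc++

.PHONY: all clean
all: myprog

# Step 1: the wrapper class and the archive. No fipsld here: the HMAC that
# fipsld embeds is computed when an executable is linked, not when an
# archive is created, so unpacking libcrypto.a into libapi.a is a plain
# ar operation.
API_DigitalSignature.o: API_DigitalSignature.cpp
	$(CXX) $(CPPFLAGS) -c -o $@ $<

libapi.a: API_DigitalSignature.o $(OPENSSL)/lib/libcrypto.a
	rm -rf crypto_objs && mkdir crypto_objs
	cd crypto_objs && ar x $(OPENSSL)/lib/libcrypto.a
	ar rcs $@ API_DigitalSignature.o crypto_objs/*.o

# Step 2: the consumer's final link. fipsld is invoked in place of the
# compiler driver with the same arguments; FIPSLD_CC names the compiler it
# should call, and FIPSLIBDIR is where it looks for fipscanister.o and
# fips_premain.c (defaults to the module's lib directory; set explicitly
# here as an assumption). main.cpp is assumed to call FIPS_mode_set(1).
main.o: main.cpp
	$(CXX) $(CPPFLAGS) -c -o $@ $<

myprog: main.o libapi.a
	FIPSLD_CC=$(CC) FIPSLIBDIR=$(FIPSDIR)/lib \
	$(FIPSLD) $(CPPFLAGS) -o $@ main.o libapi.a $(LDLIBS)

clean:
	rm -rf crypto_objs *.o libapi.a myprog
```

The check a practitioner wants after `make myprog` is at runtime: FIPS_mode_set(1) returns nonzero on success and 0 on failure, so the program should test its return value and report ERR_get_error() when it is 0. Linking `myprog` with plain g++ instead of fipsld produces a binary in which the embedded HMAC of fipscanister.o is missing, and FIPS_mode_set(1) then fails at startup, which is the observable difference between the two link steps.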