[openssl-users] FIPS: using libcrypto.so ?

Thomas Francis, Jr. thomas.francis.jr at pobox.com
Wed Aug 3 15:32:13 UTC 2016

> On Aug 2, 2016, at 1:59 PM, jonetsu <jonetsu at teksavvy.com> wrote:
> The current FIPS User Guide mentions:
>  "3.3 Creation of Shared Libraries
>  The FIPS Object Module is not directly usable as a shared
>  library, but it can be linked into an application that is a
>  shared library. A “FIPS compatible” OpenSSL distribution will
>  automatically incorporate an available FIPS Object Module into
>  the libcrypto shared library when built using the fips
>  option (see §4.2.3)."
> Does the first sentence mean that there should be an intermediate, user
> created, .so that itself uses libcrypto.a ?

I think you’re confusing the FIPS Object Module with libcrypto.  You might also be confusing the libcrypto produced from your FIPS build, and the libcrypto produced by a FIPS capable OpenSSL.  The former is what you get when you compile the software found in, e.g., openssl-fips-2.0.11.tar.gz, while the latter is produced when you compile from a regular OpenSSL release (e.g. openssl-1.0.2g.tar.gz).  These are three different things.  The libcrypto from the FIPS build isn’t used in any of your link steps.

The FIPS Object Module may be (and on most systems is) compiled as a shared object (not a .so file, but a shared object).  Because it’s not a library, you can’t simply link it.  Some systems allow shared objects to be accessed via dlopen(), and the warning is to indicate that doing so is inappropriate, even when it’s possible.

Noting that you can link it into a shared executable or library indicates that if you have a shared library or executable that you want to link the FIPS Object Module into, that you may do so.  The usual way to do this is to link libcrypto.a (from a FIPS capable OpenSSL build) and use the fipsld script.  Even if you don’t do it the usual way (e.g. you want to link only the FIPS Object Module), then you may, but you still have to follow all the rules laid out in the security policy (e.g. do everything the fipsld script is doing).  This probably not what one wants to do.  It’s far more likely that one wants to use the FIPS capable OpenSSL shared library directly.  That’s what the second part is about...

> What does the second part mean ?  The FOM will be included in the shared
> library (assuming the libcrypto.so file) ?  If so, then why wouldn't it be
> available directly ?  A clarification in perhaps simpler terms over what
> seems to be an explanation in the User Guide would be much appreciated.

It means that when you create a FIPS capable OpenSSL, if you compiled libcrypto as a shared library, that libcrypto shared library will incorporate the FIPS Object Module, following the security policy.  This means that you can use that shared library as you would any other shared library, and still be able to enable FIPS mode.  This is what most people who want to use a shared library will want to do.

> In practical terms, is it possible for an application to link against a
> libcrypto.so that provides all needed FIPS symbols ?

In general, yes.  In practice, it depends.  Compiling a FIPS capable OpenSSL might not create a shared library on your system.  In that case, you must link libcrypto.a, and use the fipsld script (or equivalent) when you link it.  I think that the vast majority of systems will compile it as a shared library, though, without any intervention on your part.

> If it's not, can you
> give an example overview in which an application already using OpenSSL
> (libcrypto.so) but now supporting FIPS, can still use libcrypto.so with full
> FIPS support ?

Just link against the library produced by the FIPS capable OpenSSL build.  If, for some reason, that only produced libcrypto.a, then you need to investigate why — perhaps you passed “no-shared” when running the config script?

> Is the only answer to now have the application linked
> against libcrypto.a ?
> Thanks !
> --
> View this message in context: http://openssl.6102.n7.nabble.com/FIPS-using-libcrypto-so-tp67694.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

More information about the openssl-users mailing list