blob: 1827a3beec038ab26d9e54f09325bf72b349d6cb (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
|
# FIPS 140-2
The OpenSSL crypto backend can be a FIPS 140-2 capable library,
cf. the OpenSSL FIPS 140 documents SecurityPolicy and UserGuide.
## Introduction
Please read the OpenSSL FIPS 140 documents about to get
a FIPS Capable OpenSSL library.
## Hard points
Reread the OpenSSL FIPS 140 documents as they are hard to apply.
Note the following is for Unix/Linux.
Now I suppose you have a >= 1.0.1e capable static library (a
dynamic library is far easier but always possible and often
dubious from a security point of view... BTW if you have built
a FIPS Capable OpenSSL library you should not be afraid of
extra complexity :-).
Do not forget to compile OpenSSL with position indepent code
(aka PIC) as the libsofthsm.so requires it. The FIPS module
canister is already compiled this way.
A usual issue is the C++ compiler not compiling .c files as C code.
A simple test can show this, put in foo.c file this code:
foo() { char *x = "ab"; }
and compile with the C and C++ compilers with all warnings:
the C++ compiler should raise an extra warning or error about
the no type for foo() and/or for the char* string constant.
When this raises some errors in the fispld script, you have to
insert '-x c' and '-x none' before and after each .c file
in the C++ commands, for instance using this wrapper:
-------------------------------- cut here --------------------------------
#!/bin/sh
commands="g++"
for elem in $@
do
case $elem in
*.c) commands+=" -x c $elem -x none";;
*) commands+=" $elem";;
esac
done
exec $commands
-------------------------------- end --------------------------------
In any cases you have to set CC and CXX to fipsld.
|
