The OpenSSL crypto backend can be a FIPS 140-2 capable library,
cf. the OpenSSL FIPS 140 documents SecurityPolicy and UserGuide.

Please read the OpenSSL FIPS 140 documents about how to get
a FIPS Capable OpenSSL library.

Reread the OpenSSL FIPS 140 documents as they are hard to apply.

Note the following is for Unix/Linux.

Now I suppose you have a >= 1.0.1e capable static library (a
dynamic library is far easier but always possible and often
dubious from a security point of view... BTW if you have built
a FIPS Capable OpenSSL library you should not be afraid of

Do not forget to compile OpenSSL with position independent code
(aka PIC) as the libsofthsm.so requires it. The FIPS module
canister is already compiled this way.

A usual issue is the C++ compiler not compiling .c files as C code.
A simple test can show this: put this code in a foo.c file:

    foo() { char *x = "ab"; }

and compile with the C and C++ compilers with all warnings:
the C++ compiler should raise an extra warning or error about
the missing type for foo() and/or for the char* string constant.

When this raises some errors in the fipsld script, you have to
insert '-x c' and '-x none' before and after each .c file
in the C++ commands, for instance using this wrapper:

-------------------------------- cut here --------------------------------
    *.c) commands+=" -x c $elem -x none";;
    *) commands+=" $elem";;
-------------------------------- end --------------------------------

In any case you have to set CC and CXX to fipsld.