1

I am using OpenSSL 1.0.2t with FIPS Object Module 2.0.16. I have taken the source code and complied both and I have libcrypto.a and libssl.a generated. In my use case I need libcrypto.a. I have a project which generates libapi.a and it will be given to the customers. libapi.a depends on some Boost libraries; what we do is, we get boost objects using ar x libboost_somelib.a and we add those objects into libapi.a.

  1. I need to link libcrypto.a also to libapi.a should I do the same thing? Use ar x libcrypto.a and add all the object files to libapi.a?
  2. Am I violating any FIPS compliance rules here?
Jonathan Leffler
  • 730,956
  • 141
  • 904
  • 1,278
Dinesh Gowda
  • 1,044
  • 3
  • 13
  • 29
  • The rules for FIPS compliance are extremely strict. Any change invalidates the FIPS compliance, officially. That would probably include repackaging the FIPS-compliant library in the way you propose (whether it makes sense or not technically). – Jonathan Leffler Sep 18 '19 at 17:46
  • So how can I link a static library of openssl Libcryto.a to my projects Libapi.a? – Dinesh Gowda Sep 18 '19 at 19:36
  • As I understand it, you’d provide two libraries and instruct your users to link with both. Other people may have different views. Have you checked the OpenSSL site to see whether it gives guidance? – Jonathan Leffler Sep 18 '19 at 20:07

0 Answers0