libcrypto.a and FIPs module in OpenSSL 3.0

Matt Caswell matt at openssl.org
Fri Mar 26 11:01:35 UTC 2021



On 26/03/2021 10:47, Bala Duvvuri via openssl-users wrote:
> Hi All,
> 
> We build the "crypto" code in OpenSSL to generate "libcrypto.a" for MIPs platform.
> 
> Our application links statically with "libcrypto.a" and uses the OpenSSL crypto API's accordingly.
> 
> With this compilation model, will it be feasible to integrate with the FIPs object module in OpenSSL 3.0?
> 
> How can we load the FIPS provider in our application?
> 
> (I have gone through the section about the FIPs module installation in https://wiki.openssl.org/index.php/OpenSSL_3.0#Platforms)
> 
> Any insight will be helpful to me.

It is still possible to use the 3.0 FIPS module even if you use static 
linking to link to libcrypto. However the FIPS module itself is always a 
dynamically loaded shared object (i.e. a .so file).

So, you statically link your application to libcrypto.a. When needed 
(either as a result of config, or an explicit call to 
OSSL_PROVIDER_load()), then the FIPS module fips.so file will be 
dynamically loaded at runtime by libcrypto. How libcrypto is linked to 
the application does not impact its ability to dynamically load the FIPS 
module at runtime.

Matt


More information about the openssl-users mailing list