Is the use of OpenSSL an actual legal requirement of the certification of
the FIPS object module, or just the easiest way to use it?
Difference would be particularly significant in case someone created code
to use the validated FOM 2.0 module with the OpenSSL 1.1.x feature
enhancements (as the project itself has indicated no desire to do so).
On 04/07/2019 04:09, Kyle Hamilton wrote:
Also, on question b: No. You need to build a compatible version of openssl as specified in the User Guide, and link that version. FIPS_mode_set() tells the library to always and only use the implementations in the FIPS canister; the canister does not replace the library entirely.
-Kyle H
On Wed, Jul 3, 2019, 11:55 Dipak B <deepak.redmi2@xxxxxxxxx <mailto:deepak.redmi2@xxxxxxxxx>> wrote:
Dear Experts,
Can you please help me with the following question?
My win32 desktop application uses 'libcurl' to interact with web
service, in order to get my application FIPS 140-2 certified,
following is the plan which I arrived at after going through the
'User Guide' and 'Security Policy' pdfs.
Plan:
a. After verifying HMAC-SHA1 of openssl-fips-2.0.16.tar.gz, build
it to generate fipscanister.lib (FOM) as windows static library.
b. Build libcurl as windows static library using above
fipscanister.lib
c. Link my desktop application with above libcurl.lib after adding
FIPS_mode_set()
Questions:
a. On following points a, b,c, can I confirm that my application
is FIPS 140-2 certified?
b. fipscanister.lib is always static library and it can be
substituted for libssl.lib / ssleay.lib?
