[openssl-users] Incompatibility between OpenSSL 1.0.2 and FIPS 2.0.10

Sebastian Stolzenberg sebastian.stolzenberg at secusmart.de
Wed Nov 4 11:34:22 UTC 2015


Hi,

I am seeing crashes in OpenSSL 1.0.2d when using it with the FIPS 2.0.10
object module.

Apparently the size of
  struct ec_group_st
(in crypto/ec/ec_lcl.h) differs between 1.0.1 and 1.0.2, since 
  BN_MONT_CTX *mont_data; /* data for ECDSA inverse */
has been added to it.

The FIPS module still uses the 1.0.1 version of struct ec_group. That leads
to crashes when ownership is transferred between the FIPS module and
OpenSSL. I.e. when an ec_group object is allocated by the FIPS version of
EC_GROUP_new and then destroyed by the OpenSSL variant of OPENSSL_free.

Am I using the FIPS object module wrongly or is not compatible to OpenSSL
1.0.2 when it comes to EC crytpography?

If 1.0.2 is not supported by FIPS 2.0.10, are there any plans to get
another, compatible version of the FIPS object module validated?

Thanks!
Sebastian



More information about the openssl-users mailing list