[openssl-users] new FIPS module
Jakob Bohm
jb-openssl at wisemo.com
Tue Sep 27 14:35:19 UTC 2016
On 27/09/2016 15:41, Steve Marquess wrote:
> As always, if you don't care about FIPS 140 then count yourself lucky
> and move on.
>
> Work on the new FIPS module has so far taken a backseat to higher
> priority topics like the 1.1 release and security vulnerabilities, but
> we should start to make some progress soon. I've put together a rough
> wiki page outlining some goals for the new FIPS module:
>
> https://wiki.openssl.org/index.php/FIPS_module_3.0
>
> Within the very tight constraints of schedule, resources, and what is
> permitted by FIPS 140, we want this FIPS module to be as widely useful
> as possible.
>
> If we've omitted anything of vital importance please speak up.
Here's one practical thing (as a suggestion):
- To ensure compatibility with platform ASLR, build the FIPS cannister
as completely position independent code with no relocations whenever
platforms allow. This probably requires that the FIPS cannister
makes all calls to outside libraries as callbacks to function pointers
supplied during module init, or at least via a function table that is
outside the hashed FIPS cannister.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
More information about the openssl-users
mailing list