[openssl-dev] OpenSSL 1.1.0 and FIPS

John Foley foleyj at cisco.com
Mon Feb 22 16:33:01 UTC 2016


One of the challenges with this will be symbol collision (in a Linux 
environment).  I would think that doing this as a static engine would 
not be possible.  The reason is your new engine that's using the 2.0.11 
canister would contain symbols that exist in OpenSSL. But maybe the 
fipssyms.h trickery could be used to get past this.

Doing this as a dynamic engine may be a challenge as well.  Your dynamic 
engine, implemented as a .so, would have symbol overlap as well.  But 
these would be resolved by the loader.  Depending on whether 
libcrypto.so or your .so was loaded first by the loader, the wrong 
implementation for a symbol could be used.


On 02/22/2016 11:01 AM, Wall, Stephen wrote:
> I wonder if I could get the thoughts of some of you developers on how difficult it would be to build an engine for OpenSSL 1.1.0 that makes use of the current (2.0.11?) fipscanister.o.  Also, opinions on if this would be a legitimate way to get FIPS in 1.1.0.
>
> Thanks,
> spw
>
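As an added example, not code from this thread: a small shell check for the overlap the message describes, listing the exported symbols that are defined in both libcrypto.so and an engine .so built around fipscanister.o. The library file names are assumptions and the sample `nm -D` output is constructed for the offline demo.

```sh
#!/bin/sh
# Added example (not from the thread). Every name this prints is defined in
# both objects, so the dynamic loader resolves it by load order: the first
# object mapped wins, which is exactly how the wrong implementation can be
# picked up.  File names below are assumptions.
export LC_ALL=C   # fixed collation so sort(1) and comm(1) agree

# defined_exports: read `nm -D` output on stdin, keep global defined symbols
# (T = code, D/B = data, R = read-only data), print sorted unique names.
# Undefined references (U lines) have no address column and are skipped.
defined_exports() {
    awk '$2 ~ /^[TDBR]$/ { print $3 }' | sort -u
}

# overlap_from_nm: intersect two files that each hold `nm -D` output.
overlap_from_nm() {
    a=$(mktemp); b=$(mktemp)
    defined_exports < "$1" > "$a"
    defined_exports < "$2" > "$b"
    comm -12 "$a" "$b"
    rm -f "$a" "$b"
}

# overlap_syms: the same check run directly on two shared objects, e.g.
#   overlap_syms /usr/lib/libcrypto.so ./libfipsengine.so   (assumed paths)
overlap_syms() {
    x=$(mktemp); y=$(mktemp)
    nm -D "$1" > "$x"
    nm -D "$2" > "$y"
    overlap_from_nm "$x" "$y"
    rm -f "$x" "$y"
}

# demo_overlap: constructed nm -D output standing in for the two libraries.
demo_overlap() {
    c=$(mktemp); e=$(mktemp)
    printf '%s\n' '0000000000042f10 T AES_encrypt' \
        '0000000000043a20 T EVP_DigestInit_ex' \
        '0000000000101230 D OPENSSL_ia32cap_P' \
        '                 U malloc' > "$c"
    printf '%s\n' '0000000000001100 T AES_encrypt' \
        '0000000000001a00 T FIPS_mode_set' \
        '0000000000010000 D OPENSSL_ia32cap_P' \
        '                 U EVP_DigestInit_ex' \
        '0000000000002000 T bind_engine' > "$e"
    overlap_from_nm "$c" "$e"   # prints AES_encrypt and OPENSSL_ia32cap_P
    rm -f "$c" "$e"
}
```

On glibc, running the application with `LD_DEBUG=bindings` then shows which object actually satisfied each of the overlapping names at load time.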