[openssl-users] new FIPS module

Jakob Bohm jb-openssl at wisemo.com
Tue Sep 27 14:35:19 UTC 2016

On 27/09/2016 15:41, Steve Marquess wrote:
> As always, if you don't care about FIPS 140 then count yourself lucky
> and move on.
> Work on the new FIPS module has so far taken a backseat to higher
> priority topics like the 1.1 release and security vulnerabilities, but
> we should start to make some progress soon. I've put together a rough
> wiki page outlining some goals for the new FIPS module:
>    https://wiki.openssl.org/index.php/FIPS_module_3.0
> Within the very tight constraints of schedule, resources, and what is
> permitted by FIPS 140, we want this FIPS module to be as widely useful
> as possible.
> If we've omitted anything of vital importance please speak up.
Here's one practical thing (as a suggestion):

- To ensure compatibility with platform ASLR, build the FIPS cannister
  as completely position independent code with no relocations whenever
  platforms allow.  This probably requires that the FIPS cannister
  makes all calls to outside libraries as callbacks to function pointers
  supplied during module init, or at least via a function table that is
  outside the hashed FIPS cannister.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list