OpenSSL 3.0.0 security concerns using dynamic providers
carl-eric.codere at thalesgroup.com
Tue Sep 1 02:01:57 UTC 2020
We are currently investigating the usage of OpenSSL 3.0.0 on our side, especially for FIPS usage, but it seems that for OpenSSL 3.0.0 the providers, especially the FIPS provider, will be loaded dynamically, my main worry is that this will easily permit some kind of attacks on the cryptographic layer, for example:
1. Replacing the provider by a tampered provider by replacing the shared/dynamic library. This can partially be protected by the caller verifying the hash of the provider before calling it, will OpenSSL 3.0.0 do this, or will need to be done at integrator level?
2. Having the provider entry points made public because they are dynamic will easily permit MITM attack or modification such as through hooking, have you thought of protection mechanisms to protect against this kind of attack?
With FIPS 2.0, from my understanding, it was statically linked, hence these risks would be lessened. Of course it required more work as it required a special linker script to add the hash value and with new NIST requirements, the FIPS mode needed to be enabled by default at premain, but my feeling as that it was more secure.
Thanks for your guidance!
Carl Eric Codere
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the openssl-users