On 27/09/2016 15:41, Steve Marquess wrote:
> As always, if you don't care about FIPS 140 then count yourself lucky
> and move on.
>
> Work on the new FIPS module has so far taken a backseat to higher
> priority topics like the 1.1 release and security vulnerabilities, but
> we should start to make some progress soon. I've put together a rough
> wiki page outlining some goals for the new FIPS module:
>
>    https://wiki.openssl.org/index.php/FIPS_module_3.0
>
> Within the very tight constraints of schedule, resources, and what is
> permitted by FIPS 140, we want this FIPS module to be as widely useful
> as possible.
>
> If we've omitted anything of vital importance please speak up.

Here's one practical thing (as a suggestion):

- To ensure compatibility with platform ASLR, build the FIPS canister
 as completely position independent code with no relocations whenever
 platforms allow.  This probably requires that the FIPS canister
 makes all calls to outside libraries as callbacks to function pointers
 supplied during module init, or at least via a function table that is
 outside the hashed FIPS canister.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
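
The suggestion in the message above, as an added example that is not part of the original message or of OpenSSL's code: a toy C model comparing a hashed module span that contains a load-address-dependent relocation with one that calls out through a function table kept outside the hashed span. The byte layout, the `0x1000` symbol offset, the load bases and the FNV-1a digest (a stand-in for the module's real integrity check) are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { CODE_LEN = 64, SLOT_OFF = 16 };  /* constructed toy module layout */

/* FNV-1a, an assumed stand-in for the module's real integrity digest. */
static uint64_t digest(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++)
        h = (h ^ p[i]) * 0x100000001b3ULL;
    return h;
}

/* Constructed bytes standing in for the module's machine code. */
static void fill_code(uint8_t *code) {
    for (size_t i = 0; i < CODE_LEN; i++)
        code[i] = (uint8_t)(i * 7 + 3);
}

/* Layout A: the loader writes the external function's absolute address
 * into the hashed span (a relocation), so the bytes depend on load_base. */
uint64_t digest_with_relocation(uint64_t load_base) {
    uint8_t code[CODE_LEN];
    uint64_t target = load_base + 0x1000;  /* hypothetical external symbol */
    fill_code(code);
    memcpy(code + SLOT_OFF, &target, sizeof target);
    return digest(code, CODE_LEN);
}

/* Layout B: the hashed span holds only a table index; the address goes
 * into a table outside the span, filled in at module init. */
uint64_t digest_with_table(uint64_t load_base, uint64_t *table) {
    uint8_t code[CODE_LEN];
    fill_code(code);
    code[SLOT_OFF] = 0;             /* index of the table entry */
    table[0] = load_base + 0x1000;  /* not covered by the digest */
    return digest(code, CODE_LEN);
}

int main(void) {
    uint64_t t[2];
    printf("A digests equal: %d\n",
           digest_with_relocation(0x400000) == digest_with_relocation(0x500000));
    printf("B digests equal: %d\n",
           digest_with_table(0x400000, &t[0]) == digest_with_table(0x500000, &t[1]));
    return 0;
}
```

With layout A the digest follows the load address, so a fixed reference digest can only match at one base; with layout B the digest is the same at every base and only the table outside the hashed span changes.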
