On 27/09/2016 15:41, Steve Marquess wrote: > As always, if you don't care about FIPS 140 then count yourself lucky > and move on. > > Work on the new FIPS module has so far taken a backseat to higher > priority topics like the 1.1 release and security vulnerabilities, but > we should start to make some progress soon. I've put together a rough > wiki page outlining some goals for the new FIPS module: > > https://wiki.openssl.org/index.php/FIPS_module_3.0 > > Within the very tight constraints of schedule, resources, and what is > permitted by FIPS 140, we want this FIPS module to be as widely useful > as possible. > > If we've omitted anything of vital importance please speak up. Here's one practical thing (as a suggestion): - To ensure compatibility with platform ASLR, build the FIPS cannister as completely position independent code with no relocations whenever platforms allow. This probably requires that the FIPS cannister makes all calls to outside libraries as callbacks to function pointers supplied during module init, or at least via a function table that is outside the hashed FIPS cannister. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded