Document that FIPS provider cannot be used by multiple libcryptos

author Tomas Mraz <tomas@openssl.org>

Tue, 27 May 2025 09:36:31 +0000 (11:36 +0200)

committer Pauli <ppzgs1@gmail.com>

Thu, 29 May 2025 22:08:19 +0000 (08:08 +1000)
author Tomas Mraz <tomas@openssl.org>
Tue, 27 May 2025 09:36:31 +0000 (11:36 +0200)
committer Pauli <ppzgs1@gmail.com>
Thu, 29 May 2025 22:08:19 +0000 (08:08 +1000)
diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod

index 20d35fada87f532d3e050a55e80e62e68a9d5205..571a1e99e0895fff880d16d6c45c319a9f3a4282 100644 (file)
--- a/doc/man7/OSSL_PROVIDER-FIPS.pod
+++ b/doc/man7/OSSL_PROVIDER-FIPS.pod
@@ -573,6 +573,19 @@ want to operate in a FIPS approved manner.  The algorithms are:
  
  =back
  
+You can load the FIPS provider into multiple library contexts as any other
+provider. However the following restriction applies. The FIPS provider cannot
+be used by multiple copies of OpenSSL libcrypto in a single process.
+
+As the provider saves core callbacks to the libcrypto obtained in the
+OSSL_provider_init() call to global data it will fail if subsequent
+invocations of its OSSL_provider_init() function yield different addresses
+of these callbacks than in the initial call. This happens when different
+copies of libcrypto are present in the memory of the process and both try
+to load the same FIPS provider. A workaround is to have a different copy
+of the FIPS provider loaded for each of the libcrypto instances in the
+process.
+
  =head1 SEE ALSO
  
  L<openssl-fipsinstall(1)>,
author	Tomas Mraz <tomas@openssl.org>
	Tue, 27 May 2025 09:36:31 +0000 (11:36 +0200)
committer	Pauli <ppzgs1@gmail.com>
	Thu, 29 May 2025 22:08:19 +0000 (08:08 +1000)