From: Tomas Mraz Date: Tue, 27 May 2025 09:36:31 +0000 (+0200) Subject: Document that FIPS provider cannot be used by multiple libcryptos X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=08b2042a20e76472416c8c7c48e479d893ba904f;p=thirdparty%2Fopenssl.git Document that FIPS provider cannot be used by multiple libcryptos Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/27702) --- diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod index 20d35fada87..571a1e99e08 100644 --- a/doc/man7/OSSL_PROVIDER-FIPS.pod +++ b/doc/man7/OSSL_PROVIDER-FIPS.pod @@ -573,6 +573,19 @@ want to operate in a FIPS approved manner. The algorithms are: =back +You can load the FIPS provider into multiple library contexts as any other +provider. However the following restriction applies. The FIPS provider cannot +be used by multiple copies of OpenSSL libcrypto in a single process. + +As the provider saves core callbacks to the libcrypto obtained in the +OSSL_provider_init() call to global data it will fail if subsequent +invocations of its OSSL_provider_init() function yield different addresses +of these callbacks than in the initial call. This happens when different +copies of libcrypto are present in the memory of the process and both try +to load the same FIPS provider. A workaround is to have a different copy +of the FIPS provider loaded for each of the libcrypto instances in the +process. + =head1 SEE ALSO L,
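Review bot: The second added paragraph describes a two-copy case while the first restricts "multiple copies"; "both try to load the same FIPS provider" should read "more than one of them tries to load the same FIPS provider" so the restriction and its explanation agree. Two smaller points in the same hunk: "However the following restriction applies." needs a comma after "However", and the sentence "As the provider saves core callbacks to the libcrypto obtained in the OSSL_provider_init() call to global data it will fail ..." is hard to parse; suggested wording: "The provider stores, in global data, the core callbacks of the libcrypto that made the initial OSSL_provider_init() call. A later OSSL_provider_init() call that supplies callbacks at different addresses will fail." It would also help the reader to state what the failure looks like in practice (the provider fails to load in the second libcrypto's context) and what "a different copy of the FIPS provider" means for the workaround, so an operator can recognise the symptom and verify that each libcrypto instance is actually loading its own module.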