From b2e1f8025ab5d3ad293f395958bbff9d8db2879b Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 27 May 2025 11:36:31 +0200 Subject: [PATCH] Document that FIPS provider cannot be used by multiple libcryptos Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/27702) (cherry picked from commit 08b2042a20e76472416c8c7c48e479d893ba904f) --- doc/man7/OSSL_PROVIDER-FIPS.pod | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod index c943289da17..ee2870d05c7 100644 --- a/doc/man7/OSSL_PROVIDER-FIPS.pod +++ b/doc/man7/OSSL_PROVIDER-FIPS.pod @@ -499,6 +499,19 @@ want to operate in a FIPS approved manner. The algorithms are: =back +You can load the FIPS provider into multiple library contexts as any other +provider. However the following restriction applies. The FIPS provider cannot +be used by multiple copies of OpenSSL libcrypto in a single process. + +As the provider saves core callbacks to the libcrypto obtained in the +OSSL_provider_init() call to global data it will fail if subsequent +invocations of its OSSL_provider_init() function yield different addresses +of these callbacks than in the initial call. This happens when different +copies of libcrypto are present in the memory of the process and both try +to load the same FIPS provider. A workaround is to have a different copy +of the FIPS provider loaded for each of the libcrypto instances in the +process. + =head1 SEE ALSO L, -- 2.47.2
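Review bot: The new paragraphs in OSSL_PROVIDER-FIPS.pod describe when the second OSSL_provider_init() call "will fail" but not how that failure surfaces to the caller, so an operator hitting it in a process that links two libcrypto copies has nothing to match against; consider adding one sentence naming the observable symptom (the provider load failing and the error the caller sees) so the restriction can be diagnosed rather than only known. Two punctuation fixes in the same hunk: "However the following restriction applies." reads better as "However, the following restriction applies:" followed directly by the restriction, and the long sentence starting "As the provider saves core callbacks ... to global data it will fail" needs a comma after "global data" to separate the subordinate clause. The workaround sentence could also say what "a different copy of the FIPS provider" means in practice (a separately installed module file for each libcrypto instance), since a reader may otherwise assume loading the same module path twice is enough, which is exactly the case the paragraph says does not work.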