Greetings,
We are currently investigating the usage of OpenSSL 3.0.0 on our side,
especially for FIPS usage, but it seems that for OpenSSL 3.0.0 the providers,
especially the FIPS provider, will be loaded dynamically. My main worry is that
this will easily permit some kinds of attacks on the cryptographic layer, for
example:
1. Replacing the provider with a tampered provider by replacing the
shared/dynamic library. This can partially be protected against by the caller
verifying the hash of the provider before calling it. Will OpenSSL 3.0.0 do
this, or will it need to be done at the integrator level?
2. Having the provider entry points made public because they are dynamic will
easily permit MITM attacks or modification such as through hooking. Have you
thought of protection mechanisms to protect against this kind of attack?
With FIPS 2.0, from my understanding, it was statically linked, hence these
risks would be lessened. Of course it required more work, as it required a
special linker script to add the hash value, and with new NIST requirements the
FIPS mode needed to be enabled by default at premain, but my feeling is that it
was more secure.
Thanks for your guidance!
Carl Eric Codere
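
The integrator-level check raised in point 1 (verifying the provider's hash before it is loaded), as an added example that is not part of the original message and is not OpenSSL code. `open_verified` and `ProviderRejected` are hypothetical names, the pinned digest is assumed to come from a trusted build record, and handing the returned descriptor to the loader is platform-specific and not shown.

```python
import hashlib
import hmac
import os
import stat


class ProviderRejected(Exception):
    """The module file failed a pre-load integrity check."""


def open_verified(path, pinned_sha256_hex):
    """Open `path`, check it, and return the fd of the exact file that was hashed.

    Hashing through one descriptor and keeping it open avoids the
    check-then-load race that exists when the file is swapped by name
    between the hash check and the load.
    """
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise ProviderRejected("not a regular file")
        # Holding the fd does not stop in-place writes to the same file,
        # so refuse modules that other accounts are allowed to modify.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise ProviderRejected("file is group- or world-writable")
        digest = hashlib.sha256()
        while True:
            chunk = os.read(fd, 65536)
            if not chunk:
                break
            digest.update(chunk)
        if not hmac.compare_digest(digest.hexdigest(), pinned_sha256_hex.lower()):
            raise ProviderRejected("SHA-256 does not match the pinned value")
        return fd
    except Exception:
        os.close(fd)
        raise


if __name__ == "__main__":
    import tempfile
    # Constructed stand-in for a provider module; not a real library.
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"constructed provider bytes")
    pin = hashlib.sha256(b"constructed provider bytes").hexdigest()
    fd = open_verified(f.name, pin)
    print("verified, fd", fd)
    os.close(fd)
    os.unlink(f.name)
```

This addresses only replacement of the file on disk (point 1); it does nothing about in-process hooking of the entry points (point 2), and it is only as trustworthy as the process that performs the check and the place the pinned digest is stored.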