> I'm currently porting the openssl-0.9.8 fips code to a proprietary
> platform. There seems to be quite a lot of time and effort put into all the
> macros for different OSs and CPUs in FIPS_ref_point() and
> instruction_pointer(). But I fail to see what problem the code in
> fips_canister.c is trying to solve?

fips_canister.c is placed in the beginning *and* the end of sequestered
code and is responsible for providing addresses of machine instructions
in its vicinity, which are then used for fingerprinting and run-time
integrity verification purposes of actual machine code.

> Why is it not sufficient to return a
> pointer to instruction_pointer() in all circumstances?

Because on some platforms a pointer to instruction_pointer() would not
point at an actual machine instruction, but at a structure, which in turn
contains a pointer to the actual machine instruction (see os-specific #ifdef
in FIPS_ref_point for examples). Addresses of these structures can't be
used for the above-mentioned fingerprinting of actual machine code.

A.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
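
The distinction drawn in the reply above, as an added sketch that is not part of the original message and is not OpenSSL's fips_canister.c. The byte array, `struct func_desc`, `ref_point()`, `in_code()` and `fingerprint()` are hypothetical names, and FNV-1a stands in for the digest a real integrity check would use.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for sequestered machine code (not real instructions). */
static unsigned char code_image[64];

/* Hypothetical function descriptor: what a "function pointer" refers to on
 * ABIs where it is not the address of the first instruction. */
struct func_desc {
    const unsigned char *entry;  /* address of the actual machine code */
    const void *env;             /* per-module data pointer, unused here */
};

/* Markers that an object linked first and last would expose. */
static struct func_desc start_desc = { code_image, NULL };
static struct func_desc end_desc   = { code_image + sizeof code_image, NULL };

/* Resolve a descriptor to the code address it describes. */
static const unsigned char *ref_point(const struct func_desc *d)
{ return d->entry; }

/* True if p lies inside the code image, so it can bound a fingerprint. */
static int in_code(const void *p)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)code_image;
    return a >= lo && a < lo + sizeof code_image;
}

/* FNV-1a over [from, to): a non-cryptographic stand-in (assumption) for
 * the digest used by a real integrity check. */
static uint32_t fingerprint(const unsigned char *from, const unsigned char *to)
{
    uint32_t h = 2166136261u;
    while (from < to) { h ^= *from++; h *= 16777619u; }
    return h;
}

/* Fingerprint the code between the two resolved reference points. */
static uint32_t fingerprint_module(void)
{ return fingerprint(ref_point(&start_desc), ref_point(&end_desc)); }

int main(void)
{
    uint32_t build = fingerprint_module();
    code_image[10] ^= 0x01;   /* simulated modification of the code */
    printf("descriptor in code: %d, tamper detected: %d\n",
           in_code(&start_desc), fingerprint_module() != build);
    return 0;
}
```

The descriptor's own address lies outside the code image, so only the resolved entry address is usable as a fingerprint boundary.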