Commit 08b2042a20 for openssl.org
commit 08b2042a20e76472416c8c7c48e479d893ba904f
Author: Tomas Mraz <tomas@openssl.org>
Date: Tue May 27 11:36:31 2025 +0200
Document that FIPS provider cannot be used by multiple libcryptos
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27702)
diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod
index 20d35fada8..571a1e99e0 100644
--- a/doc/man7/OSSL_PROVIDER-FIPS.pod
+++ b/doc/man7/OSSL_PROVIDER-FIPS.pod
@@ -573,6 +573,19 @@ want to operate in a FIPS approved manner. The algorithms are:
=back
+You can load the FIPS provider into multiple library contexts as any other
+provider. However the following restriction applies. The FIPS provider cannot
+be used by multiple copies of OpenSSL libcrypto in a single process.
+
+As the provider saves core callbacks to the libcrypto obtained in the
+OSSL_provider_init() call to global data it will fail if subsequent
+invocations of its OSSL_provider_init() function yield different addresses
+of these callbacks than in the initial call. This happens when different
+copies of libcrypto are present in the memory of the process and both try
+to load the same FIPS provider. A workaround is to have a different copy
+of the FIPS provider loaded for each of the libcrypto instances in the
+process.
+
=head1 SEE ALSO
L<openssl-fipsinstall(1)>,
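Review bot: The two new paragraphs sit directly after the `=back` that closes the list introduced by "The algorithms are:", with no heading of their own, so a process-wide loading restriction reads as a continuation of the algorithm section and is easy to miss. Consider giving it its own `=head2` (or a NOTES-style section) before `=head1 SEE ALSO`. In the second paragraph, "it will fail" leaves the subject ambiguous. It would help to say that it is the later OSSL_provider_init() call, and therefore the provider load in the second libcrypto, that fails, and how the caller observes that failure. The workaround sentence ("a different copy of the FIPS provider loaded for each of the libcrypto instances") should say what counts as a different copy, since the text does not tell the reader how to arrange that. Minor: "However the following restriction applies." wants a comma after "However", and the two short sentences could be merged with the one that states the restriction.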