[openssl-users] OpenSSL FIPS mode system integration

Marcus Meissner meissner at suse.de
Thu Feb 19 12:45:58 UTC 2015


On Thu, Feb 19, 2015 at 05:19:37AM -0500, jonetsu at teksavvy.com wrote:
> Hello,
> 
> Could you please comment on the following ?  Any suggestion, insight,
> hint, is greatly appreciated.
> 
> In FIPS mode, the OS, the device, must be aware of crypto errors, and
> adopt a certain behaviour when one occurs.  Like shutting down all
> data output interfaces.
> 
> This means that when using OpenSSL, a link must be made between
> OpenSSL (or the application using it) and the OS, if only to signal
> the OS of such errors.
> 
> I would like to modify the FIPS OpenSSL library in such a way that an
> OS-specific action is taken when a FIPS error is detected.  That
> action could be writing a file, writing a specific log msg, sending a
> signal to an application, etc.  To continue in the same vein, are
> there major exit points in the library that could reduce the amount of
> modifications to be made ?  Is error information in FIPS mode
> traveling in the library in such a way that it could be examined and
> acted upon at a precise point, covering all error conditions ?
> 
> Are these mainlines making sense, based on your experience with the
> OpenSSL library ?
> 
> Another way would be to modify the applications that use the OpenSSL
> library. I tend to think that it would be more efficient and easier on
> maintenance to modify the OpenSSL library.  But then, the complexity
> of tapping on (every) exit point from the library could be
> overwhelming, when compared to the source code of several
> applications.

Well, the writing is that the "crypto module" must stop operating
on error.

We solved this by calling abort(); in the openssl library on FIPS
related error conditions.

Ciao, Marcus
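
Added example, not part of the original message and not SUSE's or OpenSSL's code: one way the OS side can notice the abort() described above is a supervising parent process that checks whether its worker died from SIGABRT and then reacts. The names run_supervised, disable_data_outputs and the two worker functions are hypothetical; the workers are constructed stand-ins for an application using the library.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum outcome { WORKER_OK = 0, WORKER_FAILED = 1, MODULE_ABORTED = 2 };

/* Hypothetical OS-side reaction; a real device would disable its data
 * output interfaces here. */
static int outputs_disabled = 0;
static void disable_data_outputs(void) { outputs_disabled = 1; }

/* Constructed stand-ins for an application using the crypto library. */
static int worker_ok(void) { return 0; }
static int worker_self_test_failure(void) { abort(); }

/* Run the worker in a child process and classify how it ended. */
static enum outcome run_supervised(int (*worker)(void))
{
    pid_t pid = fork();
    if (pid < 0)
        return WORKER_FAILED;
    if (pid == 0) {
        struct rlimit no_core = { 0, 0 };
        setrlimit(RLIMIT_CORE, &no_core);   /* keep process memory out of core files */
        _exit(worker() == 0 ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return WORKER_FAILED;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGABRT) {
        disable_data_outputs();             /* module stopped: react at OS level */
        return MODULE_ABORTED;
    }
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? WORKER_OK : WORKER_FAILED;
}

int main(void)
{
    printf("clean worker   -> %d\n", run_supervised(worker_ok));
    printf("aborted worker -> %d\n", run_supervised(worker_self_test_failure));
    printf("outputs disabled: %d\n", outputs_disabled);
    return 0;
}
```

SIGABRT alone does not prove the cause was a FIPS error, since any abort() or failed assertion in the worker ends the same way; this sketch treats every such termination as a module failure.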

