[openssl-users] OpenSSL FIPS mode system integration
Dr. Stephen Henson
steve at openssl.org
Fri Feb 20 14:55:27 UTC 2015
On Fri, Feb 20, 2015, jonetsu wrote:
> On Feb 19, 2015 10:50am Henrik Grindal Bakken wrote:
>
> > I'm not sure it will be called on every conceivable error in
> > the FIPS module, but what I do in similar situations is
> > something like this:
>
> > static int post_cb(int op, int id, int subid, void *ex)
> > {
> >     if (op == FIPS_POST_FAIL)
> >         system("/bin/fipserror");
> >     return 1;
> > }
>
> > And there somewhere:
>
> > FIPS_post_set_callback(post_cb);
>
> This is very interesting, thanks. Following this hint, in the same vein the
> FIPS code also has:
>
> FIPS_drbg_set_callbacks(<args>)
>
> Although this one looks more like an entropy callback than
> anything that could be used to know about status.
>
> The FIPS User Guide mentions both, although the information on
> FIPS_post_set_callback() is not much at all. Is there another
> source than the User Guide 2.0, for detailed descriptions of
> these FIPS-related methods? For instance, the 'op' variable of
> FIPS_post_set_callback() is not described at all. Any manual or
> info pages ? Could be other potentially interesting methods in there.
>
The main purpose of FIPS_post_set_callback() was to show how the
self tests were progressing to the labs and how it behaves correctly
when failure is induced in each self test.
This is demonstrated by fips_test_suite which has an example of a POST
callback.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
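
An added example, not part of the original thread and not OpenSSL code: a POST callback with the signature quoted above that only records results, so the application can decide what to do after the self tests rather than running a program from inside the callback. The names struct post_status, post_check and replay_sample are hypothetical, the enum values are constructed stand-ins for building without the FIPS module, and the event stream is constructed; in a real build the callback is registered with FIPS_post_set_callback(post_cb).

```c
#include <stdio.h>

/* Constructed stand-ins so this builds without the FIPS module; with the
 * module, include <openssl/fips.h> first and this enum is skipped. */
#ifndef FIPS_POST_FAIL
enum { FIPS_POST_STARTED = 3, FIPS_POST_SUCCESS = 4, FIPS_POST_FAIL = 5 };
#endif

/* Hypothetical application-side record of self-test progress. */
struct post_status {
    int started, passed, failed;
    int fail_id, fail_subid;   /* first failing test, valid if failed > 0 */
};
static struct post_status g_post;

/* Same signature as the post_cb quoted in the thread: record, do not act. */
static int post_cb(int op, int id, int subid, void *ex)
{
    (void)ex;
    if (op == FIPS_POST_STARTED) {
        g_post.started++;
    } else if (op == FIPS_POST_SUCCESS) {
        g_post.passed++;
    } else if (op == FIPS_POST_FAIL && g_post.failed++ == 0) {
        g_post.fail_id = id;
        g_post.fail_subid = subid;
    }
    return 1;                  /* same return value as the quoted snippet */
}

/* Run by the application after the self tests; 0 means a clean record. */
static int post_check(char *msg, size_t len)
{
    int ok = g_post.failed == 0 && g_post.started == g_post.passed;
    snprintf(msg, len, "POST %s: started=%d passed=%d failed=%d first_fail=%d/%d",
             ok ? "ok" : "FAILED", g_post.started, g_post.passed,
             g_post.failed, g_post.fail_id, g_post.fail_subid);
    return ok ? 0 : -1;
}

/* Constructed event stream standing in for the module invoking post_cb. */
static int replay_sample(char *msg, size_t len)
{
    static const int ev[][3] = { {FIPS_POST_STARTED, 1, 0}, {FIPS_POST_SUCCESS, 1, 0},
        {FIPS_POST_STARTED, 2, 64}, {FIPS_POST_FAIL, 2, 64},
        {FIPS_POST_STARTED, 3, 0}, {FIPS_POST_SUCCESS, 3, 0} };
    g_post = (struct post_status){0};
    for (size_t i = 0; i < sizeof ev / sizeof ev[0]; i++)
        post_cb(ev[i][0], ev[i][1], ev[i][2], NULL);
    return post_check(msg, len);
}
int main(void) { char m[128]; replay_sample(m, sizeof m); puts(m); return 0; }
```

The message built by post_check can be handed to whatever logging or alerting path the system already uses.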