[openssl-users] OpenSSL FIPS mode system integration

jonetsu at teksavvy.com jonetsu at teksavvy.com
Thu Feb 19 10:19:37 UTC 2015


Hello,

Could you please comment on the following ?  Any suggestion, insight,
hint, is greatly appreciated.

In FIPS mode, the OS, the device, must be aware of crypto errors, and
adopt a certain behaviour when one occurs.  Like shutting down all
data output interfaces.

This means that when using OpenSSL, a link must be made between
OpenSSL (or the application using it) and the OS, if only to signal
the OS of such errors.

I would like to modify the FIPS OpenSSL library in such a way that an
OS-specific action is taken when a FIPS error is detected.  That
action could be writing a file, writing a specific log msg, sending a
signal to an application, etc.  To continue in the same vein, are
there major exit points in the library that could reduce the amount of
modifications to be made ?  Is error information in FIPS mode
traveling in the library in such a way that it could be examined and
acted upon at a precise point, covering all error conditions ?

Are these mainlines making sense, based on your experience with the
OpenSSL library ?

Another way would be to modify the applications that use the OpenSSL
library. I tend to think that it would be more efficient and easier on
maintenance to modify the OpenSSL library.  But then, the complexity
of tapping on (every) exit point from the library could be
overwhelming, when compared to the source code of several
applications.

Any comment, suggestions welcomed.
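
[Added example, not part of the original post and not OpenSSL code: a sketch of the application-side alternative the message mentions, taking the three OS-visible actions it lists (marker file, log message, signal). All names are hypothetical; fake_crypto_op() stands in for a library call that returns 1 on success, and the use of SIGUSR1 and of a supervising process are assumptions.]

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <sys/types.h>
#include <syslog.h>
#include <unistd.h>

/* Sticky latch: set on the first failure and never cleared. */
static volatile sig_atomic_t crypto_failed = 0;

/* Make the failure visible to the OS: log message, marker file, and a
 * signal to a supervising process (hypothetical; SIGUSR1 is assumed).
 * Returns 0 if file and signal were delivered, -1 otherwise. */
int crypto_error_notify(const char *marker, pid_t supervisor, const char *what)
{
    int rc = 0;
    crypto_failed = 1;
    syslog(LOG_CRIT, "crypto error: %s", what);
    int fd = open(marker, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd < 0) {
        rc = -1;
    } else {
        if (write(fd, what, strlen(what)) < 0 || write(fd, "\n", 1) < 0)
            rc = -1;
        if (fsync(fd) < 0)
            rc = -1;
        close(fd);
    }
    if (supervisor > 0 && kill(supervisor, SIGUSR1) < 0)
        rc = -1;
    return rc;
}

/* Single choke point for crypto calls: refuse to run once latched,
 * and latch on any result other than 1. Returns 1 only on success. */
int guarded_call(int (*op)(void *), void *arg, const char *name,
                 const char *marker, pid_t supervisor)
{
    if (crypto_failed)
        return 0;
    int r = op(arg);
    if (r != 1)
        crypto_error_notify(marker, supervisor, name);
    return r == 1;
}

/* Constructed stand-in for a crypto operation; *arg selects the result. */
int fake_crypto_op(void *arg) { return *(int *)arg; }
```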


