[openssl-users] OpenSSL FIPS mode system integration
Marcus Meissner
meissner at suse.de
Thu Feb 19 12:45:58 UTC 2015
On Thu, Feb 19, 2015 at 05:19:37AM -0500, jonetsu at teksavvy.com wrote:
> Hello,
>
> Could you please comment on the following ? Any suggestion, insight,
> hint, is greatly appreciated.
>
> In FIPS mode, the OS, the device, must be aware of crypto errors, and
> adopt a certain behaviour when one occurs. Like shutting down all
> data output interfaces.
>
> This means that when using OpenSSL, a link must be made between
> OpenSSL (or the application using it) and the OS, if only to signal
> the OS of such errors.
>
> I would like to modify the FIPS OpenSSL library in such a way that a
> OS-specific action is taken when a FIPS error is detected. That
> action could be writing a file, writing a specific log msg, sending a
> signal to an application, etc. To continue in the same vein, are
> there major exit points in the library that could reduce the amount of
> modifications to be made ? Is error information inh FIPS mode
> traveling in the library in such a way that it could be examined and
> acted upon at a precise point, covering all error conditions ?
>
> Are these mainlines making sense, based on your experience with the
> OpenSSL library ?
>
> Another way would be to modify the applications that uses the OpenSSL
> library. I tend to think that it would be more efficient and easier on
> maintenance to modify the OpenSSL library. But then, the complexity
> of tapping on (every) exit point from the library could be
> overwhelming, when compared to the source code of several
> applications.
Well, the writing is that the "crypto module" must stop operating
on error.
We solved this by calling abort(); in the openssl library on FIPS
related error conditions.
Ciao, Marcus
More information about the openssl-users
mailing list