[openssl-users] OpenSSL FIPS mode system integration

Steve Marquess marquess at openssl.com
Thu Feb 19 14:32:34 UTC 2015

On 02/19/2015 05:19 AM, jonetsu at teksavvy.com wrote:
> ...This means that when using OpenSSL, a link must be made between
> OpenSSL (or the application using it) and the OS, if only to signal
> the OS of such errors.

Ummm, no. The FIPS module stops functioning (i.e. doesn't perform any
useful crypto operations) in the (highly unlikely) event of POST, KAT,
or continuous test errors.

Your application might as well curl up and die at that point (hint: look
at the error codes from the API calls, in particular FIPS_mode_set()),
but the module itself will fail without any intervention.

> ...
> I would like to modify the FIPS OpenSSL library ...

That's a non-starter right there: the instant you modify the FIPS
module, at all or for any reason, it instantly becomes "non validated".
Without the all-important "validated" status that code is worthless and
there is no reason to use it (unless you want to pay and wait for your
own custom validation of the modified code).

-Steve M.

Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

More information about the openssl-users mailing list