[openssl-users] OpenSSL FIPS mode system integration
Henrik Grindal Bakken
hgb at ifi.uio.no
Thu Feb 19 15:50:33 UTC 2015
"jonetsu at teksavvy.com" <jonetsu at teksavvy.com> writes:
> Hello,
>
> Could you please comment on the following ? Any suggestion, insight,
> hint, is greatly appreciated.
>
> In FIPS mode, the OS, the device, must be aware of crypto errors, and
> adopt a certain behaviour when one occurs. Like shutting down all
> data output interfaces.
>
> This means that when using OpenSSL, a link must be made between
> OpenSSL (or the application using it) and the OS, if only to signal
> the OS of such errors.
I'm not sure it will be called on every conceivable error in the FIPS
module, but what I do in similar situations is something like this:
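#include <stdlib.h>        /* system() */
#include <openssl/fips.h>  /* FIPS_POST_FAIL, FIPS_post_set_callback() */

/* Called by the FIPS module as each power-on self-test reports its state. */
static int post_cb(int op, int id, int subid, void *ex)
{
    if (op == FIPS_POST_FAIL)
        system("/bin/fipserror");   /* tell the OS a self-test failed */
    return 1;
}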
And there somewhere:
FIPS_post_set_callback(post_cb);
--
Henrik Grindal Bakken <hgb at ifi.uio.no>
PGP ID: 8D436E52
Fingerprint: 131D 9590 F0CF 47EF 7963 02AF 9236 D25A 8D43 6E52
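
An added example (not part of the original post and not OpenSSL project code): the same callback with the handler started through fork/execve instead of system(), so no shell or inherited environment is involved, and with the failure recorded before the handler runs. `run_error_handler`, `handler_path` and `crypto_error_latched` are hypothetical names, and the `FIPS_POST_FAIL` define is a stand-in for the one in `<openssl/fips.h>` so the block builds without the FIPS module.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/wait.h>

/* Stand-in: a real build includes <openssl/fips.h> and uses its definition. */
#ifndef FIPS_POST_FAIL
#define FIPS_POST_FAIL 5
#endif

static const char *handler_path = "/bin/fipserror"; /* path used in the post */
static int crypto_error_latched;                    /* hypothetical flag */

/* Run the handler directly (no shell, empty environment) and return its
 * exit status; 127 if it could not be executed, -1 on fork/wait failure. */
static int run_error_handler(const char *path, int id, int subid)
{
    char a1[16], a2[16];
    char *argv[] = { (char *)path, a1, a2, NULL };
    char *envp[] = { NULL };
    pid_t pid; int status;

    snprintf(a1, sizeof a1, "%d", id);      /* which self-test failed */
    snprintf(a2, sizeof a2, "%d", subid);
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(path, argv, envp);
        _exit(127);                         /* exec failed */
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Same signature as the callback passed to FIPS_post_set_callback(). */
static int post_cb(int op, int id, int subid, void *ex)
{
    (void)ex;
    if (op == FIPS_POST_FAIL) {
        crypto_error_latched = 1;   /* latch first: the handler may not run */
        if (run_error_handler(handler_path, id, subid) != 0)
            fprintf(stderr, "FIPS POST %d/%d failed; handler error\n", id, subid);
    }
    return 1;
}

int main(void)
{
    post_cb(FIPS_POST_FAIL, 1, 0, NULL);    /* constructed failure event */
    return crypto_error_latched ? 0 : 1;
}
```

The application can check `crypto_error_latched` before writing to any output interface, which keeps it fail-closed even when the external handler is missing or exits non-zero.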