[openssl-users] OpenSSL FIPS mode system integration

Henrik Grindal Bakken hgb at ifi.uio.no
Thu Feb 19 15:50:33 UTC 2015

"jonetsu at teksavvy.com"
<jonetsu at teksavvy.com> writes:

> Hello,
> Could you please comment on the following ?  Any suggestion, insight,
> hint, is greatly appreciated.
> In FIPS mode, the OS, the device, must be aware of crypto errors, and
> adopt a certain behaviour when one occurs.  Like shutting down all
> data output interfaces.
> This means that when using OpenSSL, a link must be made between
> OpenSSL (or the application using it) and the OS, if only to signal
> the OS of such errors.

I'm not sure it will be called on every conceivable error in the FIPS
module, but what I do in similar situations is something like this:

static int post_cb(int op, int id, int subid, void *ex)
    if (op == FIPS_POST_FAIL)
    return 1;

And there somewhere:


Henrik Grindal Bakken <hgb at ifi.uio.no>
PGP ID: 8D436E52
Fingerprint: 131D 9590 F0CF 47EF 7963  02AF 9236 D25A 8D43 6E52

More information about the openssl-users mailing list