[openssl-users] FIPS: Common method executed in case of error

jonetsu jonetsu at teksavvy.com
Tue Mar 10 13:10:06 UTC 2015



> Is there a method that is always in the path of execution when a crypto error occurs ?  

It looks like fips_set_selftest_fail() would be a likely candidate where to create an empty file on a tmpfs in order to let the OS know about the error.

Comments and suggestions welcomed.  Based on your experience with FIPS validation process, and many customers/sponsors, do you think that having a ever so slightly modified OpenSSL FIPS code would increase validation costs for a whole unit (OS and apps) ?  Recently Steve, I think, has mentioned that the cost for an initial OpenSSL FIPS validation was well into the 6 numbers.  Would this type of figure be added to a project if OpenSSL FIPS is modified ?  I think the labs could go with a diff and see how simple the modification is.

Regards.





More information about the openssl-users mailing list