[openssl-users] FIPS: Common method executed in case of error

Dr. Stephen Henson steve at openssl.org
Tue Mar 10 13:29:38 UTC 2015

On Tue, Mar 10, 2015, jonetsu wrote:

> Hello,
>   Is there a method that is always in the path of execution when a crypto
> error occurs ?  The reason for asking is that I would like to very slightly
> modify the OpenSSL FIPS version so that it will write a file in tmpfs when
> an error occurs.  That place will be observed by another app using inotify. 
> Granted, modifying OpenSSL FIPS will void its FIPS certification.  But then,
> the whole unit will be validated.  Having a single place to modify would be
> quite an extraordinary thing.  I have asked recently about a related topic
> and got some replies regarding the modification of applications, although
> modifying the library would provide a single package to modify.  Steve has
> replied that indeed the validation will be lost - I wonder if that would
> have any impact on the total validation costs for a whole unit, OS and apps
> ?  Would a non-modified FIPS OpenSSL library reduce the validation costs ?
> Any comments and suggestions welcomed, regards.

Although you cannot modify the FIPS module itself without voiding the
validation you *can* change the FIPS capable OpenSSL.

You might (for example) change FIPS_mode_set() to always add a callback
which logs any errors.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
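As an added illustration of the pattern Steve describes (a single hook in the FIPS-capable OpenSSL that sees every error), the C below is example code written for this page; it is not OpenSSL's code and did not appear in the thread. It assumes a hypothetical `crypto_report_error()` choke point and a `crypto_set_error_callback()` registration that stand in for the callback one would add in `FIPS_mode_set()`, and a plain directory in place of the tmpfs mount the inotify watcher observes. The marker file is written to a `.tmp` name and then `rename()`d into place, so the watcher (listening for `IN_MOVED_TO`) never reads a half-written file.

```c
/* Added example, not OpenSSL code: one error choke point with a registered
 * callback that drops a marker file for an inotify watcher to pick up. */
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <sys/types.h>
#include <unistd.h>

/* Callback signature: which operation failed and a numeric error code. */
typedef void (*crypto_error_cb)(const char *where, int code, void *arg);

static crypto_error_cb g_cb = NULL;   /* registered once, e.g. from FIPS_mode_set() */
static void *g_cb_arg = NULL;

/* Hypothetical registration hook, standing in for the change to the
 * FIPS-capable OpenSSL's FIPS_mode_set() that Steve suggests. */
void crypto_set_error_callback(crypto_error_cb cb, void *arg)
{
    g_cb = cb;
    g_cb_arg = arg;
}

/* Hypothetical single choke point every crypto failure is routed through.
 * Only an operation name and a code are passed on: never key material. */
void crypto_report_error(const char *where, int code)
{
    if (g_cb != NULL)
        g_cb(where, code, g_cb_arg);
}

/* Write "<dir>/crypto-error-<pid>-<seq>.log" atomically: fill a ".tmp" name
 * first, then rename() it so a watcher sees a complete file (IN_MOVED_TO).
 * Returns 0 on success, -1 on failure. */
int write_error_marker(const char *dir, const char *where, int code,
                       char *out_path, size_t out_len)
{
    static unsigned long seq = 0;
    char tmp_path[600];
    FILE *f;
    int n;

    seq++;
    n = snprintf(out_path, out_len, "%s/crypto-error-%ld-%lu.log",
                 dir, (long)getpid(), seq);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    n = snprintf(tmp_path, sizeof tmp_path, "%s.tmp", out_path);
    if (n < 0 || (size_t)n >= sizeof tmp_path)
        return -1;

    f = fopen(tmp_path, "w");
    if (f == NULL)
        return -1;
    fprintf(f, "time=%ld where=%s code=%d\n", (long)time(NULL), where, code);
    if (fclose(f) != 0 || rename(tmp_path, out_path) != 0) {
        remove(tmp_path);
        return -1;
    }
    return 0;
}

/* Does the marker at `path` contain `needle`? 1 = yes, 0 = no or unreadable. */
int marker_mentions(const char *path, const char *needle)
{
    char buf[1024];
    size_t got;
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return 0;
    got = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[got] = '\0';
    return strstr(buf, needle) != NULL;
}

/* State handed to the callback: target directory and the last path written. */
struct marker_ctx {
    const char *dir;
    char last_path[512];
    int failures;
};

static void marker_cb(const char *where, int code, void *arg)
{
    struct marker_ctx *ctx = arg;
    if (write_error_marker(ctx->dir, where, code,
                           ctx->last_path, sizeof ctx->last_path) != 0)
        ctx->failures++;
}

/* Full round trip: register, raise one constructed error, verify the marker
 * fields, clean up. Returns 1 when the marker was written as expected. */
int demo_once(const char *dir)
{
    struct marker_ctx ctx = { dir, "", 0 };
    int ok;

    crypto_set_error_callback(marker_cb, &ctx);
    crypto_report_error("FIPS_selftest_aes", 42);   /* constructed error */
    crypto_set_error_callback(NULL, NULL);

    if (ctx.failures != 0 || ctx.last_path[0] == '\0')
        return 0;
    ok = marker_mentions(ctx.last_path, "where=FIPS_selftest_aes") &&
         marker_mentions(ctx.last_path, "code=42");
    remove(ctx.last_path);
    return ok;
}

int main(void)
{
    /* "/tmp" stands in for the tmpfs directory the other app watches. */
    printf("marker round trip %s\n", demo_once("/tmp") ? "ok" : "FAILED");
    return 0;
}
```

The watcher side should ignore names ending in `.tmp` and react only to the renamed `.log` files; the record deliberately carries just an operation name, a code and a timestamp, which is all a monitoring app needs and keeps secrets out of a world-readable tmpfs.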