[openssl-users] FIPS: Common method executed in case of error
Dr. Stephen Henson
steve at openssl.org
Tue Mar 10 13:29:38 UTC 2015
On Tue, Mar 10, 2015, jonetsu wrote:
> Is there a method that is always in the path of execution when a crypto
> error occurs ? The reason for asking is that I would like to very slightly
> modify the OpenSSL FIPS version so that it will write a file in tmpfs when
> an error occurs. That place will be observed by another app using inotify.
> Granted, modifying OpenSSL FIPS will void its FIPS certification. But then,
> the whole unit will be validated. Having a single place to modify would be
> quite an extraordinary thing. I have asked recently about a related topic
> and got some replies regarding the modification of applications, although
> modifying the library would provide a single package to modify. Steve has
> replied that indeed the validation will be lost - I wonder if that would
> have any impact on the total validation costs for a whole unit, OS and apps
> ? Would a non-modified FIPS OpenSSL library reduce the validation costs ?
> Any comments and suggestions welcomed, regards.
Although you cannot modify the FIPS module itself without voiding the
validation you *can* change the FIPS capable OpenSSL.
You might (for example) change FIPS_mode_set() to always add a callback
which logs any errors.
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
More information about the openssl-users