[openssl-users] FIPS: Common method executed in case of error

jonetsu jonetsu at teksavvy.com
Tue Mar 10 15:25:29 UTC 2015

> From: "Dr. Stephen Henson" <steve at openssl.org> 
> Date: 03/10/15 10:21 

> Although you cannot modify the FIPS module itself without voiding the
> validation you *can* change the FIPS capable OpenSSL.

> You might (for example) change FIPS_mode_set() to always add a callback
> which logs any errors.

I see.  So this would actually enable benefiting (saving
validation costs) from an intact recent OpenSSL 1.0.1k with all
security fixes.

FIPS_mode_set() is very straightforward to patch although it
would only catch startup errors.  Not the eventual errors from
tests that are executed before each crypto use.  And not the
continuous RNG tests.

Within the scope of OpenSSL itself, there is a
fips_cipher_abort() that is called for each algo.  That macro
could perhaps be a good place.  Although it would still not catch
continuous RNG test failures.


More information about the openssl-users mailing list