[openssl-users] FIPS: Common method executed in case of error

Dr. Stephen Henson steve at openssl.org
Tue Mar 10 23:58:13 UTC 2015

On Tue, Mar 10, 2015, jonetsu wrote:

> > From: "Dr. Stephen Henson" <steve at openssl.org> 
> > Date: 03/10/15 10:21 
> > Although you cannot modify the FIPS module itself without voiding the
> > validation you *can* change the FIPS capable OpenSSL.
> > You might (for example) change FIPS_mode_set() to always add a callback
> > which logs any errors.
> I see.  So this would actually enable benefiting (saving
> validation costs) from an intact recent OpenSSL 1.0.1k with all
> security fixes.

Only the FIPS module is validated: the FIPS capable OpenSSL uses it.

So you can modify (within reason) the FIPS capable OpenSSL without affecting
the validation . So you can use OpenSSL 1.0.1l or 1.0.2 with the FIPS module.

> FIPS_mode_set() is very straightforward to patch although it
> would only catch startup errors.  Not the eventual errors from
> tests that are executed before each crypto use.  And not the
> continuous RNG tests.

I mean you could add a callback to FIPS_mode_set using FIPS_post_set_callback:
see the fips_test_suite.c application for an example. The supplied callback is
called during each POST, continuous RNG and pairwise consistency checks. The
"op" value is set to FIPS_POST_FAIL if any test fails.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

More information about the openssl-users mailing list