[openssl-users] FIPS: Common method executed in case of error
Dr. Stephen Henson
steve at openssl.org
Tue Mar 10 23:58:13 UTC 2015
On Tue, Mar 10, 2015, jonetsu wrote:
> > From: "Dr. Stephen Henson" <steve at openssl.org>
> > Date: 03/10/15 10:21
> > Although you cannot modify the FIPS module itself without voiding the
> > validation you *can* change the FIPS capable OpenSSL.
> > You might (for example) change FIPS_mode_set() to always add a callback
> > which logs any errors.
> I see. So this would actually enable benefiting (saving
> validation costs) from an intact recent OpenSSL 1.0.1k with all
> security fixes.
Only the FIPS module is validated: the FIPS capable OpenSSL uses it.
So you can modify (within reason) the FIPS capable OpenSSL without affecting
the validation . So you can use OpenSSL 1.0.1l or 1.0.2 with the FIPS module.
> FIPS_mode_set() is very straightforward to patch although it
> would only catch startup errors. Not the eventual errors from
> tests that are executed before each crypto use. And not the
> continuous RNG tests.
I mean you could add a callback to FIPS_mode_set using FIPS_post_set_callback:
see the fips_test_suite.c application for an example. The supplied callback is
called during each POST, continuous RNG and pairwise consistency checks. The
"op" value is set to FIPS_POST_FAIL if any test fails.
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
More information about the openssl-users