[openssl-users] FIPS: Common method executed in case of error

jonetsu jonetsu at teksavvy.com
Wed Mar 11 15:14:25 UTC 2015

> From: "Dr. Stephen Henson" <steve at openssl.org> 
> Date: 03/10/15 20:04 

> I mean you could add a callback to FIPS_mode_set using
> FIPS_post_set_callback: see the fips_test_suite.c application
> for an example. The supplied callback is called during each
> POST, continuous RNG and pairwise consistency checks. The "op"
> value is set to FIPS_POST_FAIL if any test fails.

This is basically what was also suggested by Henrik in a related
thread recently, which I understood being implemented in an
application.  The variation here would be that the callback is
part of the library, located in FIPS_mode_set() in o_fips.c, with
the callback itself being defined elsewhere in the same file.

A potentially useful case for some applications that do not need
to be further modified would be for the library to automatically
know that it has to run in FIPS mode.  Eg. to automatically call
FIPS_mode_set() at load time, based on a env. var. or some other
external sign.

More information about the openssl-users mailing list