[openssl-users] Forcing the FIPS module to fail (no way)

Dr. Stephen Henson steve at openssl.org
Wed Sep 2 18:16:29 UTC 2015

On Tue, Sep 01, 2015, Alberto Roman Linacero wrote:

> So, it is possible in runtime to know if the FIPS module code has been
> changed after compiling? I mean, after the openssl has been compiled
> with the FIPS Object Module (./config fips & make & make install), the
> 4 files in the FIPS Object Module (fipscanister* and so on) doesn't
> need to be in the final system to let work the application (openssl
> for instance).
> Is there any way to know, at runtime, that the FIPS Object Module code
> has not been changed?

Yes the integrity test will fail.

Just to clarify. When you link the FIPS module part of the code will
correspond to the application (which may be OpenSSL itself or the
OpenSSL shared library) and part of it will be the FIPS module code from
fipscanister.o. If you change the part of the binary corresponding to
fipscanister.o the integrity test will fail, if you change the part of the
binary outside fipscanister.o it wont.

For example there is a version string which says something like "FIPS 2.0.10
validated module 14 May 2015", try changing that.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

More information about the openssl-users mailing list