[openssl-users] Questions regarding the openssl FIPS self-tests

[Steve Marquess]

On 01/20/2016 02:00 AM, cloud force wrote:
> Hi everyone,
> 
> From the openssl tips doc it said the power-on self-tests need to be run
> when the system comes up.
> 
> If I have multiple applications which uses the openssl crypto functions
> (under fips mode), does each of this application need to run the
> power-on self-tests?
> 
> Also if the openssl fips modules are installed on a Linux server, what
> is the best way to run the power-on self-tests (e.g. run within init.d
> script or upstart scripts or run by a daemon)?

The POST is run automagically when your application code calls
FIPS_mode_SET().

For most platforms including Linux the shared library has non-writable
code/data area(s) shared among all calling processes, and writable data
area(s) private to each such process. The library state information
resides in the private writable areas, of course, so each such process
will need to independently call FIPS_mode_set().

Keep in mind that the POST doesn't really do anything useful, it is an
ideological requirement from the dim mists of history. As such you
cannot enable FIPS mode without also invoking the POST.

Note this means that one set of shared libraries can be used for all
processes, both those that care about FIPS 140-2 and those that don't.
The OpenSSL + OpenSSL FIPS module combination (the "FIPS capable"
OpenSSL) was designed for such dual use so that the FIPS behavior
wouldn't be seen *unless* FIPS_mode_set() was called.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc