Hello, Could you please comment on the following ? Any suggestion, insight, hint, is greatly appreciated. In FIPS mode, the OS, the device, must be aware of crypto errors, and adopt a certain behaviour when one occurs. Like shutting down all data output interfaces. This means that when using OpenSSL, a link must be made between OpenSSL (or the application using it) and the OS, if only to signal the OS of such errors. I would like to modify the FIPS OpenSSL library in such a way that a OS-specific action is taken when a FIPS error is detected. That action could be writing a file, writing a specific log msg, sending a signal to an application, etc. To continue in the same vein, are there major exit points in the library that could reduce the amount of modifications to be made ? Is error information inh FIPS mode traveling in the library in such a way that it could be examined and acted upon at a precise point, covering all error conditions ? Are these mainlines making sense, based on your experience with the OpenSSL library ? Another way would be to modify the applications that uses the OpenSSL library. I tend to think that it would be more efficient and easier on maintenance to modify the OpenSSL library. But then, the complexity of tapping on (every) exit point from the library could be overwhelming, when compared to the source code of several applications. Any comment, suggestions welcomed.
