On 02/19/2015 05:19 AM, jonetsu at teksavvy.com wrote:
> ...This means that when using OpenSSL, a link must be made between
> OpenSSL (or the application using it) and the OS, if only to signal
> the OS of such errors.

Ummm, no. The FIPS module stops functioning (i.e. doesn't perform any
useful crypto operations) in the (highly unlikely) event of POST, KAT,
or continuous test errors. Your application might as well curl up and
die at that point (hint: look at the error codes from the API calls, in
particular FIPS_mode_set()), but the module itself will fail without any
intervention.

> ...
> I would like to modify the FIPS OpenSSL library ...

That's a non-starter right there: the instant you modify the FIPS
module, at all or for any reason, it instantly becomes "non validated".
Without the all-important "validated" status that code is worthless and
there is no reason to use it (unless you want to pay and wait for your
own custom validation of the modified code).

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc