On Tue, Mar 10, 2015, jonetsu wrote:
> Hello,
>
> Is there a method that is always in the path of execution when a crypto
> error occurs? The reason for asking is that I would like to very slightly
> modify the OpenSSL FIPS version so that it will write a file in tmpfs when
> an error occurs. That place will be observed by another app using inotify.
> Granted, modifying OpenSSL FIPS will void its FIPS certification. But then,
> the whole unit will be validated. Having a single place to modify would be
> quite an extraordinary thing. I have asked recently about a related topic
> and got some replies regarding the modification of applications, although
> modifying the library would provide a single package to modify. Steve has
> replied that indeed the validation will be lost - I wonder if that would
> have any impact on the total validation costs for a whole unit, OS and apps?
> Would a non-modified FIPS OpenSSL library reduce the validation costs?
>
> Any comments and suggestions welcomed, regards.
>

Although you cannot modify the FIPS module itself without voiding the validation, you *can* change the FIPS capable OpenSSL. You might (for example) change FIPS_mode_set() to always add a callback which logs any errors.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
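An added illustration of the hook Steve describes, written for this page and not taken from the thread or from OpenSSL itself. It assumes the callback has the same parameter shape as OpenSSL's ERR_put_error() (library, function and reason codes plus source file and line), appends one record per error to a directory assumed to be the tmpfs mount the inotify watcher observes, and uses a write-then-rename so the watcher never reads a half-written record. OpenSSL is not linked; the directory name, file naming scheme and the sample error codes in main() are constructed for the example, and wiring the hook into FIPS_mode_set() is the reader's own patch.

```c
/* Error-logging hook in the shape of OpenSSL's put-error callback
 * (int lib, int func, int reason, const char *file, int line).
 * Added example; assumes nothing about OpenSSL beyond that shape. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Directory assumed to be a tmpfs mount watched by another process
 * (constructed default; override at build time). */
#ifndef CRYPTO_ERR_DIR
#define CRYPTO_ERR_DIR "/tmp"
#endif

/* Format one error record into buf. Returns the byte count written
 * (without the NUL), or -1 if buf is too small to hold the whole record. */
int format_crypto_error(char *buf, size_t bufsz, int lib, int func, int reason,
                        const char *file, int line)
{
    int n = snprintf(buf, bufsz, "lib=%d func=%d reason=%d at %s:%d\n",
                     lib, func, reason, file ? file : "?", line);
    if (n < 0 || (size_t)n >= bufsz)
        return -1;
    return n;
}

/* Write the record to a hidden temp file, then rename it into place, so a
 * watcher keyed on IN_MOVED_TO (or IN_CLOSE_WRITE) always sees a complete
 * record. Returns 0 on success, -1 on any failure (temp file removed). */
int write_crypto_error_record(const char *dir, const char *record)
{
    static unsigned long seq; /* per-process counter; not thread-safe, see note */
    char tmp[512], final[512];
    FILE *fp;

    snprintf(tmp, sizeof tmp, "%s/.cryptoerr-%ld-%lu.tmp", dir, (long)getpid(), seq);
    snprintf(final, sizeof final, "%s/cryptoerr-%ld-%lu", dir, (long)getpid(), seq);
    seq++;

    fp = fopen(tmp, "w");
    if (fp == NULL)
        return -1;
    if (fputs(record, fp) == EOF || fclose(fp) != 0) {
        unlink(tmp);
        return -1;
    }
    if (rename(tmp, final) != 0) {
        unlink(tmp);
        return -1;
    }
    return 0;
}

/* The hook itself. It runs inside the library's error path, so it must be
 * silent on its own failures rather than recursing into error reporting. */
void crypto_error_hook(int lib, int func, int reason, const char *file, int line)
{
    char record[256];
    if (format_crypto_error(record, sizeof record, lib, func, reason, file, line) < 0)
        return;
    (void)write_crypto_error_record(CRYPTO_ERR_DIR, record);
}

int main(void)
{
    /* Constructed sample error; the codes are placeholders, not real OpenSSL values. */
    crypto_error_hook(1, 2, 3, "example.c", 42);
    return 0;
}
```

The static counter keeps file names unique within one process; a multi-threaded user of the library would need an atomic increment or a per-thread name component. Because the hook writes to a file, a watcher built on inotify should subscribe to the rename event rather than the temp file's creation, which is the reason for the write-then-rename step.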