> From: "Dr. Stephen Henson" <steve at openssl.org>
> Date: 03/10/15 10:21
>
> Although you cannot modify the FIPS module itself without voiding the
> validation you *can* change the FIPS capable OpenSSL.
>
> You might (for example) change FIPS_mode_set() to always add a callback
> which logs any errors.

I see. So this would actually enable benefiting (saving validation costs) from an intact recent OpenSSL 1.0.1k with all security fixes.

FIPS_mode_set() is very straightforward to patch, although it would only catch startup errors. Not the eventual errors from tests that are executed before each crypto use. And not the continuous RNG tests.

Within the scope of OpenSSL itself, there is a fips_cipher_abort() that is called for each algo. That macro could perhaps be a good place. Although it would still not catch continuous RNG test failures.

Regards.