On Tue, Mar 10, 2015, jonetsu wrote: > > > > From: "Dr. Stephen Henson" <steve at openssl.org> > > Date: 03/10/15 10:21 > > > Although you cannot modify the FIPS module itself without voiding the > > validation you *can* change the FIPS capable OpenSSL. > > > You might (for example) change FIPS_mode_set() to always add a callback > > which logs any errors. > > I see.? So this would actually enable benefiting (saving > validation costs) from an intact recent OpenSSL 1.0.1k with all > security fixes. > Only the FIPS module is validated: the FIPS capable OpenSSL uses it. So you can modify (within reason) the FIPS capable OpenSSL without affecting the validation . So you can use OpenSSL 1.0.1l or 1.0.2 with the FIPS module. > FIPS_mode_set() is very straightforward to patch although it > would only catch startup errors.? Not the eventual errors from > tests that are executed before each crypto use.? And not the > continuous RNG tests. > I mean you could add a callback to FIPS_mode_set using FIPS_post_set_callback: see the fips_test_suite.c application for an example. The supplied callback is called during each POST, continuous RNG and pairwise consistency checks. The "op" value is set to FIPS_POST_FAIL if any test fails. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org
