> From: "Dr. Stephen Henson" <steve at openssl.org> > Date: 03/10/15 20:04 > I mean you could add a callback to FIPS_mode_set using > FIPS_post_set_callback: see the fips_test_suite.c application > for an example. The supplied callback is called during each > POST, continuous RNG and pairwise consistency checks. The "op" > value is set to FIPS_POST_FAIL if any test fails. This is basically what was also suggested by Henrik in a related thread recently, which I understood being implemented in an application.? The variation here would be that the callback is part of the library, located in FIPS_mode_set() in o_fips.c, with the callback itself being defined elsewhere in the same file. A potentially useful case for some applications that do not need to be further modified would be for the library to automatically know that it has to run in FIPS mode.? Eg. to automatically call FIPS_mode_set() at load time, based on a env. var. or some other external sign.
