On Tue, Sep 01, 2015, Alberto Roman Linacero wrote:

> So, is it possible at runtime to know if the FIPS module code has been
> changed after compiling? I mean, after the openssl has been compiled
> with the FIPS Object Module (./config fips & make & make install), the
> 4 files in the FIPS Object Module (fipscanister* and so on) don't
> need to be in the final system to let the application work (openssl
> for instance).
>
> Is there any way to know, at runtime, that the FIPS Object Module code
> has not been changed?
>

Yes, the integrity test will fail.

Just to clarify. When you link the FIPS module, part of the code will correspond to the application (which may be OpenSSL itself or the OpenSSL shared library) and part of it will be the FIPS module code from fipscanister.o.

If you change the part of the binary corresponding to fipscanister.o the integrity test will fail; if you change the part of the binary outside fipscanister.o it won't. For example, there is a version string which says something like "FIPS 2.0.10 validated module 14 May 2015", try changing that.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
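The distinction Steve draws (bytes inside the fipscanister.o region are covered by the integrity test, bytes outside it are not) can be shown with a small model. The following is an added example, not code from the OpenSSL project or from the thread. It mimics the shape of the real mechanism, a keyed HMAC-SHA-1 computed over the module's own code region and compared against a reference value fixed at link time, but the image layout, the region contents and the HMAC key are all constructed for the example; the real module's key, fingerprint location and section coverage are not reproduced here.

```python
import hashlib
import hmac

# Constructed, hypothetical "linked binary": three regions laid end to end.
# Only the middle region stands in for the code that came from fipscanister.o.
APP_CODE = b"\x55\x48\x89\xe5application-code-bytes"          # outside the covered region
MODULE_CODE = b"\x48\x83\xec\x20fipscanister-code-bytes"       # the covered region
VERSION_STR = b"FIPS 2.0.10 validated module 14 May 2015\x00"  # outside the covered region

# Constructed key for this example; the real module uses its own fixed key.
HMAC_KEY = b"constructed-example-key"


def build_image(app=APP_CODE, module=MODULE_CODE, version=VERSION_STR):
    """Return (image, (start, end)) where [start, end) is the covered module region."""
    start = len(app)
    end = start + len(module)
    return app + module + version, (start, end)


def fingerprint(image, covered):
    """HMAC-SHA-1 over the covered region only; everything else is ignored."""
    start, end = covered
    return hmac.new(HMAC_KEY, image[start:end], hashlib.sha1).digest()


def integrity_test(image, covered, reference):
    """True when the covered region still matches the link-time reference value."""
    return hmac.compare_digest(fingerprint(image, covered), reference)


def patch(image, offset, new_bytes):
    """Overwrite bytes in place (same length), returning the modified image."""
    return image[:offset] + new_bytes + image[offset + len(new_bytes):]


def demo():
    """Exercise the three cases from the thread and return the test outcomes."""
    image, covered = build_image()
    start, end = covered
    # Reference value computed once over the pristine module region; in the real
    # build this is produced at link time and embedded in the binary.
    reference = fingerprint(image, covered)

    results = {"unmodified": integrity_test(image, covered, reference)}

    # Case 1: one byte inside the fipscanister.o region changes -> test fails.
    module_patched = patch(image, start + 4, b"\x90")
    results["module_patched"] = integrity_test(module_patched, covered, reference)

    # Case 2: the version string, which lives outside the covered region,
    # changes ("14 May" -> "15 May") -> test still passes.
    version_patched = patch(image, end + len(b"FIPS 2.0.10 validated module "), b"15")
    results["version_patched"] = integrity_test(version_patched, covered, reference)
    return results


if __name__ == "__main__":
    for case, passed in demo().items():
        print(f"{case:16s} integrity test {'passed' if passed else 'FAILED'}")
```

The takeaway for anyone relying on the self-test is the same as in the reply: it attests to the module region only, so tamper detection for the surrounding application (including strings like the version banner) has to come from a separate mechanism such as package signing or whole-file hashing.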