I've been doing some testing with the latest 2.0 FIPS Object Module I downloaded and 1.0.1e OpenSSL and have a question.


I was wondering what the Software Integrity self-test is designed to accomplish? It seems like it's to ensure the source code or build hasn't been tampered with. Out of curiosity, I added a comment line in the file ...\fips\fips.c in the FIPS module. Also, because I wasn't sure if the integrity check also validated the OpenSSL library, I added a comment line to the file ...\crypto\evp\evp_enc.c. I then rebuilt the FIPS Object Module, and the FIPS Capable OpenSSL according to the User Guide directions. All of the steps seemed to work. I then started my application, calling FIPS_mode_set(), expecting a failure because of the modifications to the source code files and resulting libraries I had rebuilt. However, the call returned success.




Does this make sense to anyone? Am I misinterpreting what the Software Integrity self-test is supposed to do?

Thanks in advance.
                                          
