diff --git a/crypto/CMakeLists.txt b/crypto/CMakeLists.txt
index 20d2fb175a..28d1277d70 100644
--- a/crypto/CMakeLists.txt
+++ b/crypto/CMakeLists.txt
@@ -770,6 +770,7 @@ if(BUILD_TESTING)
     evp_extra/evp_test.cc
     evp_extra/p_pqdsa_test.cc
     evp_extra/scrypt_test.cc
+    fips_callback_test.cc
     fipsmodule/aes/aes_test.cc
     fipsmodule/bn/bn_test.cc
     fipsmodule/bn/bn_assert_test.cc
diff --git a/crypto/fips_callback_test.cc b/crypto/fips_callback_test.cc
new file mode 100644
index 0000000000..5917c38a91
--- /dev/null
+++ b/crypto/fips_callback_test.cc
@@ -0,0 +1,168 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0 OR ISC
+
+#if defined(__ELF__) && defined(__GNUC__)
+
+#include <gtest/gtest.h>
+#include <openssl/crypto.h>
+#include <openssl/curve25519.h>
+#include <openssl/dh.h>
+#include <openssl/ec_key.h>
+#include <openssl/evp.h>
+#include <openssl/nid.h>
+#include <openssl/rsa.h>
+
+#include "internal.h"
+
+extern "C" {
+  OPENSSL_EXPORT void AWS_LC_fips_failure_callback(const char* message);
+}
+
+int callback_call_count = 0;
+
+void AWS_LC_fips_failure_callback(const char* message) {
+  SCOPED_TRACE(callback_call_count);
+  SCOPED_TRACE(message);
+  const std::map<std::string, std::vector<std::string>> kat_failure_messages = {
+    {"RSA_PWCT", {"RSA keygen checks failed"}},
+    {"ECDSA_PWCT", {"EC keygen checks failed"}},
+    {"EDDSA_PWCT", {"Ed25519 keygen PCT failed"}},
+    {"MLKEM_PWCT", {"ML-KEM keygen PCT failed", "ML-KEM self tests failed", "ML-KEM keygen PCT failed"}},
+    {"MLDSA_PWCT", {"ML-DSA keygen PCT failed", "ML-DSA self tests failed", "ML-DSA keygen PCT failed"}},
+    {"HMAC-SHA-256", {"HMAC-SHA-256 KAT failed.\nExpected:   365f5bd5f5ebfdc76e53a5736d732013aad3bc864bb884941646889c48eea90e\nCalculated: 853c7403937d8b6239569b184eb7993fc5f751aefcea28f2c863858e2d29c50b\n", "Integrity test failed"}},
+    {"AES-CBC-encrypt", {"AES-CBC-encrypt KAT failed.\nExpected:   5646c141f413d6ff6292417a26c686bd305fb657a7d2503ac55e8e9340f210d8\nCalculated: a2be9b9cf41b6e1ddb4d65278d5dd28c02e449fca4bdff92f1a9a9cec178954c\n", "Power on self test failed"}},
+    {"AES-CBC-decrypt", {"AES-CBC-decrypt KAT failed.\nExpected:   51a7a01f6b796ccd4803a141dc56a6c216b5d1d3b706b2256fa6d0d20e6f19b5\nCalculated: 85d7b98cd1599f7340ec7a00db67519185d7b98cd1599f7340ec7a00db675191\n", "Power on self test failed"}},
+    {"AES-GCM-encrypt", {"AES-GCM-encrypt KAT failed.\nExpected:   877bd58d963e4be66494402f619b7e56527da45af9a6e2db1c632e97930ffbedb59e1c20b2b058da48072dbd960d34c6\nCalculated: 08b7951416b03e2ccb61c2a6e9d3d6dbd2f6f1f1b73592a261f7257f5f128369f9ecdc5bad903c25ee946273656b472f\n", "Power on self test failed"}},
+    {"AES-GCM-decrypt", {"AES-GCM-decrypt KAT failed because EVP_AEAD_CTX_open failed", "Power on self test failed"}},
+    {"DRBG", {"DRBG Generate KAT failed.\nExpected:   191f2b497685fd51b656bc1c7dd5dd4476a35e179b8eb8986512ca356ca06fa022e4f6d843ed4e2d9739433b57fc233f710ae0edfed5b8677a0039b26ea92597\nCalculated: 4af020970d7d770f44491cd477258a5a8f93a6496a5b98f342d1dcf5ebc374d9d21264e4627aa36678405a542bcf318c4d931da7a9012da5759a8ec58064144b\n", "CTR-DRBG failed", "Power on self test failed"}},
+    {"DRBG-reseed", {"DRBG-reseed KAT failed.\nExpected:   00f205aafd116c77bc818699ca51cf80159f029e0bcd26c84b878a151addf2f3eb940b08c8c957a40b4b0f13de7c0c6aac344a9af2d083020517c9818f2a8192\nCalculated: 533a0ea1f2577e4d2b4ddcf8d2d9a73132ea6e5a4595c1b923d610798707afde1efd7e0cfed5147fe0d4ce418b61c794dfbd125dd38d3c81684114655d927cd0\n", "CTR-DRBG failed", "Power on self test failed"}},
+    {"SHA-1", {"SHA-1 KAT failed.\nExpected:   941955930a582938ebf509116d1afd0f1e11e3cb\nCalculated: e129f27c5103bc5cc44bcdf0a15e160d445066ff\n", "Power on self test failed"}},
+    {"SHA-256", {"SHA-256 KAT failed.\nExpected:   7fe4d5f1a1e38287d958f511c71d5e275eccd266cfb9c8c660d8921e57fd4675\nCalculated: 374708fff7719dd5979ec875d56cd2286f6d3cf7ec317a3b25632aab28ec37bb\n", "Integrity test failed"}},
+    {"SHA-512", {"SHA-512 KAT failed.\nExpected:   293c94354e9883e5c278367ae51890bf35410164198d26ebe1f82f048efa8b2bc6b29d5d46765ac8b525a3ea5284476d6df4c971f33d894c3b208c5b75e8f87c\nCalculated: 0b6cbac838dfe7f47ea1bd0df00ec282fdf45510c92161072ccfb84035390c4da743d9c3b954eaa1b0f86fc9861b23cc6c8667ab232c11c686432ebb5c8c3f27\n", "Power on self test failed"}},
+    {"SHA3-256", {"SHA3-256 KAT failed.\nExpected:   b87d9e4722edd3918729ded9a6d03af8256998ee088a1ae662ef4bcaff142a96\nCalculated: 61664696888a110278ff672620c85217e69aa662a83304052f1014d395f545bf\n", "Power on self test failed"}},
+    {"TLS-KDF", {"TLS-KDF KAT failed.\nExpected:   e21dd6c268c757032c2cebbbb8a97de9eee6c947830abd11605dd52c47b60588\nCalculated: f6bf8fed0639cca6712ccba58f955c225fcc666ae8f55b968fd022bddd77db63\n", "Power on self test failed"}},
+    {"RSA-sign", {"RSA-sign KAT failed.\nExpected:   b7ee251166d4fd87108f7c859a1d35422b0230aa8a81f750b264c015e6bd5de1038bf4d35b4a8cf17f3fcd1fe090783adeefd269e7e559bac9de537484aa33062947d60f00cae2deab6c869db2c64fb68edebe1c26462fbb05c12b79b0824ec903b31a27d0c8522e220470501dcfd66d7aa088903a496465728851e6db8e8cbe1c50c71ac08b443d8446b0a27b37c803f0012e76c10b7b0a5e62d9934b86afa844203fcae76b8d2756f603c1d55eaa6434a4f6f20b86c1d4a4a96e588c0a09caad4bd66b3bfefefb093c76db332d622844c4d543e4862ea8a026a88ce9407cf8598407bd90e0c7cb768b410fbaedc9bf1477c5db16d1db33bc20d0ec04bff8e3\nCalculated: 24e2b547c5ce89bd2943f6cf0ae6956ac6e639ceea104b5aff8940e89b57c7f5fef175cb6db081898ee6be7e4588fd1a44af573467743617d8c64c9edb9ca1b6925bc0423535d40bd9f60d5978ef1814d9344a5e5eaf5351c1b4d88cf0ec452b7f30ee14f49b61986434249d0e8ae7d0f3d96f3f0c3103cd419966bdde766c8ff0ae674ea6f0d5e2b57dd08f42f0b735c37ec85583e46ac7fa1b9ef530aa4fd34d9122004b069b2dab228f4ee1fc7e722f552994f8922eab4ee5522638a506e2fefd7fe568dc058eb2b59937c8e40b2719a7291e3bb574d5ee1580662657331e0bc4e02371a362172d642ff5b0a641a386be74870dd98833f4c5ba489b6faef8\n", "RSA self tests failed"}},
+    {"RSA-verify", {"RSA-verify KAT failed", "RSA self tests failed"}},
+    {"ECDSA-sign", {"ECDSA-sign signature failed.\nExpected:   6780c5fc70275e2c7061a0e7877bb174deadeb9887027f3fa83654158ba7f50c3a82d965b2a72ac5a607bc56ab3722c842d921c04936e9e25fd7b600e7d8dc80\nCalculated: 6780c5fc70275e2c7061a0e7877bb174deadeb9887027f3fa83654158ba7f50c14672fa0338e4b0376d7255bf240b99a3c40f37dc1747346de9a6aaaedb3175b\n", "ECDSA-sign KAT failed", "ECC self tests failed"}},
+    {"ECDSA-verify", {"ECDSA-verify KAT failed", "ECC self tests failed"}},
+    {"Z-computation", {"Z-computation failed.\nExpected:   04f1630088c5d5e90552acb6ec6876b8737f0f7234e6bb30322237b62a80e89e6e6f3602e721d231db9463b7d8190ec2c0a72f15491aa27c418faf9c40af2e4a0c\nCalculated: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\n", "ECC self tests failed"}},
+    {"FFDH", {"FFDH self tests failed", "Power on self test failed"}},
+    {"ED25519-sign", {"ED25519-sign failed.\nExpected:   a881e8d95ddbd5d14760af4ecfce4596f72e04d7eeccb9c6a193e24dd735b13c18a534c7793145469dd16f0c5e0371a3fb85063597c0924597cb427560db2a0b\nCalculated: 8608f1c9cf5070fae1f6833c868886a1e997bd3d02d200c942286d831ed78e16ce580009d05bea51d78dd4f65fb0179373d3449c7088133fd0774854cf03bb00\n", "ED25519-sign failed", "EdDSA self tests failed"}},
+    {"ED25519-verify", {"ED25519-verify failed", "EdDSA self tests failed"}},
+    {"ED25519ph-sign", {"ED25519ph-sign failed.\nExpected:   0b933d3f5900e3a1e53947ce9732c7014037e9c94b71cd3afb6046aa29fea9bbd81c50541064c659d0075fb38c8b420f8148682dc9f8384355105c3970d20609\nCalculated: 55cf180696924ba9ac1275ea19da4d1584f69250c479145cdbd7068ffbfadf8d5aafb666893b365dcaf66ae20bc9e813df3b3f9d3197ead79d644fc5a17dff0d\n", "EdDSA-ph self tests failed"}},
+    {"ED25519ph-verify", {"ED25519ph-verify failed", "EdDSA-ph self tests failed"}},
+    {"ML-KEM-keyGen-decaps", {"ML-KEM-keyGen-decaps failed.\nExpected:   000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\nCalculated: 88c12ceaa6cb91f589acb86d913c7a60f7cdabe3b7b590091d0084e29a049b436841f2473b03165ae9c6a9826d6c650d04b388eff594505b7e54709530546825a070a625b0e5fa866e6aaf40c2414246240973c7598aae7c363e4303abb7a11131b464a943996de7592ca04922ea8a4d73b443ea048c06acc4e55a8f254bf6d271fd827119ec5b5580498bfcc09eb0266f8c2b45988ae98c1e5402b7003463f20359470159c0509fa971153443ce2580c0b2443f8ac2b0810401e73052d626bf58c674ee48880c408d1f313a94b1667f897628c55a83e28634a20710d25da88b2ac90c0f5d6b0ed6e080fd2c24bb11816b5c607957781db2287966717ffa500a03025839164115ba5ea7b717344588169e8a85a9e83c516cab5ee6e63b7c736ce90628ddeca99a6bc547588681bc2223f39fbc4464b41c63d924afeba1098960bd43c12fd0080f490c8c50f4843222303c6821ad7b663d8844a1368a19549e5cfc83d14a8491205c44f5492bf609b69c526c95aa5e508ecf714b7955b61f6cab340b06200432ce3b1ecd0a075a8332046865959a25698a081df3532691348a2581d606a0e0b2cf2e8b3c9afc594e926eb0d7c702c0c3e5b54ee2c86ca20cc476aaaca3208f32a20190562c27338202071e11665f134273bdaacbc952b994ba9462671226514b446113e7ab7edb9c54c311c4da94104d262a80280e39201e755191763983c439a95aeaafa767c2cb594829e6313e386982d6621acc4bb0991a60790a2b0c5f3139aadd7045f7d849aa209bf60bc15ed82667414b70b71a7e184e164280af00bf95a9ad3de41dcf19623610cfb30687a5a082a2458870eb33d649b3fce3317e0362ee6175fb811c7fe3647ca21020673aedd23bf0470cd8735ce53a78082668e49a5132d1336a084360187fcff9227cdc0d7f205b2af2c88dc6bc9a04b41f429fa9a386f58b8f216cbf6714a619597caa5a9bf668048d7135105a9425cb46fe807a406459b067b716f5a47730974b207826716fe3f747fd74cd8c025720b1003f27b2dea695f221971cd5af81a1a795001f125c285c150ddc9959e9e0220a694556bc0a4b5aade032b2aa877c0da816ef32a84d77bbff4656e680854e6961a417082bd46f5023c47cea09bba2145d415188e13803bb5e7fc19d39819e59ca7fdc38051d969401d4c411dac00a47ab57527daa897a37759351b4b1185b1496d79aa33229bea3c0e8dbcf1d7a64730928775c74c946181bb88e0a38a165ebbdc7860b014c59894c7211bc23d39077e62944d3c48c434b737b1a64b5f9a1646a18a5195a54603ffc280bf5ea1bf3d8cb4112aa82fab89e2633665597bed30de6c8897a9613ea8c11736524a7086266523fbab887465494ebfc96fbe4466775bc0d707e624bb3de700eaac9b37c2bc12b52aa2dfb73b7006bd956c0b9324c47295e4e4c4cc47ba9b5a899694b38a64a29120684bf64c648211b18d017ce34849c4a092b24bcb8960d870422ebd954bc7264ba95a727a31926f31c12381d0d051e1e04190b949322442845f3aa6fb17940442a9c1a183b2397dcc0770cb2b4a07aaf0af52636778ac9949d2db42f3d036bc842b2f3b0b11d278ea025cc16ac8b6986a9b18b3356790dbc821d0ac7b5eae965fcf14b0e202b00ec5d707c45af52be2d9771bcc53b31f2525ab53f95a3b00242c11c494e2554438b0a4f68194019181bbdb194910307bc19afae553dd666564332c078604fbd8bc4fdc92f9201809ab495c1b535530bad2eb35753f91956b58bfbf62d1e33c861f73846334c4a2ac5576984ef1163a50454a3e4ce838898f225868189bdae5a03efd8001d2a9f557cb6cd93a46fbb1379d81645b853cb98b47ba87a66fcbc0ada76506b8dcd659042640ef616820ff20b26433399371dc4c50287349ca2763e3073865c5bc9aaa1437b86b20b25b6f088bd6a4c9483842d7c65257cc42ad7c7b26f58c8ed199b848b8c6f408d487637751888a95a449cab47b7a2ace6a82c7d46910526414ab149b11343b0ea32d969a508a81cf896b081087f4d52a2a9e077878a43e5971d74863a7bf20037b2974703140ea8160a5ba72227c15bec5df171140198896d31732a241f5b938ff233cba2dc82de91c6b493782b6163bc1282df855ee6a6a65975b33cb6a27d258bd317d04cef8eb557ba02d49471923cd60e9917966be90f56d2d53fa3bc2629740abbd16720a9a7069a64de7a26328817d74a7c2f55a2461b074bff8044445e11660b1b6b26df242b8fc02b9e8df538db17a639d7c46132\n", "ML-KEM self tests failed"}},
+    {"ML-KEM-keyGen-encaps", {"ML-KEM-keyGen-encaps failed.\nExpected:   0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\nCalculated: a7cc68f8d02110ca5720223b9e2a8987c8a24835a20dabcbefa430e74a85af80b9b74b74574c5e5f585459ca3610940f0b57b33344ceacccc135557b82f4968688a0168c1aa2940e5604482bf8b900a4343096446330cfee10917c0338181b7fe8d30f4816087d6299f225417f533ee40473894847bd45291367be6b1a7dee55bb21d60e3828552f4c8a6f3c54fc74cf67a614eeab002a076851879cef2218fdb3766123c2de32a269b6aa4661b69370314c004446f7258c40b2ea789f40ca023bbb1217c2c44b380c6e3194edd129d039218d9b75194a386d944acce7a9720ab026362004e95bf9229290b53613416082e82ba8a42a5ff14759f57712395706b307f7635ecee42317a48eb3b90683f3ab53d17c50f53c6cfb1c0cf59d6f2a981021428a7ac5edf13b26844d83c31d3608710e623aabb24b6c5b48baebc1b3078972589201b7a30bc09315612b067655bec403a69c89eb137c31157971098cb693ba4ae9ae40a8031cec92580bcc1b5ab3ecd1aa5f79aa2cd69249d138c8965a81c87a07eb59a4612e60658f4df028cef8af1b837e0ab0bfedb726904290d0bc41df6a67f7a4166609952439631960648e229a21f2a4d82abad3ec8135dc9bb43c703d3b33e437c9ef7bca91c3465676740125a15ad1707088b101b4273d3c4bf30181b4b2575de75ccfc13312a2a6bcebc477a9668e751629b569bfa20beca09800992c63f04b6b4a7df977a00131c2f8722e5138775235b517a709852167c1d415fdc7ad32f2aaca437e9cc6b248d9ca7c65b405e68d24e81b8688caa22b3cf5c9b147f0cc27e667a80b83ccbb4f4161a5ffd0194b1b5720e68ea0f59997f26740972d2c8124d7a6ad8327c2075a3f76b968d2aaad19c00697599e0be49fa6d65b4088b0be692dcda028095852a0d7205e4417409c0317780305a878fb582963b6953f6b8f0880b050178301d659be3a4db7e0bf2587129164178f32707d40392d85713dea82913999aa6c35aa94b3547abe40e2b0ba82b5b78319182a5a47d173176ba6fa3a4d70a8130b310743fa8aaae314381c9b7f49991f19a4ff8369638de380b5d828b7b5fcfdd91fe68efe16d4cd9eed66d65c1d2d8caf5af4a692\n", "ML-KEM self tests failed"}},
+    {"ML-KEM-encapsulate-ciphertext", {"ML-KEM-encapsulate-ciphertext failed.\nExpected:   000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\nCalculated: 431a4f1b2d2c6c00f1690bbe482541ef3d563774daff83207f96de7e5e4a59d5d936d9443ad422e645793e7a60a9b0a76cd672d20c69b82a5563df52d96f9a6cdfc56fbd4fd8d5a8afeb2a09d92ec854094794b4ed2db381f04c68439608aa9902a4d1689e2eb1e5f07a4a1c709262d7c2ff2f81f6eeaab2a86a41ba210eb1bf8e75febccd1a15b4d7a7b60257c89d00bd81d39fcb8d1ce3278102595dd652f7fb7d5584874f3327b174043b350ebd4d41fe08bd0e854d41cbb027c481da64dc6151b88dececcf022ddac2e22736c147e0773294231c0589967154c526b0b7cdd59568eeff5749a40cb100c60c6480897655d96e9f64d61684c0b3150646732c19409fe565540a31894703cf0179cae85bc8c1a5732649836e48e676405b9591b65ba25f9b489b9e5772aa1ed5a00143cb9f5449fd013457a3c13874cb58c75b52c9b6a9ae495ccb504a89cb5f145695b921632fb85b0316b30d4ad17fef0862d6b1e6ca6a611c8a6a7234b4362c5ca0ad9f7697687798cf624dc9f35fbb376e09953156532a9033709df755b46cc6d83de3a111e19a76b361e0ef14c91db8d91c6c6d9e3e46f42291fd6cbf5cfd122716fb0675698e602ab39ee98e0d8145eebaaa9374f5b3bb0df4d0fd83a40e0d25038c39e9bee01cf79c86f3086158d031d5c5e86bc7e7eb16e622505f2888213884c0b5252289b11fce5bfeebfbef0a32ceaf9c14c6250090028463db6f8d19684f541108fe934d88e7ef5cce9daebb32700b9397691a684298c9bf1b7c22d1bcec3fcacfbb17f2ed2b98b85e6a8fe2482996b5e099e9d0211cb9412614de87dc18d23613ed7f6c29cc37b727116dd901c2817938c29fcd026089336addc09eca90de9a25a6374fee86bcdd06ae3daaf0b1bc5b3b2790d4d9f759bef8ac743612a2bbf6e45de8b22efa61226625d4c39f346b844c5ebec5355866c00b726cc1640cb237c34a20a7c603d251f46e6b3b0fa71b3276835e3e9da5b9485e789614af49f1e9504db2528631fbe1cd7dbee85164e4c099a27a4583e9247d078f8830b46874c1b010bf3cd90eb0774961f239ba\n", "ML-KEM self tests failed"}},
+    {"ML-KEM-encapsulate-shared-secret", {"ML-KEM-encapsulate-shared-secret failed.\nExpected:   0000000000000000000000000000000000000000000000000000000000000000\nCalculated: a772df2de250ac7d896bbb820b57f2ae05f9a412ab55baa421d4af6dac62662a\n", "ML-KEM self tests failed"}},
+    {"HKDF-SHA-256", {"HKDF-SHA-256 KAT failed.\nExpected:   000000000000000000000000000000000000000000000000000000000000000000000000000000000000\nCalculated: ca5e6410e7a52332fe0ab3601212a7d3dbdf55a162af42a5daf38b94f24523477e880dd711508684cc21\n", "Power on self test failed"}},
+    {"KBKDF", {"KBKDF-CTR-HMAC-SHA-256 KAT failed.\nExpected:   10621342bfb0fd40046c0e29f2cfdbf0\nCalculated: 606060902f7c6632bcde3a67f5818c48\n", "Power on self test failed"}},
+    {"PBKDF2", {"PBKDF2 KAT failed.\nExpected:   c6ac0779e4a117c922287f5e10e7ee6ba74d8b19519b4cc738\nCalculated: e442f1807d5fc9b466badcdfd3806fed7fa50da9a6f5729117\n", "Power on self test failed"}},
+    {"SSKDF", {"SSKDF_digest KAT failed.\nExpected:   5a2e26644d16222cd636a1fdb57bfaa17f94449127612bcd7be1bb39cc18f32893d3c648c16372fb6e9c63de5433b1ccdeb51bb5f15368c8a849a1e5a4efc666fd33eeb9f6728b0479f76668cfafc13a91367074def2b50e9d9a918a120210824165d596ad4f94a3236ef7cf5843282a0a57a483819f63e0cfb2081daf9ccf35c66a03e7a02d3891f45022e1c89d888aa8087e08f45babbc52062b18e6fb70c12dcb29a194d23abc351cfb3cf4f161cc775a3e711bb1502d6901f6931407a9ae868476f998d1ca4cca296a9f14752d14f47427e666289f80892a3d14a84fe343fd78d0dadbde1819aca915f7c0c024376b40cb34bae2d26e9f4552b6b1a26fa5\nCalculated: 63d19beaa2b5a2685510e4a3bd3692cec7d370f7d8eea41239a2d89439dc9643767c37c3fd892434c4f567d3c6854b57e63222bc99df63d7d02e6527b90fe57baaecf7fcb4ba278be3b2ff6f22d8435ccbc1c4d92fd89b88915d0711ad5ca81151d7c62a3d12a8315c2b3cf6f1d7b8b367687eadcb87d7c7b4e79f629df1aa35e05a8450291fdcdb744c1013bc25883fb913942ab0b77ac3a9dcd068e46af564e7deb1d2abc60d45d7f16ff985c652bc7559b8277026d238460f6133dfe6ab5641dbbcb749481c94c6e910161e54bef623cbaec3f4e096ec66bb6f3702c86dad3bd57b25d5115a972aafe8ab15fd60a30d401a6fbd421bab89095f7be374a439\n", "Power on self test failed"}}
+  };
+
+  char* broken_kat = getenv("FIPS_CALLBACK_TEST_EXPECTED_FAILURE");
+  SCOPED_TRACE(broken_kat);
+  if (broken_kat != nullptr) {
+      auto test_config = kat_failure_messages.find(broken_kat);
+      if (test_config != kat_failure_messages.end()) {
+        ASSERT_LT(callback_call_count, (int)test_config->second.size());
+        std::string expected_string = test_config->second[callback_call_count];
+        EXPECT_STREQ(expected_string.c_str(), message);
+      } else {
+        FAIL() << "Failed to find expected message for FIPS_CALLBACK_TEST_POWER_ON_TEST_FAILURE=" << broken_kat;
+      }
+  } else {
+    FAIL() << "AWS_LC_fips_failure_callback called when no KAT was expected to be broken";
+  }
+  callback_call_count++;
+
+}
+
+TEST(FIPSCallback, PowerOnSelfTests) {
+  char* broken_kat = getenv("FIPS_CALLBACK_TEST_EXPECTED_FAILURE");
+  SCOPED_TRACE(broken_kat);
+
+  // Some KATs are lazy and run on first use
+  bssl::UniquePtr<RSA> rsa(RSA_new());
+  EXPECT_TRUE(RSA_generate_key_fips(rsa.get(), 2048, nullptr));
+  bssl::UniquePtr<EC_KEY> key(EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
+  EXPECT_TRUE(EC_KEY_generate_key_fips(key.get()));
+
+  bssl::UniquePtr<DH> dh(DH_new());
+  EXPECT_TRUE(DH_generate_parameters_ex(dh.get(), 64, DH_GENERATOR_5, nullptr));
+  EXPECT_TRUE(DH_generate_key(dh.get()));
+
+  bssl::UniquePtr<EVP_PKEY_CTX> ctx(EVP_PKEY_CTX_new_id(EVP_PKEY_KEM, nullptr));
+  EXPECT_TRUE(ctx);
+  EXPECT_TRUE(EVP_PKEY_CTX_kem_set_params(ctx.get(), NID_MLKEM512));
+  EXPECT_TRUE(EVP_PKEY_keygen_init(ctx.get()));
+  EVP_PKEY *raw = nullptr;
+  EXPECT_TRUE(EVP_PKEY_keygen(ctx.get(), &raw));
+  EVP_PKEY_free(raw);
+
+  uint8_t public_key[ED25519_PUBLIC_KEY_LEN];
+  uint8_t private_key[ED25519_PRIVATE_KEY_LEN];
+  ED25519_keypair(public_key, private_key);
+
+  uint8_t message[2];
+  uint8_t context[2];
+  uint8_t signature[ED25519_SIGNATURE_LEN];
+  ED25519ph_sign(signature, message, sizeof(message), private_key, context, sizeof(context));
+
+  if (broken_kat == nullptr) {
+    EXPECT_EQ(0, callback_call_count);
+  } else {
+    EXPECT_NE(0, callback_call_count);
+
+  }
+}
+
+TEST(FIPSCallback, PWCT) {
+  char*broken_runtime_test = getenv("FIPS_CALLBACK_TEST_EXPECTED_FAILURE");
+  bssl::UniquePtr<RSA> rsa(RSA_new());
+  SCOPED_TRACE(broken_runtime_test);
+  if (broken_runtime_test != nullptr && strcmp(broken_runtime_test, "RSA_PWCT" ) == 0) {
+    EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 2048, nullptr));
+  } else {
+    EXPECT_TRUE(RSA_generate_key_fips(rsa.get(), 2048, nullptr));
+  }
+
+  bssl::UniquePtr<EC_KEY> key(EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
+  if (broken_runtime_test != nullptr && strcmp(broken_runtime_test, "ECDSA_PWCT" ) == 0) {
+    EXPECT_FALSE(EC_KEY_generate_key_fips(key.get()));
+  } else {
+    EXPECT_TRUE(EC_KEY_generate_key_fips(key.get()));
+  }
+
+  uint8_t public_key[ED25519_PUBLIC_KEY_LEN];
+  uint8_t private_key[ED25519_PRIVATE_KEY_LEN];
+  ED25519_keypair(public_key, private_key);
+
+  bssl::UniquePtr<EVP_PKEY_CTX> ctx(EVP_PKEY_CTX_new_id(EVP_PKEY_KEM, nullptr));
+  EXPECT_TRUE(ctx);
+  EXPECT_TRUE(EVP_PKEY_CTX_kem_set_params(ctx.get(), NID_MLKEM512));
+  EXPECT_TRUE(EVP_PKEY_keygen_init(ctx.get()));
+  EVP_PKEY *raw = nullptr;
+  if (broken_runtime_test != nullptr && strcmp(broken_runtime_test, "MLKEM_PWCT" ) == 0) {
+    EXPECT_FALSE(EVP_PKEY_keygen(ctx.get(), &raw));
+  } else {
+    EXPECT_TRUE(EVP_PKEY_keygen(ctx.get(), &raw));
+  }
+  EVP_PKEY_free(raw);
+
+  EVP_PKEY *dsa_raw = NULL;
+  bssl::UniquePtr<EVP_PKEY_CTX> dsa_ctx(EVP_PKEY_CTX_new_id(EVP_PKEY_PQDSA, nullptr));
+
+  ASSERT_TRUE(dsa_ctx);
+  ASSERT_TRUE(EVP_PKEY_CTX_pqdsa_set_params(dsa_ctx.get(), NID_MLDSA44));
+  ASSERT_TRUE(EVP_PKEY_keygen_init(dsa_ctx.get()));
+  if (broken_runtime_test != nullptr && strcmp(broken_runtime_test, "MLDSA_PWCT" ) == 0) {
+    EXPECT_FALSE(EVP_PKEY_keygen(dsa_ctx.get(), &dsa_raw));
+  } else {
+    EXPECT_TRUE(EVP_PKEY_keygen(dsa_ctx.get(), &dsa_raw));
+  }
+  EVP_PKEY_free(dsa_raw);
+}
+
+#endif
diff --git a/crypto/fipsmodule/bcm.c b/crypto/fipsmodule/bcm.c
index 654d0bde2e..119e2cad6d 100644
--- a/crypto/fipsmodule/bcm.c
+++ b/crypto/fipsmodule/bcm.c
@@ -252,6 +252,14 @@ static void BORINGSSL_maybe_set_module_text_permissions(int _permission) {}
 
 #endif  // !ASAN
 
+#if defined(AWSLC_FIPS_FAILURE_CALLBACK)
+#if defined(__ELF__) && defined(__GNUC__)
+WEAK_SYMBOL_FUNC(void, AWS_LC_fips_failure_callback, (const char* message))
+#else
+#error AWSLC_FIPS_FAILURE_CALLBACK not supported on this platform
+#endif
+#endif
+
 #if defined(_MSC_VER)
 #pragma section(".CRT$XCU", read)
 static void BORINGSSL_bcm_power_on_self_test(void);
@@ -262,6 +270,13 @@ static void BORINGSSL_bcm_power_on_self_test(void) __attribute__ ((constructor))
 #endif
 
 static void BORINGSSL_bcm_power_on_self_test(void) {
+#if defined(AWSLC_FIPS_FAILURE_CALLBACK)
+  if (AWS_LC_fips_failure_callback == NULL) {
+    fprintf(stderr, "AWS_LC_fips_failure_callback not defined but AWS-LC built with AWSLC_FIPS_FAILURE_CALLBACK\n");
+    fflush(stderr);
+    abort();
+  }
+#endif
 // TODO: remove !defined(OPENSSL_PPC64BE) from the check below when starting to support
 // PPC64BE that has VCRYPTO capability. In that case, add `|| defined(OPENSSL_PPC64BE)`
 // to `#if defined(OPENSSL_PPC64LE)` wherever it occurs.
@@ -392,14 +407,23 @@ int BORINGSSL_integrity_test(void) {
 #endif  // OPENSSL_ASAN
 
 void AWS_LC_FIPS_failure(const char* message) {
+#if defined(AWSLC_FIPS_FAILURE_CALLBACK)
+  if (AWS_LC_fips_failure_callback == NULL) {
+    fprintf(stderr, "AWS_LC_fips_failure_callback not defined but AWS-LC built with AWSLC_FIPS_FAILURE_CALLBACK. FIPS failure:\n%s", message);
+    fflush(stderr);
+    abort();
+  } else {
+    AWS_LC_fips_failure_callback(message);
+  }
+#else
   fprintf(stderr, "AWS-LC FIPS failure caused by:\n%s\n", message);
   fflush(stderr);
   for (;;) {
     abort();
     exit(1);
   }
+#endif
 }
-
 #else  // BORINGSSL_FIPS
 void AWS_LC_FIPS_failure(const char* message) {
   fprintf(stderr, "AWS-LC FIPS failure caused by:\n%s\n", message);
diff --git a/crypto/fipsmodule/self_check/self_check.c b/crypto/fipsmodule/self_check/self_check.c
index b6978fd48f..ef35b7cbfe 100644
--- a/crypto/fipsmodule/self_check/self_check.c
+++ b/crypto/fipsmodule/self_check/self_check.c
@@ -636,7 +636,7 @@ static int boringssl_self_test_ecc(void) {
   ec_point_in = EC_POINT_new(ec_group);
   ec_point_out = EC_POINT_new(ec_group);
   ec_scalar = BN_new();
-  uint8_t z_comp_result[65];
+  uint8_t z_comp_result[65] = {0};
   if (ec_point_in == NULL || ec_point_out == NULL || ec_scalar == NULL ||
       !EC_POINT_oct2point(ec_group, ec_point_in, kP256Point, sizeof(kP256Point),
                           NULL) ||
@@ -2276,7 +2276,7 @@ void boringssl_ensure_ffdh_self_test(void) {
 
 static void run_self_test_ml_kem(void) {
   if (!boringssl_self_test_ml_kem()) {
-    AWS_LC_FIPS_failure("RSA self tests failed");
+    AWS_LC_FIPS_failure("ML-KEM self tests failed");
   }
 }
 
@@ -2390,9 +2390,10 @@ int boringssl_self_test_hmac_sha256(void) {
 }
 
 static int boringssl_self_test_hkdf_sha256(void) {
-  static const uint8_t kHKDF_ikm_tc1[] = {   // RFC 5869 Test Case 1
-      0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
-      0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b
+  static const uint8_t kHKDF_ikm_tc1[] = {
+      0x58, 0x3e, 0xa3, 0xcf, 0x8f, 0xcf, 0xc8, 0x08, 0x73, 0xcc, 0x7b, 0x88,
+      0x00, 0x9d, 0x4a, 0xed, 0x07, 0xd8, 0xd8, 0x88, 0xae, 0x98, 0x76, 0x8d,
+      0xca, 0x07, 0xcb, 0x1e, 0x4b, 0x33, 0x1e, 0xb9
   };
   static const uint8_t kHKDF_salt_tc1[] = {
       0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
@@ -2402,10 +2403,10 @@ static int boringssl_self_test_hkdf_sha256(void) {
       0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9
   };
   static const uint8_t kHKDF_okm_tc1_sha256[] = {
-      0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a, 0x90, 0x43, 0x4f, 0x64,
-      0xd0, 0x36, 0x2f, 0x2a, 0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a, 0x5a, 0x4c,
-      0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf, 0x34, 0x00, 0x72, 0x08,
-      0xd5, 0xb8, 0x87, 0x18, 0x58, 0x65
+      0xca, 0x5e, 0x64, 0x10, 0xe7, 0xa5, 0x23, 0x32, 0xfe, 0x0a, 0xb3, 0x60,
+      0x12, 0x12, 0xa7, 0xd3, 0xdb, 0xdf, 0x55, 0xa1, 0x62, 0xaf, 0x42, 0xa5,
+      0xda, 0xf3, 0x8b, 0x94, 0xf2, 0x45, 0x23, 0x47, 0x7e, 0x88, 0x0d, 0xd7,
+      0x11, 0x50, 0x86, 0x84, 0xcc, 0x21
   };
 
   uint8_t output[sizeof(kHKDF_okm_tc1_sha256)];
@@ -2669,11 +2670,9 @@ static int boringssl_self_test_fast(void) {
     goto err;
   }
 
-  // PBKDF2 KAT - password/salt data from RFC 6070, derived key generated by
-  // Python's cryptography module
   static const uint8_t kPBKDF2Password[] = {
-    'p', 'a', 's', 's', 'w', 'o', 'r', 'd', 'P', 'A', 'S', 'S', 'W', 'O', 'R',
-    'D', 'p', 'a', 's', 's', 'w', 'o', 'r', 'd'
+    'A', 'W', 'S', '-', 'L', 'C', 'F', 'I', 'P', 'S', 'p', 'a', 's', 's', 'w',
+    'o', 'r', 'd'
   };
   static const uint8_t kPBKDF2Salt[] = {
     's', 'a', 'l', 't', 'S', 'A', 'L', 'T', 's', 'a', 'l', 't', 'S', 'A', 'L',
@@ -2682,9 +2681,9 @@ static int boringssl_self_test_fast(void) {
   };
   const unsigned kPBKDF2Iterations = 2;
   static const uint8_t kPBKDF2DerivedKey[] = {
-    0x13, 0xdc, 0x8a, 0x7c, 0x13, 0xd3, 0x72, 0xc9, 0x03, 0x82, 0x82, 0x2d,
-    0x2d, 0xc4, 0x92, 0xf2, 0xed, 0x52, 0x46, 0x7f, 0xb7, 0x82, 0x8e, 0xa8,
-    0x64    // 25 bytes
+    0xc6, 0xac, 0x07, 0x79, 0xe4, 0xa1, 0x17, 0xc9, 0x22, 0x28, 0x7f, 0x5e,
+    0x10, 0xe7, 0xee, 0x6b, 0xa7, 0x4d, 0x8b, 0x19, 0x51, 0x9b, 0x4c, 0xc7,
+    0x38
   };
   uint8_t pbkdf2_output[sizeof(kPBKDF2DerivedKey)];
   if (!PKCS5_PBKDF2_HMAC((const char *)kPBKDF2Password, sizeof(kPBKDF2Password),
diff --git a/crypto/internal.h b/crypto/internal.h
index 5a59c1e11f..2e8cf3785c 100644
--- a/crypto/internal.h
+++ b/crypto/internal.h
@@ -1272,12 +1272,15 @@ static inline uint64_t CRYPTO_subc_u64(uint64_t x, uint64_t y, uint64_t borrow,
 // AWS_LC_FIPS_failure is called when a FIPS power-on or continuous test
 // fails. If the library is built in FIPS mode it prevents any further
 // cryptographic operations by the current process.
+#if defined(AWSLC_FIPS_FAILURE_CALLBACK)
+void AWS_LC_FIPS_failure(const char* message);
+#else
 #if defined(_MSC_VER)
 __declspec(noreturn) void AWS_LC_FIPS_failure(const char* message);
 #else
 void AWS_LC_FIPS_failure(const char* message) __attribute__((noreturn));
 #endif
-
+#endif
 // boringssl_self_test_startup runs all startup self tests and returns one on
 // success or zero on error. Startup self tests do not include lazy tests.
 // Call |BORINGSSL_self_test| to run every self test.
@@ -1420,6 +1423,17 @@ OPENSSL_EXPORT int OPENSSL_vasprintf_internal(char **str, const char *format,
 #define GUARD_PTR(ptr) __AWS_LC_ENSURE((ptr) != NULL, OPENSSL_PUT_ERROR(CRYPTO, ERR_R_PASSED_NULL_PARAMETER); \
                                        return AWS_LC_ERROR)
 
+
+// Windows doesn't really support weak symbols as of May 2019, and Clang on
+// Windows will emit strong symbols instead. See
+// https://bugs.llvm.org/show_bug.cgi?id=37598
+#if defined(__ELF__) && defined(__GNUC__)
+#define WEAK_SYMBOL_FUNC(rettype, name, args) \
+rettype name args __attribute__((weak));
+#else
+#define WEAK_SYMBOL_FUNC(rettype, name, args) static rettype(*name) args = NULL;
+#endif
+
 #if defined(__cplusplus)
 }  // extern C
 #endif
diff --git a/crypto/mem.c b/crypto/mem.c
index 2490358ce4..2e296b3779 100644
--- a/crypto/mem.c
+++ b/crypto/mem.c
@@ -86,16 +86,6 @@ static void __asan_poison_memory_region(const void *addr, size_t size) {}
 static void __asan_unpoison_memory_region(const void *addr, size_t size) {}
 #endif
 
-// Windows doesn't really support weak symbols as of May 2019, and Clang on
-// Windows will emit strong symbols instead. See
-// https://bugs.llvm.org/show_bug.cgi?id=37598
-#if defined(__ELF__) && defined(__GNUC__)
-#define WEAK_SYMBOL_FUNC(rettype, name, args) \
-  rettype name args __attribute__((weak));
-#else
-#define WEAK_SYMBOL_FUNC(rettype, name, args) static rettype(*name) args = NULL;
-#endif
-
 #define AWSLC_FILE ""
 #define AWSLC_LINE 0
 
diff --git a/tests/ci/run_fips_callback_tests.sh b/tests/ci/run_fips_callback_tests.sh
new file mode 100755
index 0000000000..b788a68c76
--- /dev/null
+++ b/tests/ci/run_fips_callback_tests.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+set -ex
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+source tests/ci/common_posix_setup.sh
+
+original_test="${BUILD_ROOT}/crypto/crypto_test"
+broken_test="${BUILD_ROOT}/crypto/crypto_test_broken"
+
+# By default the test should pass
+$original_test --gtest_filter=FIPSCallback.PowerOnSelfTests
+$original_test --gtest_filter=FIPSCallback.PWCT
+
+# Break the tests
+KATS=$(go run "${SRC_ROOT}/util/fipstools/break-kat.go" --list-tests)
+for kat in $KATS; do
+  go run "${SRC_ROOT}/util/fipstools/break-kat.go" "$original_test" "$kat" > "$broken_test"
+  chmod +x "$broken_test"
+  export FIPS_CALLBACK_TEST_EXPECTED_FAILURE="$kat"
+  # When a callback is defined AWS-LC will not abort and the test should exit successfully
+  $broken_test --gtest_filter=FIPSCallback.PowerOnSelfTests
+  unset FIPS_CALLBACK_TEST_EXPECTED_FAILURE
+done
+
+for TEST in RSA_PWCT ECDSA_PWCT EDDSA_PWCT MLKEM_PWCT MLDSA_PWCT; do
+    export FIPS_CALLBACK_TEST_EXPECTED_FAILURE="${TEST}"
+    export BORINGSSL_FIPS_BREAK_TEST="${TEST}"
+    $original_test --gtest_filter=FIPSCallback.PWCT
+done
diff --git a/tests/ci/run_fips_tests.sh b/tests/ci/run_fips_tests.sh
index af432696eb..4d0e4fd181 100755
--- a/tests/ci/run_fips_tests.sh
+++ b/tests/ci/run_fips_tests.sh
@@ -31,6 +31,10 @@ if static_linux_supported || static_openbsd_supported; then
   echo "Testing AWS-LC static library in FIPS Release mode."
   fips_build_and_test -DCMAKE_BUILD_TYPE=Release
 
+  echo "Testing AWS-LC static breakable build with custom callback enabled"
+  run_build -DFIPS=1 -DCMAKE_C_FLAGS="-DBORINGSSL_FIPS_BREAK_TESTS -DAWSLC_FIPS_FAILURE_CALLBACK"
+  ./tests/ci/run_fips_callback_tests.sh
+
   echo "Testing AWS-LC static breakable release build"
   run_build -DFIPS=1 -DCMAKE_C_FLAGS="-DBORINGSSL_FIPS_BREAK_TESTS"
   ./util/fipstools/test-break-kat.sh
diff --git a/util/fipstools/break-kat.go b/util/fipstools/break-kat.go
index 793da5d4ea..e4c1a4642f 100644
--- a/util/fipstools/break-kat.go
+++ b/util/fipstools/break-kat.go
@@ -25,9 +25,9 @@ var (
 		"SHA-256":                          "ff3b857da7236a2baa0f396b51522217",
 		"SHA-512":                          "212512f8d2ad8322781c6c4d69a9daa1",
 		"SHA3-256":                         "d83c721ee51b060c5a41438a8221e040",
-		"HKDF-SHA-256":                     "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
+		"HKDF-SHA-256":                     "ca5e6410e7a52332fe0ab3601212a7d3dbdf55a162af42a5daf38b94f24523477e880dd711508684cc21",
 		"TLS-KDF":                          "abc3657b094c7628a0b282996fe75a75f4984fd94d4ecc2fcf53a2c469a3f731",
-		"PBKDF2":                           "70617373776F726450415353574F524470617373776F7264",
+		"PBKDF2":                           "4157532d4c434649505370617373776f7264",
 		"SSKDF":                            "39a1e2b3899e87efecf6271282d8f8008f252686dd35bfc39a0f71478da48c691565cee431254dd50cab7462c6cf199be9bf5c",
 		"KBKDF":                            "dd1d91b7d90b2bd3138533ce92b272fbf8a369316aefe242e659cc0ae238afe0",
 		"RSA-sign":                         "d2b56e53306f720d7929d8708bf46f1c22300305582b115bedcac722d8aa5ab2",