Hi,
Thanks Pauli, the API worked but also I have a callback defined as
below which is failing at corrupt phase:
int SelfTestCb(const OSSL_PARAM params[], void *arg)
{
int ret = 0;
const OSSL_PARAM *p = NULL;
const char *phase = NULL;
const char *type = NULL;
const char *desc = NULL;
//BIO *bio_out = BIO_new_file("FipsSelfTestFile.txt", "w");
p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_PHASE);
if ((p == NULL) || (arg) || (p -> data_type !=
OSSL_PARAM_UTF8_STRING))
goto err;
phase = (const char *)p -> data;
p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_DESC);
if ((p == NULL) || (p -> data_type != OSSL_PARAM_UTF8_STRING))
goto err;
desc = (const char *)p -> data;
p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_TYPE);
if ((p == NULL) || (p -> data_type != OSSL_PARAM_UTF8_STRING))
goto err;
type = (const char *)p ->data;
/* Do some logging */
if (strcmp(phase, OSSL_SELF_TEST_PHASE_START) == 0)
syslog(LOG_NOTICE, "%s : (%s) : ", desc, type);
if ((strcmp(phase, OSSL_SELF_TEST_PHASE_PASS) == 0)
|| (strcmp(phase, OSSL_SELF_TEST_PHASE_FAIL) ==0))
syslog(LOG_NOTICE, "%s\n", phase);
/* Corrupt the SHA1 self-test during the 'corrupt' phase by
returning 0 */
if (strcmp(phase, OSSL_SELF_TEST_PHASE_CORRUPT) ==
0){ // ß--------------THIS FAILS
syslog(LOG_NOTICE, "%s %s", phase, desc);
return 0;
}
ret = 1;
err:
return ret;
}
Thanks,
Ashish
*From:* openssl-users <openssl-users-boun...@openssl.org> *On Behalf
Of *Dr Paul Dale
*Sent:* Tuesday, February 8, 2022 1:35 PM
*To:* openssl-users@openssl.org
*Subject:* [EXTERNAL] Re: Not able to perform FIPS self-tests
Have you considered using the provided for this:
OSSL_PROVIDER_self_test()?
https://www.openssl.org/docs/man3.0/man3/OSSL_PROVIDER.html
<https://clicktime.symantec.com/3MLQWE4xgv1bwQFXJyvrWt87GS?u=https%3A%2F%2Fwww.openssl.org%2Fdocs%2Fman3.0%2Fman3%2FOSSL_PROVIDER.html>
Pauli
On 8/2/22 17:41, Gahlot, Ashish Kumar wrote:
Hello All,
I’m trying to execute self-tests that FIPS runs after installation
manually by calling the APIs. I’m using code from
https://github.com/openssl/openssl/blob/7cce994d3e57345ba729388b9321d9bf8b661b4f/providers/fips/self_test_kats.c
<https://clicktime.symantec.com/34e4QufezjLGGtyNv3jNidX7GS?u=https%3A%2F%2Fgithub.com%2Fopenssl%2Fopenssl%2Fblob%2F7cce994d3e57345ba729388b9321d9bf8b661b4f%2Fproviders%2Ffips%2Fself_test_kats.c>
but I’m getting NULL when I’m trying to fetch the encryption
algorithm. Is there a way to perform self-tests that FIPS runs
after installation because I did not find any code in
fipsinstall.c where it is directly calling the APIs.
int self_test_digest(const ST_KAT_DIGEST *t, OSSL_SELF_TEST *st,
OSSL_LIB_CTX *libctx)
{
int ok = 0;
unsigned char out[EVP_MAX_MD_SIZE];
unsigned int out_len = 0;
EVP_MD_CTX *ctx = EVP_MD_CTX_new();
EVP_MD *md = EVP_MD_fetch(libctx, t->algorithm, NULL);
OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_DIGEST,
t->desc);
if (ctx == NULL)
{syslog(LOG_NOTICE, "ctx NULL"); goto err;}
if (md == NULL)
{syslog(LOG_NOTICE, "md is NULL"); goto err;} //
<------------------- This is getting failed!
if (!EVP_DigestInit_ex(ctx, md, NULL))
{syslog(LOG_NOTICE, "digest failed"); goto err;}
if (!EVP_DigestUpdate(ctx, sha1_pt, t->pt_len))
{syslog(LOG_NOTICE, "digest update failed"); goto err;}
if (!EVP_DigestFinal(ctx, out, &out_len))
{syslog(LOG_NOTICE, "digest final failed"); goto err;}
/* Optional corruption */
OSSL_SELF_TEST_oncorrupt_byte(st, out);
for (int i=0; i < (int)t->expected_len; i++)
{syslog(LOG_NOTICE, "%x", out[i]);}
if (out_len != t->expected_len
|| memcmp(out, sha1_digest, out_len) != 0)
goto err;
ok = 1;
err:
EVP_MD_free(md);
EVP_MD_CTX_free(ctx);
OSSL_SELF_TEST_onend(st, ok);
return ok;
}
static int self_test_digests(OSSL_LIB_CTX *libctx)
{
OSSL_SELF_TEST *st = NULL;
st = OSSL_SELF_TEST_new(SelfTestCb, NULL);
if (st == NULL)
syslog(LOG_NOTICE, "OSSL_SELF_TEST_new failed");
int i, ret = 1;
for (i = 0; i < (int)OSSL_NELEM(st_kat_digest_tests); ++i) {
if (!self_test_digest(&st_kat_digest_tests[i], st, libctx))
ret = 0;
}
return ret;
}
if (!EVP_default_properties_enable_fips(libctx,1))
{
...
}
self_test_digests(libctx);
Thanks,
Ashish
Notice: This e-mail together with any attachments may contain
information of Ribbon Communications Inc. and its Affiliates that
is confidential and/or proprietary for the sole use of the
intended recipient. Any review, disclosure, reliance or
distribution by others or forwarding without express permission is
strictly prohibited. If you are not the intended recipient, please
notify the sender immediately and then delete all copies,
including any attachments.
Notice: This e-mail together with any attachments may contain
information of Ribbon Communications Inc. and its Affiliates that is
confidential and/or proprietary for the sole use of the intended
recipient. Any review, disclosure, reliance or distribution by others
or forwarding without express permission is strictly prohibited. If
you are not the intended recipient, please notify the sender
immediately and then delete all copies, including any attachments.