Not able to perform FIPS self-tests

Dr Paul Dale pauli at openssl.org
Tue Feb 8 08:04:56 UTC 2022


Have you considered using the function provided for this: OSSL_PROVIDER_self_test()?
https://www.openssl.org/docs/man3.0/man3/OSSL_PROVIDER.html

Pauli

On 8/2/22 17:41, Gahlot, Ashish Kumar wrote:
>
> Hello All,
>
> I’m trying to execute self-tests that FIPS runs after installation 
> manually by calling the APIs. I’m using code from 
> https://github.com/openssl/openssl/blob/7cce994d3e57345ba729388b9321d9bf8b661b4f/providers/fips/self_test_kats.c 
> but I’m getting NULL when I’m trying to fetch the encryption 
> algorithm. Is there a way to perform self-tests that FIPS runs after 
> installation because I did not find any code in fipsinstall.c where it 
> is directly calling the APIs.
>
> int self_test_digest(const ST_KAT_DIGEST *t, OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
> {
>     int ok = 0;
>     unsigned char out[EVP_MAX_MD_SIZE];
>     unsigned int out_len = 0;
>     EVP_MD_CTX *ctx = EVP_MD_CTX_new();
>     EVP_MD *md = EVP_MD_fetch(libctx, t->algorithm, NULL);
>
>     OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_DIGEST, t->desc);
>     if (ctx == NULL)
>     {syslog(LOG_NOTICE, "ctx NULL"); goto err;}
>     if (md == NULL)
>     {syslog(LOG_NOTICE, "md is NULL"); goto err;}    //  <-------------------  This is getting failed!
>     if (!EVP_DigestInit_ex(ctx, md, NULL))
>     {syslog(LOG_NOTICE, "digest failed"); goto err;}
>     if (!EVP_DigestUpdate(ctx, sha1_pt, t->pt_len))
>     {syslog(LOG_NOTICE, "digest update failed"); goto err;}
>     if (!EVP_DigestFinal(ctx, out, &out_len))
>     {syslog(LOG_NOTICE, "digest final failed"); goto err;}
>     /* Optional corruption */
>     OSSL_SELF_TEST_oncorrupt_byte(st, out);
>     for (int i=0; i < (int)t->expected_len; i++)
>     {syslog(LOG_NOTICE, "%x", out[i]);}
>     if (out_len != t->expected_len
>             || memcmp(out, sha1_digest, out_len) != 0)
>         goto err;
>     ok = 1;
> err:
>     EVP_MD_free(md);
>     EVP_MD_CTX_free(ctx);
>     OSSL_SELF_TEST_onend(st, ok);
>     return ok;
> }
>
> static int self_test_digests(OSSL_LIB_CTX *libctx)
> {
>     OSSL_SELF_TEST *st = NULL;
>     st = OSSL_SELF_TEST_new(SelfTestCb, NULL);
>     if (st == NULL)
>         syslog(LOG_NOTICE, "OSSL_SELF_TEST_new failed");
>     int i, ret = 1;
>     for (i = 0; i < (int)OSSL_NELEM(st_kat_digest_tests); ++i) {
>         if (!self_test_digest(&st_kat_digest_tests[i], st, libctx))
>             ret = 0;
>     }
>     return ret;
> }
>
> if (!EVP_default_properties_enable_fips(libctx,1))
> {
>                 ...
> }
>
> self_test_digests(libctx);
>
> Thanks,
>
> Ashish