[EXTERNAL] Re: Not able to perform FIPS self-tests
Dr Paul Dale
pauli at openssl.org
Tue Feb 15 08:09:59 UTC 2022
Shane Lontis suggested this:

Don't return 0 during the Corruption phase unless you are trying to
deliberately make it fail.

OSSL_PROVIDER_self_test() can be used to run the self tests on demand.

Dr Paul Dale
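The corrupt-phase semantics behind this advice, as an added model that is not OpenSSL's code and not from this thread: the framework asks the callback once per test in the Corrupt phase and flips the first output byte only when the callback answers 0, so a callback that returns 0 in every Corrupt phase (as the one posted below does) makes every KAT fail. The decision functions, the locally redefined constants and the sample digests are assumptions standing in for the real OSSL_PARAM-based callback and real KAT vectors.

```c
#include <string.h>
/* Phase and description strings as OpenSSL 3.0 defines them in
 * <openssl/self_test.h>, redefined so this model builds without OpenSSL. */
#define ST_PHASE_CORRUPT "Corrupt"
#define ST_DESC_SHA1     "SHA1"
#define ST_DESC_SHA2     "SHA2"

/* A callback decision: 1 = let the framework continue, 0 = force failure. */
typedef int (*decide_fn)(const char *phase, const char *desc, const char *target);

/* Mirrors the posted callback: answers 0 in EVERY Corrupt phase. */
int decide_as_posted(const char *phase, const char *desc, const char *target)
{
    (void)desc; (void)target;
    return strcmp(phase, ST_PHASE_CORRUPT) != 0;
}

/* Fixed decision: answer 0 only in the Corrupt phase and only for the one
 * test (target) whose failure is provoked on purpose; target == NULL means
 * never corrupt, which is what a production callback should do. */
int decide_targeted(const char *phase, const char *desc, const char *target)
{
    if (strcmp(phase, ST_PHASE_CORRUPT) != 0)
        return 1;                           /* Start/Pass/Fail: log only */
    return !(target != NULL && strcmp(desc, target) == 0);
}

/* Model of one KAT as the framework runs it: the callback is asked in the
 * Corrupt phase and, if it answers 0, the first output byte is flipped before
 * the comparison (the effect of OSSL_SELF_TEST_oncorrupt_byte).
 * Returns 1 on pass, 0 on fail. */
int run_kat_model(decide_fn cb, const char *target, const char *desc,
                  const unsigned char *expected, size_t len)
{
    unsigned char out[8];                   /* the "computed" digest: a copy */
    memcpy(out, expected, len);
    if (!cb(ST_PHASE_CORRUPT, desc, target))
        out[0] ^= 1;
    return memcmp(out, expected, len) == 0;
}

/* Runs two KATs on constructed sample digests (not real SHA values) and
 * returns how many of them pass. */
int count_passing(decide_fn cb, const char *target)
{
    const unsigned char sha1_exp[4] = {0x11, 0x22, 0x33, 0x44};
    const unsigned char sha2_exp[4] = {0xaa, 0xbb, 0xcc, 0xdd};
    return run_kat_model(cb, target, ST_DESC_SHA1, sha1_exp, 4)
         + run_kat_model(cb, target, ST_DESC_SHA2, sha2_exp, 4);
}
```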
On 11/2/22 17:23, Gahlot, Ashish Kumar wrote:
>
> Hi,
>
> Thanks Pauli, the API worked, but I also have a callback defined as
> below which is failing at the corrupt phase:
>
> #include <string.h>
> #include <syslog.h>
> #include <openssl/core_names.h>
> #include <openssl/params.h>
> #include <openssl/self_test.h>
>
> int SelfTestCb(const OSSL_PARAM params[], void *arg)
> {
>     int ret = 0;
>     const OSSL_PARAM *p = NULL;
>     const char *phase = NULL;
>     const char *type = NULL;
>     const char *desc = NULL;
>     //BIO *bio_out = BIO_new_file("FipsSelfTestFile.txt", "w");
>
>     p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_PHASE);
>     if ((p == NULL) || (arg) || (p->data_type != OSSL_PARAM_UTF8_STRING))
>         goto err;
>     phase = (const char *)p->data;
>
>     p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_DESC);
>     if ((p == NULL) || (p->data_type != OSSL_PARAM_UTF8_STRING))
>         goto err;
>     desc = (const char *)p->data;
>
>     p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_TYPE);
>     if ((p == NULL) || (p->data_type != OSSL_PARAM_UTF8_STRING))
>         goto err;
>     type = (const char *)p->data;
>
>     /* Do some logging */
>     if (strcmp(phase, OSSL_SELF_TEST_PHASE_START) == 0)
>         syslog(LOG_NOTICE, "%s : (%s) : ", desc, type);
>     if ((strcmp(phase, OSSL_SELF_TEST_PHASE_PASS) == 0)
>         || (strcmp(phase, OSSL_SELF_TEST_PHASE_FAIL) == 0))
>         syslog(LOG_NOTICE, "%s\n", phase);
>
>     /* Corrupt the SHA1 self-test during the 'corrupt' phase by returning 0 */
>     if (strcmp(phase, OSSL_SELF_TEST_PHASE_CORRUPT) == 0) { // <-------------- THIS FAILS
>         syslog(LOG_NOTICE, "%s %s", phase, desc);
>         return 0;
>     }
>     ret = 1;
> err:
>     return ret;
> }
>
> Thanks,
>
> Ashish
>
> From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Dr Paul Dale
> Sent: Tuesday, February 8, 2022 1:35 PM
> To: openssl-users at openssl.org
> Subject: [EXTERNAL] Re: Not able to perform FIPS self-tests
>
> Have you considered using the function provided for this,
> OSSL_PROVIDER_self_test()?
> https://www.openssl.org/docs/man3.0/man3/OSSL_PROVIDER.html
>
> Pauli
>
> On 8/2/22 17:41, Gahlot, Ashish Kumar wrote:
>
> Hello All,
>
> I’m trying to manually execute the self-tests that FIPS runs after
> installation by calling the APIs. I’m using code from
> https://github.com/openssl/openssl/blob/7cce994d3e57345ba729388b9321d9bf8b661b4f/providers/fips/self_test_kats.c
> but I’m getting NULL when I try to fetch the encryption
> algorithm. Is there a way to perform the self-tests that FIPS runs
> after installation? I did not find any code in
> fipsinstall.c that directly calls the APIs.
>
> int self_test_digest(const ST_KAT_DIGEST *t, OSSL_SELF_TEST *st,
>                      OSSL_LIB_CTX *libctx)
> {
>     int ok = 0;
>     unsigned char out[EVP_MAX_MD_SIZE];
>     unsigned int out_len = 0;
>     EVP_MD_CTX *ctx = EVP_MD_CTX_new();
>     EVP_MD *md = EVP_MD_fetch(libctx, t->algorithm, NULL);
>
>     OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_DIGEST, t->desc);
>     if (ctx == NULL)
>         { syslog(LOG_NOTICE, "ctx NULL"); goto err; }
>     if (md == NULL)
>         { syslog(LOG_NOTICE, "md is NULL"); goto err; } // <------------------- This is getting failed!
>     if (!EVP_DigestInit_ex(ctx, md, NULL))
>         { syslog(LOG_NOTICE, "digest failed"); goto err; }
>     if (!EVP_DigestUpdate(ctx, sha1_pt, t->pt_len))
>         { syslog(LOG_NOTICE, "digest update failed"); goto err; }
>     if (!EVP_DigestFinal(ctx, out, &out_len))
>         { syslog(LOG_NOTICE, "digest final failed"); goto err; }
>
>     /* Optional corruption */
>     OSSL_SELF_TEST_oncorrupt_byte(st, out);
>     for (int i = 0; i < (int)t->expected_len; i++)
>         { syslog(LOG_NOTICE, "%x", out[i]); }
>     if (out_len != t->expected_len
>         || memcmp(out, sha1_digest, out_len) != 0)
>         goto err;
>     ok = 1;
> err:
>     EVP_MD_free(md);
>     EVP_MD_CTX_free(ctx);
>     OSSL_SELF_TEST_onend(st, ok);
>     return ok;
> }
>
> static int self_test_digests(OSSL_LIB_CTX *libctx)
> {
>     OSSL_SELF_TEST *st = NULL;
>     int i, ret = 1;
>
>     st = OSSL_SELF_TEST_new(SelfTestCb, NULL);
>     if (st == NULL)
>         syslog(LOG_NOTICE, "OSSL_SELF_TEST_new failed");
>     for (i = 0; i < (int)OSSL_NELEM(st_kat_digest_tests); ++i) {
>         if (!self_test_digest(&st_kat_digest_tests[i], st, libctx))
>             ret = 0;
>     }
>     OSSL_SELF_TEST_free(st); /* release the self-test object once all KATs have run */
>     return ret;
> }
>
> if (!EVP_default_properties_enable_fips(libctx, 1))
> {
>     ...
> }
> self_test_digests(libctx);
>
> Thanks,
>
> Ashish
>
>
> Notice: This e-mail together with any attachments may contain
> information of Ribbon Communications Inc. and its Affiliates that
> is confidential and/or proprietary for the sole use of the
> intended recipient. Any review, disclosure, reliance or
> distribution by others or forwarding without express permission is
> strictly prohibited. If you are not the intended recipient, please
> notify the sender immediately and then delete all copies,
> including any attachments.