self test on demand
Dr Paul Dale
pauli at openssl.org
Mon Apr 10 21:50:07 UTC 2023
To know for certain that the tests are being run, set up a test call
back and print something out.
Look at the manual for "OSSL_SELF_TEST_new" and the fipsinstall command
for specifics.
Paul Dale
On 7/4/23 03:08, Prasad, PCRaghavendra wrote:
>
> Hi Dr.Paul,
>
> GM,
>
> We have tried using the OSSL_PROVIDER_self_test() call and went thru
> the documentation of the provider module.
>
> Code:
>
> ====
>
> OSSL_PROVIDER *fips;
> OSSL_PROVIDER *base;
>
> fips = OSSL_PROVIDER_load(NULL, "fips");
> if (fips == NULL) {
>     printf("Failed to load FIPS provider\n");
>     return 1;
> }
>
> //EVP_set_default_properties(NULL, "fips=yes");
> EVP_default_properties_enable_fips(NULL, enable);
>
> int iCheckProv = OSSL_PROVIDER_available(NULL, "fips");
> printf("check for fips provider : %d\n", iCheckProv);
>
> iCheckProv = OSSL_PROVIDER_self_test(fips);
> printf("check for self test FIPS provider : %d\n", iCheckProv);
>
> Output
>
> =====
>
> check for fips provider : 1
>
> check for self test FIPS provider : 1
>
> -----------
>
> Our doubt is that it executes so fast that we are not sure whether the
> tests passed or failed.
>
> In the provider.c code after looking into the function
>
> int ret;
>
> if (prov->self_test == NULL)
>     return 1; ---------------------- > assuming it has come out of here
>
> ret = prov->self_test(prov->provctx);
>
> So is there a way to check whether the self tests really ran
> successfully or not?
>
> Please provide your input
>
> Thanks,
>
> *From:* openssl-users <openssl-users-bounces at openssl.org> *On Behalf
> Of *Dr Paul Dale
> *Sent:* Thursday, April 6, 2023 4:44 AM
> *To:* openssl-users at openssl.org
> *Subject:* Re: self test on demand
>
> Try the OSSL_PROVIDER_self_test() call. You should not call any of
> the SELF_TEST APIs unless you are writing self tests.
>
> Also note that only the 3.0.0 FIPS provider is validated. You cannot
> just build any 3.0.x version and expect to be FIPS compliant.
>
>
> Paul Dale
>
> On 6/4/23 00:20, Prasad, PCRaghavendra via openssl-users wrote:
>
> Hi Team,
>
> Good morning.
>
> We are in the process of enabling FIPS using OpenSSL 3.0.x and
> using python 3.11.2.
>
> In self-test code, we could see few methods where it can be called
> on demand
>
> /* This API is triggered either on loading of the FIPS module or
> on demand */
>
> int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
>
> so wanted to get some information on how it can be called on
> demand. We know when we call the fipsinstall will internally call
> this method and do self-test, but just we are doing POC of calling
> it on demand
>
> so is it possible to call this method or we should not call it? If
> we can in the SELF_TEST_POST_PARAMS structure what needs to be filled?
>
> Please provide your input/thoughts.
>
> Thanks,
>
> Raghu
>
>