FIPS POST induced failure in OpenSSL3.0.0 for FIPS 140-2 compliance

Cristian Andrei Sandu cristians at ceragon.com
Fri Oct 29 15:40:46 UTC 2021


Hi all,

I'm currently updating an application from OpenSSL 1.0.2d to OpenSSL 3.0.0 in preparation for a FIPS 140-2 submission and I'm not sure how to approach the issue of induced failures for the power on self tests.

In OpenSSL 1.0.2d we used to use FIPS_post_set_callback() for this purpose, by setting a callback that would trigger a failure of a specific test.

The OpenSSL 3.0.0 design states that "Any special case code needed to return intermediate values (say for CAVS key generation), to display info (self test states), or change the normal flow of FIPS module code (e.g - self test failure or failing a keygen loop that supplies fixed rand values) will be controlled by embedding callbacks into the FIPS module code."

Could you give me some pointers on what would be the best approach for this in OpenSSL 3.0.0? Am I supposed to use the OSSL_SELF_TEST_* APIs to replace the fips_self_test() callback inside the FIPS module, or do I somehow need to patch the FIPS provider with new functionality? Any help would be greatly appreciated.

Thanks,
Cristian Sandu
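
Added example, not part of the original message and not OpenSSL code: a self-contained C model of the mechanism in the quoted design statement, where a callback embedded in the self-test path decides whether a known-answer test (KAT) input is corrupted. All names are hypothetical, and 32-bit FNV-1a stands in for a real approved algorithm.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not OpenSSL code: the hook returns 0 in the
 * "Corrupt" phase to ask the module to corrupt that test's input. */
typedef int (*st_hook)(const char *phase, const char *desc, void *arg);
struct kat { const char *desc; const char *msg; uint32_t expected; };

/* Known answers: 32-bit FNV-1a (stand-in algorithm) of each message. */
static const struct kat kats[] = {
    { "KAT_ABC", "abc", 0x1A47E90Bu },
    { "KAT_AB",  "ab",  0x4D2505CAu },
};

static uint32_t fnv1a(const unsigned char *p, size_t n) {
    uint32_t h = 2166136261u;
    while (n--) { h ^= *p++; h *= 16777619u; }
    return h;
}

static int run_kat(const struct kat *k, st_hook cb, void *arg) {
    unsigned char buf[8];
    size_t n = strlen(k->msg);
    memcpy(buf, k->msg, n);
    /* Embedded hook: normal flow changes only when the callback asks. */
    if (cb != NULL && cb("Corrupt", k->desc, arg) == 0)
        buf[0] ^= 0x01;
    int ok = fnv1a(buf, n) == k->expected;
    if (cb != NULL)
        (void)cb(ok ? "Pass" : "Fail", k->desc, arg);
    return ok;
}

/* Power-on self test: 1 if every KAT passes, 0 (error state) otherwise. */
int run_post(st_hook cb, void *arg) {
    int ok = 1;
    for (size_t i = 0; i < sizeof(kats) / sizeof(kats[0]); i++)
        ok &= run_kat(&kats[i], cb, arg);
    return ok;
}

/* Harness callback: arg names the single KAT whose failure is induced. */
int induce_failure(const char *phase, const char *desc, void *arg) {
    return !(strcmp(phase, "Corrupt") == 0 && strcmp(desc, arg) == 0);
}

int main(void) {
    printf("%d %d\n", run_post(NULL, NULL), run_post(induce_failure, "KAT_AB"));
    return 0;
}
```

The module code is identical in both runs; only the caller-supplied callback differs, which is what lets a test harness demonstrate the failure path without patching the module.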