Not able to perform FIPS self-tests

Gahlot, Ashish Kumar Ashish-Kumar.Gahlot at rbbn.com
Tue Feb 8 06:41:34 UTC 2022 

Hello All,

I'm trying to execute self-tests that FIPS runs after installation manually by calling the APIs. I'm using code from https://github.com/openssl/openssl/blob/7cce994d3e57345ba729388b9321d9bf8b661b4f/providers/fips/self_test_kats.c but I'm getting NULL when I'm trying to fetch the encryption algorithm. Is there a way to perform self-tests that FIPS runs after installation because I did not find any code in fipsinstall.c where it is directly calling the APIs.


int self_test_digest(const ST_KAT_DIGEST *t, OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
{

    int ok = 0;
    unsigned char out[EVP_MAX_MD_SIZE];
    unsigned int out_len = 0;
    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
    EVP_MD *md = EVP_MD_fetch(libctx, t->algorithm, NULL);

    OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_DIGEST, t->desc);

    if (ctx == NULL)
    {syslog(LOG_NOTICE, "ctx NULL"); goto err;}

    if (md == NULL)
    {syslog(LOG_NOTICE, "md is NULL"); goto err;}    //  <-------------------  This is getting failed!

    if (!EVP_DigestInit_ex(ctx, md, NULL))
    {syslog(LOG_NOTICE, "digest failed"); goto err;}

    if (!EVP_DigestUpdate(ctx, sha1_pt, t->pt_len))
    {syslog(LOG_NOTICE, "digest update failed"); goto err;}

    if (!EVP_DigestFinal(ctx, out, &out_len))
    {syslog(LOG_NOTICE, "digest final failed"); goto err;}

    /* Optional corruption */
    OSSL_SELF_TEST_oncorrupt_byte(st, out);
    for (int i=0; i < (int)t->expected_len; i++)
   {syslog(LOG_NOTICE, "%x", out[i]);}

    if (out_len != t->expected_len
            || memcmp(out, sha1_digest, out_len) != 0)
        goto err;
    ok = 1;
err:
    EVP_MD_free(md);
    EVP_MD_CTX_free(ctx);
    OSSL_SELF_TEST_onend(st, ok);
    return ok;
}

static int self_test_digests(OSSL_LIB_CTX *libctx)
{
    OSSL_SELF_TEST *st = NULL;
    st = OSSL_SELF_TEST_new(SelfTestCb, NULL);
    if (st == NULL)
        syslog(LOG_NOTICE, "OSSL_SELF_TEST_new failed");
    int i, ret = 1;

    for (i = 0; i < (int)OSSL_NELEM(st_kat_digest_tests); ++i) {
        if (!self_test_digest(&st_kat_digest_tests[i], st, libctx))
            ret = 0;
    }
    return ret;
}

if (!EVP_default_properties_enable_fips(libctx,1))
{
                ...
}

self_test_digests(libctx);

Thanks,
Ashish

Notice: This e-mail together with any attachments may contain information of Ribbon Communications Inc. and its Affiliates that is confidential and/or proprietary for the sole use of the intended recipient. Any review, disclosure, reliance or distribution by others or forwarding without express permission is strictly prohibited. If you are not the intended recipient, please notify the sender immediately and then delete all copies, including any attachments.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20220208/2cdb05e3/attachment.htm>

More information about the openssl-users mailing list