Not able to perform FIPS self-tests
Dr Paul Dale
pauli at openssl.org
Tue Feb 8 08:04:56 UTC 2022
Have you considered using the provided for this: OSSL_PROVIDER_self_test()?
https://www.openssl.org/docs/man3.0/man3/OSSL_PROVIDER.html
Pauli
On 8/2/22 17:41, Gahlot, Ashish Kumar wrote:
>
> Hello All,
>
> I’m trying to execute self-tests that FIPS runs after installation
> manually by calling the APIs. I’m using code from
> https://github.com/openssl/openssl/blob/7cce994d3e57345ba729388b9321d9bf8b661b4f/providers/fips/self_test_kats.c
> but I’m getting NULL when I’m trying to fetch the encryption
> algorithm. Is there a way to perform self-tests that FIPS runs after
> installation because I did not find any code in fipsinstall.c where it
> is directly calling the APIs.
>
> int self_test_digest(const ST_KAT_DIGEST *t, OSSL_SELF_TEST *st,
> OSSL_LIB_CTX *libctx)
>
> {
>
> int ok = 0;
>
> unsigned char out[EVP_MAX_MD_SIZE];
>
> unsigned int out_len = 0;
>
> EVP_MD_CTX *ctx = EVP_MD_CTX_new();
>
> EVP_MD *md = EVP_MD_fetch(libctx, t->algorithm, NULL);
>
> OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_DIGEST, t->desc);
>
> if (ctx == NULL)
>
> {syslog(LOG_NOTICE, "ctx NULL"); goto err;}
>
> if (md == NULL)
>
> {syslog(LOG_NOTICE, "md is NULL"); goto err;} //
> <------------------- This is getting failed!
>
> if (!EVP_DigestInit_ex(ctx, md, NULL))
>
> {syslog(LOG_NOTICE, "digest failed"); goto err;}
>
> if (!EVP_DigestUpdate(ctx, sha1_pt, t->pt_len))
>
> {syslog(LOG_NOTICE, "digest update failed"); goto err;}
>
> if (!EVP_DigestFinal(ctx, out, &out_len))
>
> {syslog(LOG_NOTICE, "digest final failed"); goto err;}
>
> /* Optional corruption */
>
> OSSL_SELF_TEST_oncorrupt_byte(st, out);
>
> for (int i=0; i < (int)t->expected_len; i++)
>
> {syslog(LOG_NOTICE, "%x", out[i]);}
>
> if (out_len != t->expected_len
>
> || memcmp(out, sha1_digest, out_len) != 0)
>
> goto err;
>
> ok = 1;
>
> err:
>
> EVP_MD_free(md);
>
> EVP_MD_CTX_free(ctx);
>
> OSSL_SELF_TEST_onend(st, ok);
>
> return ok;
>
> }
>
> static int self_test_digests(OSSL_LIB_CTX *libctx)
>
> {
>
> OSSL_SELF_TEST *st = NULL;
>
> st = OSSL_SELF_TEST_new(SelfTestCb, NULL);
>
> if (st == NULL)
>
> syslog(LOG_NOTICE, "OSSL_SELF_TEST_new failed");
>
> int i, ret = 1;
>
> for (i = 0; i < (int)OSSL_NELEM(st_kat_digest_tests); ++i) {
>
> if (!self_test_digest(&st_kat_digest_tests[i], st, libctx))
>
> ret = 0;
>
> }
>
> return ret;
>
> }
>
> if (!EVP_default_properties_enable_fips(libctx,1))
>
> {
>
> ...
>
> }
>
> self_test_digests(libctx);
>
> Thanks,
>
> Ashish
>
>
> Notice: This e-mail together with any attachments may contain
> information of Ribbon Communications Inc. and its Affiliates that is
> confidential and/or proprietary for the sole use of the intended
> recipient. Any review, disclosure, reliance or distribution by others
> or forwarding without express permission is strictly prohibited. If
> you are not the intended recipient, please notify the sender
> immediately and then delete all copies, including any attachments.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20220208/49550725/attachment-0001.htm>
More information about the openssl-users
mailing list