[EXTERNAL] Re: Not able to perform FIPS self-tests

Dr Paul Dale pauli at openssl.org
Tue Feb 15 08:09:59 UTC 2022


Shane Lontis suggested this:

    /Don't return 0 during the Corruption phase unless you are trying to
    deliberately make it fail./
    //
    /OSSL_PROVIDER_self_test() can be used to run the self tests on demand./

//

Dr Paul Dale


On 11/2/22 17:23, Gahlot, Ashish Kumar wrote:
>
> Hi,
>
> Thanks Pauli, the API worked but also I have a callback defined as 
> below which is failing at corrupt phase:
>
> int SelfTestCb(const OSSL_PARAM params[], void *arg)
>
> {
>
>     int ret = 0;
>
>     const OSSL_PARAM *p = NULL;
>
>     const char *phase = NULL;
>
>     const char *type = NULL;
>
>     const char *desc = NULL;
>
>     //BIO *bio_out = BIO_new_file("FipsSelfTestFile.txt", "w");
>
>     p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_PHASE);
>
>     if ((p == NULL) || (arg) || (p -> data_type != 
> OSSL_PARAM_UTF8_STRING))
>
>         goto err;
>
>     phase = (const char *)p -> data;
>
>     p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_DESC);
>
>     if ((p == NULL) || (p -> data_type != OSSL_PARAM_UTF8_STRING))
>
>         goto err;
>
>     desc = (const char *)p -> data;
>
>     p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_TYPE);
>
>     if ((p == NULL) || (p -> data_type != OSSL_PARAM_UTF8_STRING))
>
>         goto err;
>
>     type = (const char *)p ->data;
>
>     /* Do some logging */
>
>     if (strcmp(phase, OSSL_SELF_TEST_PHASE_START) == 0)
>
>         syslog(LOG_NOTICE, "%s : (%s) : ", desc, type);
>
>     if ((strcmp(phase, OSSL_SELF_TEST_PHASE_PASS) == 0)
>
>             || (strcmp(phase, OSSL_SELF_TEST_PHASE_FAIL) ==0))
>
>         syslog(LOG_NOTICE, "%s\n", phase);
>
>     /* Corrupt the SHA1 self-test during the 'corrupt' phase by 
> returning 0 */
>
>     if (strcmp(phase, OSSL_SELF_TEST_PHASE_CORRUPT) == 
> 0){                // ß--------------THIS FAILS
>
>         syslog(LOG_NOTICE, "%s %s", phase, desc);
>
>         return 0;
>
>         }
>
>     ret = 1;
>
> err:
>
>     return ret;
>
> }
>
> Thanks,
>
> Ashish
>
> *From:* openssl-users <openssl-users-bounces at openssl.org> *On Behalf 
> Of *Dr Paul Dale
> *Sent:* Tuesday, February 8, 2022 1:35 PM
> *To:* openssl-users at openssl.org
> *Subject:* [EXTERNAL] Re: Not able to perform FIPS self-tests
>
> Have you considered using the provided for this: 
> OSSL_PROVIDER_self_test()?
> https://www.openssl.org/docs/man3.0/man3/OSSL_PROVIDER.html 
> <https://clicktime.symantec.com/3MLQWE4xgv1bwQFXJyvrWt87GS?u=https%3A%2F%2Fwww.openssl.org%2Fdocs%2Fman3.0%2Fman3%2FOSSL_PROVIDER.html>
>
> Pauli
>
> On 8/2/22 17:41, Gahlot, Ashish Kumar wrote:
>
>     Hello All,
>
>     I’m trying to execute self-tests that FIPS runs after installation
>     manually by calling the APIs. I’m using code from
>     https://github.com/openssl/openssl/blob/7cce994d3e57345ba729388b9321d9bf8b661b4f/providers/fips/self_test_kats.c
>     <https://clicktime.symantec.com/34e4QufezjLGGtyNv3jNidX7GS?u=https%3A%2F%2Fgithub.com%2Fopenssl%2Fopenssl%2Fblob%2F7cce994d3e57345ba729388b9321d9bf8b661b4f%2Fproviders%2Ffips%2Fself_test_kats.c>
>     but I’m getting NULL when I’m trying to fetch the encryption
>     algorithm. Is there a way to perform self-tests that FIPS runs
>     after installation because I did not find any code in
>     fipsinstall.c where it is directly calling the APIs.
>
>     int self_test_digest(const ST_KAT_DIGEST *t, OSSL_SELF_TEST *st,
>     OSSL_LIB_CTX *libctx)
>
>     {
>
>         int ok = 0;
>
>         unsigned char out[EVP_MAX_MD_SIZE];
>
>         unsigned int out_len = 0;
>
>         EVP_MD_CTX *ctx = EVP_MD_CTX_new();
>
>         EVP_MD *md = EVP_MD_fetch(libctx, t->algorithm, NULL);
>
>         OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_DIGEST,
>     t->desc);
>
>         if (ctx == NULL)
>
>         {syslog(LOG_NOTICE, "ctx NULL"); goto err;}
>
>         if (md == NULL)
>
>         {syslog(LOG_NOTICE, "md is NULL"); goto err;}    // 
>     <-------------------  This is getting failed!
>
>         if (!EVP_DigestInit_ex(ctx, md, NULL))
>
>         {syslog(LOG_NOTICE, "digest failed"); goto err;}
>
>         if (!EVP_DigestUpdate(ctx, sha1_pt, t->pt_len))
>
>         {syslog(LOG_NOTICE, "digest update failed"); goto err;}
>
>         if (!EVP_DigestFinal(ctx, out, &out_len))
>
>         {syslog(LOG_NOTICE, "digest final failed"); goto err;}
>
>         /* Optional corruption */
>
>         OSSL_SELF_TEST_oncorrupt_byte(st, out);
>
>         for (int i=0; i < (int)t->expected_len; i++)
>
>        {syslog(LOG_NOTICE, "%x", out[i]);}
>
>         if (out_len != t->expected_len
>
>                 || memcmp(out, sha1_digest, out_len) != 0)
>
>             goto err;
>
>         ok = 1;
>
>     err:
>
>         EVP_MD_free(md);
>
>         EVP_MD_CTX_free(ctx);
>
>         OSSL_SELF_TEST_onend(st, ok);
>
>         return ok;
>
>     }
>
>     static int self_test_digests(OSSL_LIB_CTX *libctx)
>
>     {
>
>         OSSL_SELF_TEST *st = NULL;
>
>         st = OSSL_SELF_TEST_new(SelfTestCb, NULL);
>
>         if (st == NULL)
>
>             syslog(LOG_NOTICE, "OSSL_SELF_TEST_new failed");
>
>         int i, ret = 1;
>
>         for (i = 0; i < (int)OSSL_NELEM(st_kat_digest_tests); ++i) {
>
>             if (!self_test_digest(&st_kat_digest_tests[i], st, libctx))
>
>                 ret = 0;
>
>         }
>
>         return ret;
>
>     }
>
>     if (!EVP_default_properties_enable_fips(libctx,1))
>
>     {
>
>                     ...
>
>     }
>
>     self_test_digests(libctx);
>
>     Thanks,
>
>     Ashish
>
>
>     Notice: This e-mail together with any attachments may contain
>     information of Ribbon Communications Inc. and its Affiliates that
>     is confidential and/or proprietary for the sole use of the
>     intended recipient. Any review, disclosure, reliance or
>     distribution by others or forwarding without express permission is
>     strictly prohibited. If you are not the intended recipient, please
>     notify the sender immediately and then delete all copies,
>     including any attachments.
>
>
> Notice: This e-mail together with any attachments may contain 
> information of Ribbon Communications Inc. and its Affiliates that is 
> confidential and/or proprietary for the sole use of the intended 
> recipient. Any review, disclosure, reliance or distribution by others 
> or forwarding without express permission is strictly prohibited. If 
> you are not the intended recipient, please notify the sender 
> immediately and then delete all copies, including any attachments.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20220215/f9acbfc3/attachment-0001.htm>


More information about the openssl-users mailing list