self test on demand

Prasad, PCRaghavendra Pcraghavendra.Prasad at dell.com
Thu Apr 6 17:08:46 UTC 2023


Hi Dr.Paul,

GM,

We have tried using the OSSL_PROVIDER_self_test() call and went through the documentation of the provider module.

Code:
====
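#include <stdio.h>
#include <openssl/evp.h>
#include <openssl/provider.h>

int main(void)
{
    OSSL_PROVIDER *fips;
    OSSL_PROVIDER *base;   /* declared in the original snippet, not used here */
    int enable = 1;        /* assumed value; not defined in the original snippet */
    int iCheckProv;

    /* Load the FIPS provider into the default library context. */
    fips = OSSL_PROVIDER_load(NULL, "fips");
    if (fips == NULL) {
        printf("Failed to load FIPS provider\n");
        return 1;
    }

    /* EVP_set_default_properties(NULL, "fips=yes"); */
    EVP_default_properties_enable_fips(NULL, enable);

    /* 1 if the provider is available in this library context. */
    iCheckProv = OSSL_PROVIDER_available(NULL, "fips");
    printf("check for fips provider : %d\n", iCheckProv);

    /* Run the provider's self tests on demand. */
    iCheckProv = OSSL_PROVIDER_self_test(fips);
    printf("check for self test FIPS provider : %d\n", iCheckProv);

    return 0;
}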

Output
=====
check for fips provider : 1
check for self test FIPS provider : 1

-----------

The doubt is that it executes so fast that we are not sure whether the tests passed or failed.

In the provider.c code, after looking into the function:

    int ret;

    if (prov->self_test == NULL)
        return 1;   /* <-- assuming it has come out of here */
    ret = prov->self_test(prov->provctx);

So is there a way to check whether the self tests really ran successfully or not?

Please provide your input.

Thanks,



Internal Use - Confidential
From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Dr Paul Dale
Sent: Thursday, April 6, 2023 4:44 AM
To: openssl-users at openssl.org
Subject: Re: self test on demand


Try the OSSL_PROVIDER_self_test() call.  You should not call any of the SELF_TEST APIs unless you are writing self tests.

Also note that only the 3.0.0 FIPS provider is validated.  You cannot just build any 3.0.x version and expect to be FIPS compliant.


Paul Dale
On 6/4/23 00:20, Prasad, PCRaghavendra via openssl-users wrote:
Hi Team,

Good morning.

We are in the process of enabling FIPS using OpenSSL 3.0.x and using Python 3.11.2.

In the self-test code, we could see a few methods that can be called on demand

/* This API is triggered either on loading of the FIPS module or on demand */
int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)

So we wanted to get some information on how it can be called on demand. We know that calling fipsinstall will internally call this method and do the self-test, but we are just doing a POC of calling it on demand.

So is it possible to call this method, or should we not call it? If we can, what needs to be filled in the SELF_TEST_POST_PARAMS structure?

Please provide your input/thoughts.

Thanks,
Raghu



