self test on demand

Dr Paul Dale pauli at openssl.org
Mon Apr 10 21:50:07 UTC 2023


To know for certain that the tests are being run, set up a test callback 
and print something out.
Look at the manual for "OSSL_SELF_TEST_new" and the fipsinstall command 
for specifics.

Paul Dale

On 7/4/23 03:08, Prasad, PCRaghavendra wrote:
>
> Hi Dr.Paul,
>
> GM,
>
> We have tried using the OSSL_PROVIDER_self_test() call and went through 
> the documentation of the provider module.
>
> Code:
>
> ====
>
> OSSL_PROVIDER *fips;
> OSSL_PROVIDER *base;
>
> fips = OSSL_PROVIDER_load(NULL, "fips");
> if (fips == NULL) {
>     printf("Failed to load FIPS provider\n");
>     return 1;
> }
>
> //EVP_set_default_properties(NULL, "fips=yes");
> EVP_default_properties_enable_fips(NULL, enable);
>
> int iCheckProv = OSSL_PROVIDER_available(NULL, "fips");
> printf("check for fips provider : %d\n", iCheckProv);
>
> iCheckProv = OSSL_PROVIDER_self_test(fips);
> printf("check for self test FIPS provider : %d\n", iCheckProv);
>
> Output
>
> =====
>
> check for fips provider : 1
>
> check for self test FIPS provider : 1
>
> -----------
>
> The doubt is that it executes so fast that we are not sure whether the 
> tests passed or failed.
>
> In the provider.c code after looking into the function
>
> int ret;
>
> if (prov->self_test == NULL)
>     return 1; /* <-- assuming it has come out of here */
>
> ret = prov->self_test(prov->provctx);
>
> So is there a way to check whether the self tests really ran 
> successfully or not?
>
> Please provide your input
>
> Thanks,
>
> From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Dr Paul Dale
> Sent: Thursday, April 6, 2023 4:44 AM
> To: openssl-users at openssl.org
> Subject: Re: self test on demand
>
> Try the OSSL_PROVIDER_self_test() call.  You should not call any of 
> the SELF_TEST APIs unless you are writing self tests.
>
> Also note that only the 3.0.0 FIPS provider is validated.  You cannot 
> just build any 3.0.x version and expect to be FIPS compliant.
>
>
> Paul Dale
>
> On 6/4/23 00:20, Prasad, PCRaghavendra via openssl-users wrote:
>
>     Hi Team,
>
>     Good morning.
>
>     We are in the process of enabling FIPS using OpenSSL 3.0.x and
>     using python 3.11.2.
>
>     In the self-test code, we could see a few methods that can be
>     called on demand:
>
>     /* This API is triggered either on loading of the FIPS module or
>     on demand */
>
>     int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
>
>     So we wanted to get some information on how it can be called on
>     demand. We know that calling fipsinstall will internally call
>     this method and do the self-test, but we are just doing a POC of
>     calling it on demand.
>
>     So is it possible to call this method, or should we not call it? If
>     we can, what needs to be filled in the SELF_TEST_POST_PARAMS structure?
>
>     Please provide your input/thoughts.
>
>     Thanks,
>
>     Raghu
>