<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
To know for certain that the tests are being run, set up a test call
back and print something out.<br>
Look at the manual for "OSSL_SELF_TEST_new" and the fipsinstall
command for specifics.<br>
<br>
Paul Dale<br>
<br>
<div class="moz-cite-prefix">On 7/4/23 03:08, Prasad, PCRaghavendra
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:MN2PR19MB402963B9D56A3C65158EFE3D9A919@MN2PR19MB4029.namprd19.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style>@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}@font-face
{font-family:"Cascadia Mono";
panose-1:2 11 6 9 2 0 0 2 0 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}p.msipfooter90245289, li.msipfooter90245289, div.msipfooter90245289
{mso-style-name:msipfooter90245289;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}div.WordSection1
{page:WordSection1;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Hi Dr.Paul,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">GM,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We have tried using the
OSSL_PROVIDER_self_test() call and went thru the documentation
of the provider module.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Code:<o:p></o:p></p>
<p class="MsoNormal">====<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black">OSSL_PROVIDER* fips;<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black"> OSSL_PROVIDER* base;<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black">fips = OSSL_PROVIDER_load(</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:#6F008A">NULL</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black">,
</span><span style="font-size:9.5pt;font-family:"Cascadia
Mono";color:#A31515">"fips"</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black">);<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black">
</span><span style="font-size:9.5pt;font-family:"Cascadia
Mono";color:blue">if</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black"> (fips ==
</span><span style="font-size:9.5pt;font-family:"Cascadia
Mono";color:#6F008A">NULL</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black">) {<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black"> printf(</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:#A31515">"Failed to load FIPS provider\n"</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black">);<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black">
</span><span style="font-size:9.5pt;font-family:"Cascadia
Mono";color:blue">return</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black"> 1;<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black"> }<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:green">//EVP_set_default_properties(NULL,
"fips=yes");</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black">EVP_default_properties_enable_fips(</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:#6F008A">NULL</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black">,
</span><span style="font-size:9.5pt;font-family:"Cascadia
Mono";color:gray">enable</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black">);<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:blue">int</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black"> iCheckProv =
OSSL_PROVIDER_available(</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:#6F008A">NULL</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black">,
</span><span style="font-size:9.5pt;font-family:"Cascadia
Mono";color:#A31515">"fips"</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black">);<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black"> printf(</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:#A31515">"check for fips provider : %d\n"</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black">, iCheckProv);<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black">iCheckProv =
OSSL_PROVIDER_self_test(fips);<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black"> printf(</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:#A31515">"check for self test FIPS provider
: %d\n"</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black">, iCheckProv);<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black">Output<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black">=====<o:p></o:p></span></p>
<p class="MsoNormal">check for fips provider : 1<o:p></o:p></p>
<p class="MsoNormal">check for self test FIPS provider : 1<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">-----------<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Doubt is it is executing very fast that we
are not sure whether the tests are passed or failed ?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">In the provider.c code after looking into
the function<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:blue">int</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black"> ret;<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black">
</span><span style="font-size:9.5pt;font-family:"Cascadia
Mono";color:blue">if</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black"> (</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:gray">prov</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black">->self_test == </span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:#6F008A">NULL</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black">)<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black">
</span><span style="font-size:9.5pt;font-family:"Cascadia
Mono";color:blue">return</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black"> 1; ---------------------- >
assuming it has come out of here<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black"> ret =
</span><span style="font-size:9.5pt;font-family:"Cascadia
Mono";color:gray">prov</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black">->self_test(</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:gray">prov</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black">->provctx);<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">So is there a way to check if the self
tests are really ran successfully or not<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Please provide your input<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="msipfooter90245289" style="margin:0in"><span
style="font-size:7.0pt;color:#737373">Internal Use -
Confidential</span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> openssl-users
<a class="moz-txt-link-rfc2396E" href="mailto:openssl-users-bounces@openssl.org"><openssl-users-bounces@openssl.org></a>
<b>On Behalf Of </b>Dr Paul Dale<br>
<b>Sent:</b> Thursday, April 6, 2023 4:44 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a><br>
<b>Subject:</b> Re: self test on demand<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p><span style="color:#CE1126">[EXTERNAL EMAIL] <o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Try the
OSSL_PROVIDER_self_test() call. You should not call any of
the SELF_TEST APIs unless you are writing self tests.<br>
<br>
Also note that only the 3.0.0 FIPS provider is validated. You
cannot just build any 3.0.x version and expect to be FIPS
compliant.<br>
<br>
<br>
Paul Dale<o:p></o:p></p>
<div>
<p class="MsoNormal">On 6/4/23 00:20, Prasad, PCRaghavendra
via openssl-users wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hi Team,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Good morning.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">We are in the process of enabling FIPS
using OpenSSL 3.0.x and using python 3.11.2.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">In self-test code, we could see few
methods where it can be called on demand<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">/* This API is triggered either on
loading of the FIPS module or on demand */<o:p></o:p></p>
<p class="MsoNormal">int SELF_TEST_post(SELF_TEST_POST_PARAMS
*st, int on_demand_test)<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">so wanted to get some information on how
it can be called on demand. We know when we call the
fipsinstall will internally call this method and do
self-test, but just we are doing POC of calling it on demand<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">so is it possible to call this method or
we should not call it? If we can in the
SELF_TEST_POST_PARAMS structure what needs to be filled?<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Please provide your input/thoughts.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Raghu<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="msipfooter90245289" style="margin:0in"><span
style="font-size:7.0pt;color:#737373">Internal Use -
Confidential</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<br>
</body>
</html>