diff options
| author | Shane Lontis <shane.lontis@oracle.com> | 2020-08-09 18:06:52 +1000 |
|---|---|---|
| committer | Shane Lontis <shane.lontis@oracle.com> | 2020-08-09 18:06:52 +1000 |
| commit | 04cb5ec0b74896fe806625ac4d87e3396890f246 (patch) | |
| tree | 558c92ddf1b1fb2421d9f3f9aae3c82595a94830 /doc/man7/provider-base.pod | |
| parent | dda4e259e51aeaf05a2417ef577accf778c9f6f6 (diff) | |
| download | openssl-04cb5ec0b74896fe806625ac4d87e3396890f246.tar.gz | |
Add 'on demand self test' and status test to providers
The default and legacy providers currently return 1 for status and self test checks.
Added test to show the 3 different stages the self test can be run (for installation, loading and on demand).
For the fips provider:
- If the on demand self test fails, then any subsequent fetches should also fail. To implement this the
cached algorithms are flushed on failure.
- getting the self test callback in the fips provider is a bit complicated since the callback hangs off the core
libctx (as it is set by the application) not the actual fips library context. Also the callback can be set at
any time not just during the OSSL_provider_init() so it is calculated each time before doing any self test.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11752)
Diffstat (limited to 'doc/man7/provider-base.pod')
| -rw-r--r-- | doc/man7/provider-base.pod | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/doc/man7/provider-base.pod b/doc/man7/provider-base.pod index d61645f961..efec869e25 100644 --- a/doc/man7/provider-base.pod +++ b/doc/man7/provider-base.pod @@ -139,6 +139,7 @@ F<libcrypto>): provider_query_operation OSSL_FUNC_PROVIDER_QUERY_OPERATION provider_get_reason_strings OSSL_FUNC_PROVIDER_GET_REASON_STRINGS provider_get_capabilities OSSL_FUNC_PROVIDER_GET_CAPABILITIES + provider_self_test OSSL_FUNC_PROVIDER_SELF_TEST =head2 Core functions @@ -241,6 +242,11 @@ callback multiple times (one for each capability). Capabilities can be useful fo describing the services that a provider can offer. For further details see the L</CAPABILITIES> section below. It should return 1 on success or 0 on error. +The provider_self_test() function should perform known answer tests on a subset +of the algorithms that it uses, and may also verify the integrity of the +provider module. It should return 1 on success or 0 on error. It will return 1 +if this function is not used. + None of these functions are mandatory, but a provider is fairly useless without at least provider_query_operation(), and provider_gettable_params() is fairly useless if not accompanied by @@ -268,6 +274,11 @@ This points to a string that is a build information associated with this provide OpenSSL in-built providers use OPENSSL_FULL_VERSION_STR, but this may be different for any third party provider. +=item "status" (B<OSSL_PROV_PARAM_STATUS>) <unsigned integer> + +This returns 0 if the provider has entered an error state, otherwise it returns +1. + =back provider_gettable_params() should return the above parameters. |