Re: OpenSSL3 unloading and re-loading the FIPS provider after it enters error state

On 06/12/2021 15:49, Cristian Andrei Sandu wrote:
> Hi guys,
> 
> Is there any way I can re-load the FIPS provider after it reached its error state? I'd like to do it without restarting the process. (If it matters, I'm already using a non-default library context with a separate configuration file that I load with OSSL_LIB_CTX_load_config().)
> 
> I'd like to be able to explicitly load the provider with OSSL_PROVIDER_load(), call OSSL_PROVIDER_self_test() with a corrupted test, unload the provider, re-load it and run OSSL_self_test() again without the previous corrupted test. (All of this without killing the process.)
> 
> Which approach would you recommend?

In principle, if you unload the provider using OSSL_PROVIDER_unload(), free anything you fetched from the provider, and free the libctx using OSSL_LIB_CTX_free(), then this should result in dlclose being called on the fips.so file. What happens then is at the mercy of the OS, but it is likely to unload the .so from the process. Subsequently loading it again into a new libctx should then give you a blank slate to start again. However, this all very much depends on whether fips.so does actually get removed by the OS. If it doesn't, then it will simply remember the self-test result from last time and will fail to start up properly, so this is probably not sufficiently reliable for you to depend on it.

There isn't another way of doing this AFAIK.

Matt



> Thanks,
> 
> Cristian Sandu
> 
> This email message and any attachments are intended solely for the use of the addressees hereof. This message and any attachments may contain information that is confidential, privileged and exempt from disclosure under applicable law. If you are not the intended recipient of this message, you are prohibited from reading, disclosing, reproducing, distributing, disseminating or otherwise using this transmission. If you have received this message in error, please promptly notify the sender at Ceragon by reply E-mail and immediately delete this message from your system.