[openssl-dev] Where is the sample-comprehensive CAVS test vectors' set with all 259 test vectors

Steve Marquess marquess at openssl.com
Thu Apr 14 11:57:47 UTC 2016


On 04/14/2016 06:09 AM, cyriac wrote:
> Hi,
> 
> *In FIPS Userguide 2.0*, Appendix B, about CAVS testing, I could find:
> Note this step requires a large directory tree of input test data files
> produced by the
> testing lab using a NIST provided tool (CAVS); several sets of input and
> response values can be
> found http://openssl.com/testing/validation-2.0/testvectors/. The file
> *http://openssl.com/testing/validation-2.0/testvectors/tv.tar.gz
> contains a complete set of 259 test vector files with correct responses that
> can be used for a single
> comprehensive test. *Note the number and format of these test vector files
> changes over time, so this
> set may not correspond exactly to what the CAVS tool currently produces.
> 
> Unfortunately, this sample comprehensive test vector tar-ball (tv.tar.gz) is
> not present in this location.
> I have been searching all out, but I could not get hold of this set with all
> 259 vectors from anywhere.
> Could I know how to get hold of this complete test vector set? (Any web link
> available?) Kindly help…

The tv.tar.gz symlink was missing; I've restored it. Unfortunately that
doesn't do you much good.

You can find a huge collection of historical test vectors at:

  http://openssl.com/testing/validation-2.0/testvectors/

and tv.tar.gz is now pointing to one of them. But, the format and
contents of these test vector data sets change over time, frequently.
Having one of them doesn't do you much good for a number of reasons:

1) Even if you appear to have processed them without error, you can't
properly verify them without an accredited test lab, and if you were
working with an accredited test lab they would supply you with a current
set of test vectors.

2) There is no reason to fool with these test vectors unless you're
trying for your own validation using the OpenSSL FIPS module code, in
which case you'll have to engage an accredited test lab.

3) Even if you have a current set (unlikely), any official algorithm
validation action requires a unique new set of test vectors (which ...
wait for it ... you can only get from an accredited test lab).

4) If you're working with a non-current set of test vectors (which is
usually all of them as the format changes frequently), you'll waste time
barking up the wrong tree. They can change substantially in a short
period of time; note for instance the file count is no longer 259.

Notice I mention "accredited test lab" a lot. You're wasting your time
if you've not engaged one. Our open source test suite software makes the
mechanics of validation a lot easier, but you still have to use a test
lab. Yes, you have to pay the lab, but welcome to the wonderful world of
FIPS 140-2.

-Steve M.

-- 
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

