[openssl-dev] FIPS validation

Steve Marquess marquess at openssl.com
Mon Sep 5 11:32:53 UTC 2016


On 09/05/2016 02:09 AM, Leon Brits wrote:
> The FIPS validation company says:
>
> “The tests I am most interested in are the failure cases, where you
> induce an error in each of the power-on self-tests and conditional tests
> (i.e., continuous RNG test, pairwise consistency test).”
>
> Can anybody tell me how I can induce these errors?
>
> I do run the FIPS_selftest() function on demand and the POST has never
> failed when I switch to FIPS mode with FIPS_mode_set().
>
> Thanks
>
> LJB

So you're trying to obtain your own copycat validation based on the
OpenSSL FIPS Object Module code (as many vendors have done).

Since that has been done so many times, your unnamed FIPS validation
consultant or test lab should already be familiar enough with the
OpenSSL FIPS module code to immediately know the answer to this
question, rather than asking it of you (that's a hint).

Most labs or consultants would direct you to the "fips_test_suite" test
harness (also called from fips_algvs), which is included in the OpenSSL
FIPS module tarballs and documented in the User Guide:

  https://www.openssl.org/docs/fips/UserGuide-2.0.pdf

Test labs typically just run "fips_algvs fips_test_suite" for the
functional testing, as it was designed for exactly that purpose.

-Steve M.

-- 
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
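
The kind of failure case the lab asks for, shown for a continuous RNG test as an added example. This is not code from the OpenSSL FIPS module or from fips_test_suite; the `crng` type, its `stick` fault hook and `counter_source` are hypothetical names, and the source is a constructed counter rather than a real RNG.

```c
#include <stdint.h>
#include <string.h>

#define BLOCK 16
typedef int (*rng_source)(uint8_t out[BLOCK]);  /* hypothetical source: 1 = ok */
typedef struct {
    rng_source src;
    uint8_t last[BLOCK];  /* previous block, kept for the comparison */
    int primed;           /* 0 until the first block has been stored */
    int error;            /* sticky: once set, no further output */
    int stick;            /* test-only fault hook: repeat the previous block */
} crng;

void crng_init(crng *r, rng_source src) { memset(r, 0, sizeof *r); r->src = src; }

/* Returns 1 and fills out on success; 0 if the source or the continuous test failed. */
int crng_generate(crng *r, uint8_t out[BLOCK])
{
    uint8_t cur[BLOCK];
    if (r->error) return 0;
    if (!r->primed) {                            /* first block is stored, never output */
        if (!r->src(r->last)) { r->error = 1; return 0; }
        r->primed = 1;
    }
    if (!r->src(cur)) { r->error = 1; return 0; }
    if (r->stick) memcpy(cur, r->last, BLOCK);   /* induced failure */
    if (memcmp(cur, r->last, BLOCK) == 0) { r->error = 1; return 0; }  /* continuous test */
    memcpy(r->last, cur, BLOCK);
    memcpy(out, cur, BLOCK);
    return 1;
}

/* Constructed deterministic source for the demo (a counter, not a real RNG). */
static int counter_source(uint8_t out[BLOCK])
{
    static uint8_t n;
    memset(out, ++n, BLOCK);
    return 1;
}

/* Failure case: healthy output passes, stuck output is rejected, error persists. */
int crng_failure_case(void)
{
    crng r; uint8_t buf[BLOCK];
    crng_init(&r, counter_source);
    if (!crng_generate(&r, buf)) return 0;   /* normal operation */
    r.stick = 1;
    if (crng_generate(&r, buf)) return 0;    /* must fail with the fault induced */
    r.stick = 0;
    return crng_generate(&r, buf) == 0;      /* still in the error state */
}
```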

