[openssl-dev] FIPS validation

Leon Brits leonb at parsec.co.za
Wed Sep 7 04:49:52 UTC 2016 

Hi SteveM,

Yes we are copycats - thanks for making it possible.

I was also amazed when I received the email very close to our final source code review and operational testing phase.

I've used the fips_algv tests suite to have the algorithms validated (#3768) using this lab but I cannot see how to use it to "induce" and error in the FIPS module.

I think they want to see that we go into an error state in such cases.

Should I use gdb to step into the module and alter return values? Can I compile the FIPS module like that without breaking the compile rules?

Thanks for your time
LJB



> -----Original Message-----
> From: openssl-dev [mailto:openssl-dev-bounces at openssl.org] On Behalf Of
> Steve Marquess
> Sent: 05 September 2016 01:33 PM
> To: openssl-dev at openssl.org
> Subject: Re: [openssl-dev] FIPS validation
> 
> On 09/05/2016 02:09 AM, Leon Brits wrote:
> > The FIPS validation company says:
> >
> >
> >
> > "The tests I am most interested in are the failure cases, where you
> > induce an error in each of the power-on self-tests and conditional
> > tests (i.e, continuous RNG test, pairwise consistency test)."
> >
> >
> >
> > Can anybody tell me how I can induce these errors?
> >
> >
> >
> > I do run the FIPS_selftest() function on demand and the POST has never
> > failed when I switch to FIPS mode with FIPS_mode_set().
> >
> >
> >
> > Thanks
> >
> > LJB
> >
> >
> >
> 
> So you're trying to obtain your own copycat validation based on the
> OpenSSL FIPS Object Module code (as many vendors have done).
> 
> Since that has been done so many times your unnamed FIPS validation
> consultant or test lab should already be familiar enough with the OpenSSL
> FIPS module code to immediately know the answer to this question, rather
> than asking it of you (that's a hint).
> 
> Most labs or consultants would direct you to the "fips_test_suite" test
> harness (also called from fips_algvs), which is included in the OpenSSL
> FIPS module tarballs and documented in the User Guide:
> 
>   https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
> 
> Test labs typically just run "fips_algv fips_test_suite" for the
> functional testing, as it was designed for exactly that purpose.
> 
> -Steve M.
> 
> --
> Steve Marquess
> OpenSSL Validation Services, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD  21710
> USA
> +1 877 673 6775 s/b
> +1 301 874 2571 direct
> marquess at openssl.com
> gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
> --
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

More information about the openssl-dev mailing list