[openssl-users] FIPS errors: finding causes for failure
Dr. Stephen Henson
steve at openssl.org
Wed Apr 1 16:16:09 UTC 2015
On Wed, Apr 01, 2015, jonetsu wrote:
> Hello,
>
> As part of development, still using the fips_hmac test code, this time on a target unit using 1.0.1e, the following errors are shown at the console:
>
> 3069614096:error:2D088086:FIPS
> routines:FIPS_selftest_x931:selftest
> failed:fips_rand_selftest.c:171:
>
> 3069614096:error:2D082086:FIPS
> routines:FIPS_selftest_cmac:selftest
> failed:fips_cmac_selftest.c:178:
>
> 3069614096:error:2D080086:FIPS
> routines:FIPS_selftest_aes:selftest
> failed:fips_aes_selftest.c:97:
>
> 3069614096:error:2D090086:FIPS
> routines:FIPS_selftest_aes_xts:selftest
> failed:fips_aes_selftest.c:383:
>
> 3069614096:error:2D083086:FIPS
> routines:FIPS_selftest_des:selftest
> failed:fips_des_selftest.c:102:
>
> What is the troubleshooting path from here ? Is it only by going to the appropriate code line ? In the first case, the FIPS_selftest_x931() is concerned, with the 171 line being: FIPSerr(FIPS_F_FIPS_SELFTEST_X931,FIPS_R_SELFTEST_FAILED). Which basically means that the actual test code has to be examined. There is documentation in the User Guide, section 6.3.1, although it does not seem to be practical to find out the cause of the failure. There are seemingly no log messages generated. Information that would give hints as to why a specific test could fail would be useful. In this case, there's mention of the V seed value being corrupted but only for simulation mode.
>
> In short, how to find what could be the cause(s) of FIPS test(s) failure(s) ?
>
Does fips_test_suite from the FIPS module produce similar errors?
Most tests are known answer tests (KAT). That is they pass known inputs to
the algorithm and check to see if the output matches the expected value. As
such the only reason a self test could fail is that the algorithm is
misbehaving: the most common reason for that is a compiler bug.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
More information about the openssl-users
mailing list