[openssl-users] openssl fipsalgtest

Steve Marquess marquess at openssl.com
Wed Dec 9 13:03:40 UTC 2015


On 12/09/2015 12:06 AM, xxiao8 wrote:
> I'm trying to run the algorithm tests under linux for fips 2.0.10 +
> openssl 1.0.1e, using the fips-2.0-tv.tar.gz from openssl website, and
> saw quite some errors, am I missing anything?

fipsalgtest.pl is a utility of value only for performing formal CAVP
algorithm testing. Unfortunately the CAVP is constantly changing the
format of the algorithm test files ("test vectors"), so by the time you
try to use fipsalgtest.pl on a newly obtained set of test vectors for
your validation attempt it probably won't exactly match. You'll need to
dig in and figure out the discrepancies.

Also note it's not at all unusual to receive incorrect test vectors (the
CAVS tool that generates them is very labor intensive and it's all too
easy for the test lab to miss a checkbox or whatever). Figuring out
whether a discrepancy is due to a legitimate format change or outright
error, and then convincing the test lab and CAVP of the latter, can be fun.

We developed this tool because we were doing platform tests by the
hundreds. For a one-off validation you may want to consider just
hand-jamming the "--generate-script" file.

I'll also note that sorting out the algorithm tests will be relatively
trivial compared to hacking the OpenSSL FIPS Object Module v2.0 code to
meet all the new requirements that have accumulated since that
validation was obtained. You'll want to do those mods before the
algorithm testing.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

