I don't know why this has degenerated into an argument about use of non-FIPS-approved algorithms.
For some reason I don't understand, there is a line about "Non-approved cryptographic operation test". But that is not what caused the failure. The failure came from the fips_rand_selftest. There are four sorts of test for FIPS random number generators. At one time there were a bunch of statistical tests. But those were removed from the requirements several years ago. There is a test that no two consecutive values are the same. Then there is a known answer test where you have to provide a known seed and then get the right sequence of random numbers. And finally some testing labs will require, based on a very legalistic reading of the rules, that the "seed" and "seed key" be compaired and a failure reported if they are the same. (In my opinion, the rule was intended to mean that you should not intentionally supply the same data for the intitial value of "seed" and "seed-key".) I don't know which case is causing the reported error. But, as I said in a previous post, the fact that it works on Linux and not on Solaris x86 makes me suspect that the code or the test was written with the assumption that Solaris is always big-endian, but, in fact, Solaris x86 is little-endian, and that is causing it to fail a known-answer test. (But I haven't looked at the code.) -- David Jacobson --- On Thu, 2/12/09, RussMitch <[email protected]> wrote: From: RussMitch <[email protected]> Subject: Re: FIPS_selftest_rng fails on Solaris10 x86 To: [email protected] Date: Thursday, February 12, 2009, 11:49 AM No, the test/fips_test_suite does not run correctly, here's the results: FIPS-mode test application 1. Non-Approved cryptographic operation test... a. Included algorithm (D-H)...successful ERROR:2d072065:lib=45,func=114,reason=101:file=fips_rand_selftest.c:line=364: <===== 2. Automatic power-up self test...FAILED! <===== /Russ Dr. Stephen Henson wrote: > > On Thu, Feb 12, 2009, RussMitch wrote: > >> >> Hello, >> >> I've built openssl-0.9.8j on Solaris10 Update 5 as follows: >> >> ./config fipscanisterbuild >> make clean >> make >> > > That's against the security policy. > >> Next, I've created a simple program that calls FIPS_mode_set(1) and links >> to >> the libraries in /usr/local/ssl/fips/lib. >> >> The first two tests, FIPS_signature_witness() and >> FIPS_check_incore_fingerprint() PASS. >> >> The third test, FIPS_selftest_rng FAILS. >> >> I've also tried the exact same procedure on a Fedora Core5 linux based >> machine, and all of the tests PASS. >> >> Anyone have an idea of what may be wrong? >> > > Does test/fips_test_suite run correctly? > > Steve. > -- > Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage > OpenSSL project core developer and freelance consultant. > Homepage: http://www.drh-consultancy.demon.co.uk > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > Development Mailing List [email protected] > Automated List Manager [email protected] > > -- View this message in context: http://www.nabble.com/FIPS_selftest_rng-fails-on-Solaris10-x86-tp21980325p21983578.html Sent from the OpenSSL - Dev mailing list archive at Nabble.com. ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [email protected]
