Re: [openssl-dev] FIPS validation

2016-09-08 Thread Steve Marquess
On 09/07/2016 12:49 AM, Leon Brits wrote:
> Hi SteveM,
> 
> Yes we are copycats - thanks for making it possible.
> 
> I was also amazed when I received the email very close to our final
> source code review and operational testing phase.
> 
> I've used the fips_algv test suite to have the algorithms validated
> (#3768) using this lab but I cannot see how to use it to "induce" an
> error in the FIPS module.
> 

Look at what the "fips_test_suite" option of fips_algv does. That's also
discussed in the OpenSSL FIPS module user guide.

-Steve M.

-- 
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] FIPS validation

2016-09-06 Thread Leon Brits
Hi SteveM,

Yes we are copycats - thanks for making it possible.

I was also amazed when I received the email very close to our final source code 
review and operational testing phase.

I've used the fips_algv test suite to have the algorithms validated (#3768) 
using this lab but I cannot see how to use it to "induce" an error in the FIPS 
module.

I think they want to see that we go into an error state in such cases.

Should I use gdb to step into the module and alter return values? Can I compile 
the FIPS module like that without breaking the compile rules?

Thanks for your time
LJB



> -Original Message-
> From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of
> Steve Marquess
> Sent: 05 September 2016 01:33 PM
> To: openssl-dev@openssl.org
> Subject: Re: [openssl-dev] FIPS validation
> 
> On 09/05/2016 02:09 AM, Leon Brits wrote:
> > The FIPS validation company says:
> >
> > "The tests I am most interested in are the failure cases, where you
> > induce an error in each of the power-on self-tests and conditional
> > tests (i.e, continuous RNG test, pairwise consistency test)."
> >
> > Can anybody tell me how I can induce these errors?
> >
> > I do run the FIPS_selftest() function on demand and the POST has never
> > failed when I switch to FIPS mode with FIPS_mode_set().
> >
> > Thanks
> > LJB
> 
> So you're trying to obtain your own copycat validation based on the
> OpenSSL FIPS Object Module code (as many vendors have done).
> 
> Since that has been done so many times your unnamed FIPS validation
> consultant or test lab should already be familiar enough with the OpenSSL
> FIPS module code to immediately know the answer to this question, rather
> than asking it of you (that's a hint).
> 
> Most labs or consultants would direct you to the "fips_test_suite" test
> harness (also called from fips_algvs), which is included in the OpenSSL
> FIPS module tarballs and documented in the User Guide:
> 
>   https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
> 
> Test labs typically just run "fips_algv fips_test_suite" for the
> functional testing, as it was designed for exactly that purpose.
> 
> -Steve M.


Re: [openssl-dev] FIPS validation

2016-09-05 Thread Steve Marquess
On 09/05/2016 02:09 AM, Leon Brits wrote:
> The FIPS validation company says:
> 
> “The tests I am most interested in are the failure cases, where you
> induce an error in each of the power-on self-tests and conditional tests
> (i.e, continuous RNG test, pairwise consistency test).”
> 
> Can anybody tell me how I can induce these errors?
> 
> I do run the FIPS_selftest() function on demand and the POST has never
> failed when I switch to FIPS mode with FIPS_mode_set().
> 
> Thanks
> LJB

So you're trying to obtain your own copycat validation based on the
OpenSSL FIPS Object Module code (as many vendors have done).

Since that has been done so many times your unnamed FIPS validation
consultant or test lab should already be familiar enough with the
OpenSSL FIPS module code to immediately know the answer to this
question, rather than asking it of you (that's a hint).

Most labs or consultants would direct you to the "fips_test_suite" test
harness (also called from fips_algvs), which is included in the OpenSSL
FIPS module tarballs and documented in the User Guide:

  https://www.openssl.org/docs/fips/UserGuide-2.0.pdf

Test labs typically just run "fips_algv fips_test_suite" for the
functional testing, as it was designed for exactly that purpose.

-Steve M.



[openssl-dev] FIPS validation

2016-09-05 Thread Leon Brits
The FIPS validation company says:

"The tests I am most interested in are the failure cases, where you induce an 
error in each of the power-on self-tests and conditional tests (i.e, continuous 
RNG test, pairwise consistency test)."

Can anybody tell me how I can induce these errors?

I do run the FIPS_selftest() function on demand and the POST has never failed 
when I switch to FIPS mode with FIPS_mode_set().

Thanks
LJB