Hi SteveM,

Yes we are copycats - thanks for making it possible.
I was also amazed when I received the email very close to our final source code review and operational testing phase. I've used the fips_algv test suite to have the algorithms validated (#3768) using this lab but I cannot see how to use it to "induce" an error in the FIPS module. I think they want to see that we go into an error state in such cases.

Should I use gdb to step into the module and alter return values? Can I compile the FIPS module like that without breaking the compile rules?

Thanks for your time
LJB

> -----Original Message-----
> From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Steve Marquess
> Sent: 05 September 2016 01:33 PM
> To: openssl-dev@openssl.org
> Subject: Re: [openssl-dev] FIPS validation
>
> On 09/05/2016 02:09 AM, Leon Brits wrote:
> > The FIPS validation company says:
> >
> > "The tests I am most interested in are the failure cases, where you
> > induce an error in each of the power-on self-tests and conditional
> > tests (i.e., continuous RNG test, pairwise consistency test)."
> >
> > Can anybody tell me how I can induce these errors?
> >
> > I do run the FIPS_selftest() function on demand and the POST has never
> > failed when I switch to FIPS mode with FIPS_mode_set().
> >
> > Thanks
> >
> > LJB
>
> So you're trying to obtain your own copycat validation based on the
> OpenSSL FIPS Object Module code (as many vendors have done).
>
> Since that has been done so many times your unnamed FIPS validation
> consultant or test lab should already be familiar enough with the OpenSSL
> FIPS module code to immediately know the answer to this question, rather
> than asking it of you (that's a hint).
>
> Most labs or consultants would direct you to the "fips_test_suite" test
> harness (also called from fips_algvs), which is included in the OpenSSL
> FIPS module tarballs and documented in the User Guide:
>
> https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
>
> Test labs typically just run "fips_algv fips_test_suite" for the
> functional testing, as it was designed for exactly that purpose.
>
> -Steve M.
>
> --
> Steve Marquess
> OpenSSL Validation Services, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD 21710
> USA
> +1 877 673 6775 s/b
> +1 301 874 2571 direct
> marqu...@openssl.com
> gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
> --
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev