FIPS Object Module 2.0, fipsalgtest.pl fails


Joseddg_digi
I am trying to validate the FIPS Object Module.

I have built the test tools as specified in [1] Appendix B.1 and I have downloaded and extracted the test vectors from [2].

At that point I run the following:

perl fipsalgtest.pl --dir=/run/media/sda1/fips_tv/OSF_JN2859_OE46.results

(where /run/media/sda1/fips_tv/OSF_JN2859_OE46.results is the path I extracted the test vectors to).

That produces the following output:

Running DSA2 tests
Running DSA tests
Running ECDSA2 tests
Running RSA tests
FATAL parse error processing line 4
FATAL RSAVTEST file processing error
WARNING: error executing verify test SigGen15 ../test/fips_rsavtest "/run/media/sda1/fips_tv/OSF_JN2859_OE46.results/OSF_2859_OE46/RSA2/resp/SigGen15_186-3.tst" "/run/media/sda1/fips_tv/OSF_JN2859_OE46.results/OSF_2859_OE46/RSA2/resp/SigGen15_186-3.ver"
Running RSA tests
FATAL parse error processing line 4
FATAL RSAVTEST file processing error
WARNING: error executing verify test SigGenPSS(0) ../test/fips_rsavtest -saltlen 0 "/run/media/sda1/fips_tv/OSF_JN2859_OE46.results/OSF_2859_OE46/RSA2/resp/SigGenPSS_186-3.tst" "/run/media/sda1/fips_tv/OSF_JN2859_OE46.results/OSF_2859_OE46/RSA2/resp/SigGenPSS_186-3.ver"
Running RSA tests
FATAL parse error processing line 4
FATAL RSAVTEST file processing error
WARNING: error executing verify test SigGenPSS(62) ../test/fips_rsavtest -saltlen 62 "/run/media/sda1/fips_tv/OSF_JN2859_OE46.results/OSF_2859_OE46_RSA62_PSS/RSA2/resp/SigGenPSS_186-3.tst" "/run/media/sda1/fips_tv/OSF_JN2859_OE46.results/OSF_2859_OE46_RSA62_PSS/RSA2/resp/SigGenPSS_186-3.ver"
Running SHA tests
Running SP800-90 DRBG tests
Running HMAC tests
Running CMAC tests
Running AES tests
Running Triple DES tests
Running AES CCM tests
Running AES GCM tests
Running AES XTS tests
Running ECDH Ephemeral Primitives Only tests
ALGORITHM TEST VERIFY SUMMARY REPORT:
Tests skipped due to missing files:        0
Algorithm test program execution failures: 0
Test comparisons successful:               223
Test comparisons failed:                   0
Test sanity checks successful:             6
Test sanity checks failed:                 0
Sanity check program execution failures:   3
***TEST FAILURE***


What could be causing those errors?

Some more information:
 * OpenSSL 1.0.2j-fips  26 Sep 2016
 * ARM7 platform.
 * The fips_test_suite binary runs successfully ("All tests completed with 0 errors").

Thanks

[1] User Guide for the OpenSSL FIPS Object Module 2.0: https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
[2] Test vector tarball: https://www.openssl.com/testing/validation-2.0/testvectors/tv.tar.gz


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: FIPS Object Module 2.0, fipsalgtest.pl fails

Steve Marquess-4
On 09/28/2017 11:07 AM, Diaz de Grenu, Jose wrote:

> I am trying to validate the FIPS Object Module.
>
> I have built the test tools as specified in [1] Appendix B.1 and I have downloaded and extracted the test vectors from [2].
>
> At that point I run the following:
>
> perl fipsalgtest.pl --dir=/run/media/sda1/fips_tv/OSF_JN2859_OE46.results
>
> (where /run/media/sda1/fips_tv/OSF_JN2859_OE46.results is the path I extracted the test vectors to).
>
> That produces the following output:
>
> Running DSA2 tests
> Running DSA tests
> Running ECDSA2 tests
> Running RSA tests
> FATAL parse error processing line 4
> ...

The FIPS module and test suite software (fipsalgtest.pl) are designed to
work with exactly those algorithm tests relevant to the associated
validations (#1747/2398/2473). The test labs generate a unique set of
test vectors for each platform validation; those test vectors must be of
the expected format to be successfully processed. Often they are not,
either because they were incorrectly specified or due to errors. Figuring
out such discrepancies can be lots of fun (not!).

You will want to compare your test vectors with a known good set from
http://openssl.com/testing/validation-2.0/testvectors/. Pick a recent
set, as the format of the test vectors changes over time. Note that as a
result frequent adjustment of fipsalgtest.pl is often necessary.

-Steve M.

--
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 301 874 2571
[hidden email]
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
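
An added example (not part of the original thread, and not code from the OpenSSL project): one way to do the comparison suggested above is to reduce a failing vector file and a known good one to their line layout and diff the result. It assumes the files are line-oriented `name = value` text; the sample files and their field names are constructed, and the carriage-return tag is only a guess at one possible discrepancy.

```shell
#!/bin/sh
# Added example: compare the layout of two test vector files, ignoring values.

# Print each distinct line shape in first-seen order: comments -> COMMENT,
# "[name = value]" -> [name], "name = value" -> name.
# Lines that end in a carriage return (DOS line endings) are tagged "+CR".
tv_skeleton() {
    awk '{
        cr = sub(/\r$/, "") ? " +CR" : ""
        if ($0 ~ /^[ \t]*$/) next
        if ($0 ~ /^#/) tok = "COMMENT"
        else if ($0 ~ /^\[.*\]$/) { tok = $0; sub(/[ \t]*=.*/, "]", tok) }
        else if ($0 ~ /=/) { tok = $0; sub(/[ \t]*=.*/, "", tok) }
        else tok = "OTHER@line" NR
        tok = tok cr
        if (!(tok in seen)) { seen[tok] = 1; print tok }
    }' "$1"
}

# Diff the skeleton of a known good file ($1) against a suspect one ($2).
# Returns 0 when the layouts match, 1 when they differ.
tv_compare() {
    good=$(mktemp) && suspect=$(mktemp) || return 2
    tv_skeleton "$1" > "$good"
    tv_skeleton "$2" > "$suspect"
    diff "$good" "$suspect" && rc=0 || rc=$?
    rm -f "$good" "$suspect"
    return "$rc"
}

# Write three constructed sample files (not real test vectors) into directory $1.
tv_demo_files() {
    set -- "$1" '# constructed sample' '[mod = 2048]' '' 'n = c0ffee' 'e = 010001'
    printf '%s\n'   "$2" "$3" "$4" "$5" "$6" 'SHAAlg = SHA256' 'Msg = 00' 'S = 11' > "$1/good.rsp"
    printf '%s\n'   "$2" "$3" "$4" "$5" "$6" 'Hash = SHA256'   'Msg = 00' 'S = 11' > "$1/renamed.rsp"
    printf '%s\r\n' "$2" "$3" "$4" "$5" "$6" 'SHAAlg = SHA256' 'Msg = 00' 'S = 11' > "$1/crlf.rsp"
}

demo=$(mktemp -d)
tv_demo_files "$demo"
tv_compare "$demo/good.rsp" "$demo/renamed.rsp" || echo "layout differs: renamed field"
tv_compare "$demo/good.rsp" "$demo/crlf.rsp" >/dev/null || echo "layout differs: CR line endings"
rm -rf "$demo"
```

With real data, call `tv_compare` with the same-named file from a known good tarball as the first argument and the file named in the WARNING line as the second.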

Re: FIPS Object Module 2.0, fipsalgtest.pl fails

Joseddg_digi

> The FIPS module and test suite software (fipsalgtest.pl) are designed to work with exactly those algorithm tests relevant to the associated validations
> (#1747/2398/2473). The test labs generate a unique set of test vectors for each platform validation; those test vectors must be of the expected format to
> be successfully processed. Often they are not, either because they were incorrectly specified or due to errors. Figuring out such discrepancies can be lots of
> fun (not!).
>
> You will want to compare your test vectors with a known good set from http://openssl.com/testing/validation-2.0/testvectors/. Pick a recent set, as the format of the test vectors changes over time. Note that as
> a result frequent adjustment of fipsalgtest.pl is often necessary.

I have tried with all the tarballs but I am not able to find one which works without errors.

Is there any way to check which test vectors were used for FIPS Object Module 2.0.16?

Re: FIPS Object Module 2.0, fipsalgtest.pl fails

Steve Marquess-4
On 10/02/2017 10:29 AM, Diaz de Grenu, Jose wrote:

>
>> The FIPS module and test suite software (fipsalgtest.pl) are designed to work with exactly those algorithm tests relevant to the associated validations
>> (#1747/2398/2473). The test labs generate a unique set of test vectors for each platform validation; those test vectors must be of the expected format to
>> be successfully processed. Often they are not, either because they were incorrectly specified or due to errors. Figuring out such discrepancies can be lots of
>> fun (not!).
>
>> You will want to compare your test vectors with a known good set from http://openssl.com/testing/validation-2.0/testvectors/. Pick a recent set, as the format of the test vectors changes over time. Note that as
>> a result frequent adjustment of fipsalgtest.pl is often necessary.
>
> I have tried with all the tarballs but I am not able to find one which works without errors.

You reprocessed all of the hundreds of test vectors? I'm impressed. That
must have taken many days of compute time.

>
> Is there any way to check which test vectors were used for FIPS Object Module 2.0.16?
>

The most recent set of test vectors used for a 2.0.16 OE is:


http://openssl.com/testing/validation-2.0/testvectors/OVS_2859_OE82.results.tar.gz

You have no way of knowing that because we don't publish a mapping of
test vectors to OEs (and most FIPS 140 module vendors don't publish
anything at all). And before you ask, no, while we're delighted to be an
open source model for other validations I'm not keen on spending time
specifically supporting proprietary validations that don't benefit the
OpenSSL community as a whole.

Please note that if you're trying to do your own "private label"
validation you'll have to use a new unique set of test vectors provided
by your accredited test lab; reprocessing a previously used set doesn't
buy you much.

-Steve M.

--
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 301 874 2571
[hidden email]
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

Re: FIPS Object Module 2.0, fipsalgtest.pl fails

Joseddg_digi

> You reprocessed all of the hundreds of test vectors? I'm impressed. That
> must have taken many days of compute time.

Sorry, the download script I set up seg faulted after some time, and I didn't notice. In fact it only tested a few tarballs.


> The most recent set of test vectors used for a 2.0.16 OE is:
> http://openssl.com/testing/validation-2.0/testvectors/OVS_2859_OE82.results.tar.gz

That one also fails.

Thanks for all the information anyways. I will keep trying with other test vectors, just in case.

Re: FIPS Object Module 2.0, fipsalgtest.pl fails

Steve Marquess-4
On 10/03/2017 05:26 PM, Diaz de Grenu, Jose wrote:

>
>> You reprocessed all of the hundreds of test vectors? I'm impressed. That
>> must have taken many days of compute time.
>
> Sorry, the download script I set up seg faulted after some time, and I didn't notice. In fact it only tested a few tarballs.
>
>
>> The most recent set of test vectors used for a 2.0.16 OE is:
>> http://openssl.com/testing/validation-2.0/testvectors/OVS_2859_OE82.results.tar.gz
>
> That one also fails.
>
> Thanks for all the information anyways. I will keep trying with other test vectors, just in case.
>

If you use a stock unmodified openssl-fips-2.0.N.tar.gz tarball and an
appropriate matching set of test vectors then they can be successfully
processed (on a very wide range of platforms). That has literally been
done with hundreds of test vector sets. I suggest you circle back to the
basics. Download an unmodified openssl-fips-2.0.16.tar.gz and build that
on a known supported platform, for instance a modern Linux distro. Then
process a recent test vector set, for instance the one noted above.

If that fails you have something very broken in your build environment
or platform; you'll want to sort that out before trying anything
adventurous.

-Steve M.

--
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 301 874 2571
[hidden email]
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc