Building the CAVP Test Apparatus
2013-04-02 17:21 by Ian
The last entry in this series gave a quick practical overview for building a FIPS capable OpenSSL. This one will explain how to compile a program against it.
The particular program I will be compiling is one that I wrote to execute a set of test-vectors issued by NIST's CAVP.
I have poasted the code for this test program at GitHub. It is not complete, and is a bit fragile, but it works for what it was meant to do (run test-vectors). While writing it, I drew from similarly-purposed code in OpenSSL's test programs. I have specific attributions in the source commentary. I might go into a digression on the program itself at a later date, but for the moment, I am mostly concerned with giving instructions for making it compile and run.
So that I don't lose anyone who just joined us, I am working from the directory into which I archived my compile products from the last post...
ian@coRTex ~/openssl-done/2013-03-08.1362729251 $ pwd /home/ian/openssl-done/2013-03-08.1362729251/
Last time, I declined to "make install" in the FIPS object module to avoid installing out-of-band software. Here, we will need to manually install some of the FIPS Object Module in order to compile against it.
So if you followed the instructions in the previous post, (and didn't install the FIPS compilation product), you will need to copy some files...
sudo mkdir /usr/local/ssl/fips-2.0/lib sudo mkdir /usr/local/ssl/lib/ sudo cp openssl-1.0.1e/libcrypto.a /usr/local/ssl/lib/ sudo cp openssl-fips-2.0.2/fips/fips_premain.c /usr/local/ssl/fips-2.0/lib sudo cp openssl-fips-2.0.2/fips/fipscanister.o /usr/local/ssl/fips-2.0/lib sudo cp openssl-fips-2.0.2/fips/*.sha1 /usr/local/ssl/fips-2.0/lib
Download the code and the test-vectors, and enter the directory so created...
git clone https://github.com/jspark311/fips-openssl-test.git fips-test cd fips-test
I have used Jan Brittenson's implementation of the getline function because later I will be compiling this on a platform that does not have glibc (android). So for the sake of simplicity, I have declined to use the native getline function on my platform.
Compile that guy....
make
The makefile itself has something important to say. To maintain the integrity of the FIPS standard, we are obliged to compile the program against the static OpenSSL library (libcrypto.a). Technically, we can compile against a shared library (and we will be doing so in part 3), but here I am striving for maximum adherence to the User Guide, against which this makefile was patterned.
Run it
./fips-test
Use of the program
When you first start it, the program issues a prompt and waits for a command. Try hitting enter (or type help) to see it print the menu...
==< HELP >========================================================================================= Ian's OpenSSL Workbench (v0.1.3) Build date: Apr 1 2013 14:01:54 This program was designed to run CAVP 14.2 test vectors. It may work with other CAVP versions. The output of this program should NOT be construed as an indication of FIPS compliance. This program was written around OpenSSL v1.0.1d and FIPS Canister v2.0. But it should work with other recent versions. Type the name of a test to dump the test results. Type the name of a block to dump all tests within that block. 'help' This. 'path' Set the path to the test vectors. Use if you didn't supply the path at launch. 'run' Equivalent to 'load exec validate errors'. 'load' Loads all supported tests from the filesystem. 'list' Lists all loaded tests. 'exec' Executes all loaded tests. 'errors' List all tests that experienced problems or irregularities. 'validate' Validate all tests against their repsective answer keys. 'write' Write all test data to output files suitable for CAVP reply. 'unload' Unload all vectors for tests matching the given pattern. 'quit' Bail? Bail. The commands {list, run, exec, validate, write, load, unload} accept an optional unbounded list of arguments for Tests on which the command ought to be run. For example, 'load sha aes' would load only the SHA and AES test blocks. Typical usage sees the following sequence of commands: {load, exec, validate, write, quit}. ./fips-test>
There is a list of default vectors (in a subdirectory named 'vector_root') that should have come with the source. You can replace them with the contents of your own known-answer test. But if you've made it this far, try to load, execute, and validate the given vectors by issuing the command run. Depending on your CPU, this might take awhile.
Presently, this program supports the following five test blocks:
- AES
- SHA
- HMAC
- RNG
- ECDSA
This is not the full range of FIPS algorithms, but it is enough to convince us that the FIPS object module discussed in our past post was built correctly. The FIPS Object Module provides pass-through functions for most of the OpenSSL calls. These have been used in lieu of the stock OpenSSL functions, and they will have failed the compile if you did something wrong.
Previous: Bury it under the noise floor (Steganography)
Next: Real-Time Scheduler Library For Arduino