On 02/19/2015 11:09 AM, Salz, Rich wrote: >> For instance, any of the void DES_*_encrypt(). This cursory observation is >> also supported by a vendor application code such as: > > Ah, okay. Those functions are 'just math' They depend on no external state. They can't fail. It's shifts and masking, etc. Which incidentally is true also of most of the FIPS 140-2 required KATs; they are tautological in the sense that they only way they can possibly fail is if the math is wrong, i.e. 1+1 != 2. Apparently in the dim mists of time from whence the basic FIPS 140-2 requirements originated, when cryptography was done with mechanical devices and dedicated discrete component electronics, such failures were a serious concern. So to this day in a FIPS module the POST does the equivalent of diligently confirming that 1+1=2, many times over. If one of those tautological tests *does* fail, then you have worse problems than a non-functioning FIPS module. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marquess at opensslfoundation.com marquess at openssl.com gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
