Preliminary status and build information for FIPS module v2.0
-NB: if you are cross compiling you now need to use the latest "incore2" script
-from http://www.openssl.org/docs/fips/incore2
+NB: if you are cross compiling you now need to use the latest "incore" script
+this can be found at util/incore in the tarballs.
If you have any object files from a previous build do:
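Review bot: The two added lines in the cross-compiling note read as one run-on sentence, and "latest" no longer identifies a version now that the script ships with the source. Suggest wording such as: NB: if you are cross compiling you need to use the "incore" script found at util/incore in the tarballs. That also makes it clear that a previously downloaded incore2 should not be paired with this source.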
To build the module do:
-./config fipscanisterbuild
+./config fipscanisteronly
make
Build should complete without errors.
+Build test utilities:
+
+make build_tests
+
Run test suite:
test/fips_test_suite
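Review bot: The new "Build test utilities" step does not say that it is a prerequisite for the "Run test suite" step that follows, which is easy to miss now that the configure option is fipscanisteronly. Suggest stating whether the plain make still produces test/fips_test_suite or whether make build_tests is now required first, and adding one line on what fipscanisteronly builds.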
Run test vectors:
1. Download an appropriate set of testvectors from www.openssl.org/docs/fips
- those for 2007 are OK.
+ only the fips-2.0 testvector files are usable for complete tests.
2. Extract the files to a suitable directory.
4. It should say "passed all tests" at the end. Report full details of any
failures.
-Run:
-
-make clean
-
-to remove any object modules from previous compile.
-
-Run symbol hiding test:
-
-./config fipscanisteronly -DOPENSSL_FIPSSYMS
-make
-
-This time only the fips utilities should be built.
+If you wish to use the older 1.2.x testvectors (for example those from 2007)
+you need the command line switch --disable-v2 to fipsalgtest.pl
Examine the external symbols in fips/fipscanister.o they should all begin
with FIPS or fips. One way to check with GNU nm is:
-nm -g --defined-only fips/fipscanister.o | grep -v -i fips
+ nm -g --defined-only fips/fipscanister.o | grep -v -i fips
If you get *any* output at all from this test (i.e. symbols not starting with
fips or FIPS) please report it.
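Review bot: Removing the "Run symbol hiding test:" heading together with its ./config fipscanisteronly -DOPENSSL_FIPSSYMS build leaves the "Examine the external symbols in fips/fipscanister.o" paragraph directly after the --disable-v2 note, with nothing to mark it as a separate check or to say which build it applies to. Suggest keeping a heading such as "Run symbol hiding test:" above it and stating which build's fips/fipscanister.o is the one to inspect with nm.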
make
You can then run the algorithm tests as above. This build automatically uses
-fipscanisteronly and -DOPENSSL_FIPSYMS and no-ec2m as appropriate.
+fipscanisterbuild and no-ec2m as appropriate.
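Review bot: After this change the manual steps use ./config fipscanisteronly while this paragraph says the automatic build uses fipscanisterbuild, and the README never explains how the two options differ. Suggest a sentence on the difference, and on whether the external symbol check still applies to this build now that -DOPENSSL_FIPSYMS is no longer mentioned here.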
FIPS capable OpenSSL test: WARNING PRELIMINARY INSTRUCTIONS, SUBJECT TO CHANGE.
For Windows:
-perl Configure VC-WIN32 [other args]
+perl Configure VC-WIN32 fips [other args]
ms\do_nasm
nmake -f ms\ntdll.mak
Known issues:
-Algorithm tests are pre-2011.
-The fipslagtest.pl script wont auto run new algorithm tests such as DSA2.
Code needs extensively reviewing to ensure it builds correctly on
supported platforms and is compliant with FIPS 140-2.
The "FIPS capable OpenSSL" is still largely untested, it builds and runs