X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=README.FIPS;h=3b51d4de4504abd80fa688d20f5061bb02256e68;hb=75359644d0c905a21ddba5928a62d2aa3ebcf8b2;hp=5197276740af8cec5c980693b6204b07b2287ca0;hpb=4d5d28675ebe00fbe2bbf89d80122625ae0c13cb;p=oweals%2Fopenssl.git diff --git a/README.FIPS b/README.FIPS index 5197276740..3b51d4de45 100644 --- a/README.FIPS +++ b/README.FIPS @@ -1,5 +1,9 @@ Preliminary status and build information for FIPS module v2.0 +If you have any object files from a previous build do: + +make clean + To build the module do: ./config fipscanisterbuild @@ -28,6 +32,12 @@ Run test vectors: 4. It should say "passed all tests" at the end. Report full details of any failures. +Run: + +make clean + +to remove any object modules from previous compile. + Run symbol hiding test: ./config fipscanisteronly -DOPENSSL_FIPSSYMS @@ -40,15 +50,34 @@ with FIPS or fips. One way to check with GNU nm is: nm -g --defined-only fips/fipscanister.o | grep -v -i fips +Restricted tarball tests. + +The validated module will have its own tarball containing sufficient code to +build fipscanister.o and the associated algorithm tests. You can create a +similar tarball yourself for testing purposes using the commands below. + +Standard restricted tarball: + +make -f Makefile.fips dist + +Prime field field only ECC tarball: + +make NOEC2M=1 -f Makefile.fips dist + +Once you've created the tarball extract into a fresh directory and do: + +./config +make + +You can then run the algorithm tests as above. This build automatically uses +fipscanisteronly and -DOPENSSL_FIPSYMS and no-ec2m as appropriate. + Known issues: Algorithm tests are pre-2011. The fipslagtest.pl script wont auto run new algorithm tests such as DSA2. -Usage of ECDH/DH needs review and adding appropriate self tests. -Selftests need updating with larger key sizes in some cases and redundant -tests pruned. -SP800-90 DRBG needs more work: health checks, continuous PRNG test, -entropy gathering, security checks in algorithms, add appropriate RAND method -for use by rest of OpenSSL. -No CMAC. -No CCM. +Code needs extensively reviewing to ensure it builds correctly on +supported platforms and is compliant with FIPS 140-2. +The "FIPS capable OpenSSL" is not yet complete: meaning that the rest of +OpenSSL doesn't always use the correct FIPS module APIs and block others +in FIPS mode.