X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=README.FIPS;h=3b51d4de4504abd80fa688d20f5061bb02256e68;hb=75359644d0c905a21ddba5928a62d2aa3ebcf8b2;hp=5e3b5ab79c7c79a8eab65fabdb2463efdf5559ce;hpb=8aa6cff40fa392c993929a1661cc4ca66f3f5a8f;p=oweals%2Fopenssl.git diff --git a/README.FIPS b/README.FIPS index 5e3b5ab79c..3b51d4de45 100644 --- a/README.FIPS +++ b/README.FIPS @@ -1,5 +1,9 @@ Preliminary status and build information for FIPS module v2.0 +If you have any object files from a previous build do: + +make clean + To build the module do: ./config fipscanisterbuild @@ -28,6 +32,12 @@ Run test vectors: 4. It should say "passed all tests" at the end. Report full details of any failures. +Run: + +make clean + +to remove any object modules from previous compile. + Run symbol hiding test: ./config fipscanisteronly -DOPENSSL_FIPSSYMS @@ -40,14 +50,34 @@ with FIPS or fips. One way to check with GNU nm is: nm -g --defined-only fips/fipscanister.o | grep -v -i fips +Restricted tarball tests. + +The validated module will have its own tarball containing sufficient code to +build fipscanister.o and the associated algorithm tests. You can create a +similar tarball yourself for testing purposes using the commands below. + +Standard restricted tarball: + +make -f Makefile.fips dist + +Prime field field only ECC tarball: + +make NOEC2M=1 -f Makefile.fips dist + +Once you've created the tarball extract into a fresh directory and do: + +./config +make + +You can then run the algorithm tests as above. This build automatically uses +fipscanisteronly and -DOPENSSL_FIPSYMS and no-ec2m as appropriate. + Known issues: Algorithm tests are pre-2011. The fipslagtest.pl script wont auto run new algorithm tests such as DSA2. -No ECDH. -No primitives tests for ECDH/DH -Selftests need updating with larger key sizes in some cases and redundant -tests pruned. -No SP800-90 PRNG. -No CMAC. -No CCM. +Code needs extensively reviewing to ensure it builds correctly on +supported platforms and is compliant with FIPS 140-2. +The "FIPS capable OpenSSL" is not yet complete: meaning that the rest of +OpenSSL doesn't always use the correct FIPS module APIs and block others +in FIPS mode.