X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=README.FIPS;h=3b51d4de4504abd80fa688d20f5061bb02256e68;hb=75359644d0c905a21ddba5928a62d2aa3ebcf8b2;hp=edd92e32924cd2f841195d8cd03ea4a2edacea92;hpb=44f54a130b3b183636de05bf6aa2ed38004d1740;p=oweals%2Fopenssl.git diff --git a/README.FIPS b/README.FIPS index edd92e3292..3b51d4de45 100644 --- a/README.FIPS +++ b/README.FIPS @@ -1,5 +1,9 @@ Preliminary status and build information for FIPS module v2.0 +If you have any object files from a previous build do: + +make clean + To build the module do: ./config fipscanisterbuild 
@@ -13,14 +17,67 @@ test/fips_test_suite again should complete without errors. -Run test vectors: TBA. +Run test vectors: + +1. Download an appropriate set of testvectors from www.openssl.org/docs/fips + those for 2007 are OK. + +2. Extract the files to a suitable directory. + +3. Run the test vector perl script, for example: + + cd fips + perl fipsalgtest.pl --dir=/wherever/stuff/was/extracted + +4. It should say "passed all tests" at the end. Report full details of any + failures. + +Run: + +make clean + +to remove any object modules from previous compile. + +Run symbol hiding test: + +./config fipscanisteronly -DOPENSSL_FIPSSYMS +make + +This time only the fips utilities should be built. + +Examine the external symbols in fips/fipscanister.o they should all begin +with FIPS or fips. One way to check with GNU nm is: + +nm -g --defined-only fips/fipscanister.o | grep -v -i fips + +Restricted tarball tests. + +The validated module will have its own tarball containing sufficient code to +build fipscanister.o and the associated algorithm tests. You can create a +similar tarball yourself for testing purposes using the commands below. + +Standard restricted tarball: + +make -f Makefile.fips dist + +Prime field field only ECC tarball: + +make NOEC2M=1 -f Makefile.fips dist + +Once you've created the tarball extract into a fresh directory and do: + +./config +make + +You can then run the algorithm tests as above. This build automatically uses +fipscanisteronly and -DOPENSSL_FIPSYMS and no-ec2m as appropriate. Known issues: -No Windows support. Algorithm tests are pre-2011. -No SP800-90 PRNG. -No ECDSA2 support. -No DSA2 support. -No GCM. -No CMAC. +The fipslagtest.pl script wont auto run new algorithm tests such as DSA2. +Code needs extensively reviewing to ensure it builds correctly on +supported platforms and is compliant with FIPS 140-2. 
+The "FIPS capable OpenSSL" is not yet complete: meaning that the rest of +OpenSSL doesn't always use the correct FIPS module APIs and block others +in FIPS mode.
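Review bot: The macro name is spelled two ways in the second hunk: the symbol hiding test passes -DOPENSSL_FIPSSYMS to ./config, while the restricted tarball paragraph says the build uses -DOPENSSL_FIPSYMS. Please settle on one spelling so the documented flag matches the one in the command. The script name has the same problem: step 3 runs fipsalgtest.pl, but Known issues refers to fipslagtest.pl. On the symbol check, "grep -v -i fips" drops every nm output line that contains "fips" anywhere, whereas the text requires each external symbol to begin with FIPS or fips, so a symbol with "fips" only in the middle of its name would pass unnoticed; matching on the start of the symbol name column would make the command enforce the stated rule. Smaller points in the same hunk: "Prime field field only" repeats a word, "wont" should be "won't", and "those for 2007 are OK" reads better as its own sentence.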