openssl/README.FIPS
2011-05-10 10:59:25 +00:00

87 lines
2.2 KiB
Plaintext

Preliminary status and build information for FIPS module v2.0
NB: if you are cross compiling you now need to use the latest "incore2" script
from http://www.openssl.org/docs/fips/incore2
If you have any object files from a previous build do:
make clean
To build the module do:
./config fipscanisterbuild
make
Build should complete without errors.
Run test suite:
test/fips_test_suite
again should complete without errors.
Run test vectors:
1. Download an appropriate set of testvectors from www.openssl.org/docs/fips
those for 2007 are OK.
2. Extract the files to a suitable directory.
3. Run the test vector perl script, for example:
cd fips
perl fipsalgtest.pl --dir=/wherever/stuff/was/extracted
4. It should say "passed all tests" at the end. Report full details of any
failures.
Run:
make clean
to remove any object modules from previous compile.
Run symbol hiding test:
./config fipscanisteronly -DOPENSSL_FIPSSYMS
make
This time only the fips utilities should be built.
Examine the external symbols in fips/fipscanister.o they should all begin
with FIPS or fips. One way to check with GNU nm is:
nm -g --defined-only fips/fipscanister.o | grep -v -i fips
Restricted tarball tests.
The validated module will have its own tarball containing sufficient code to
build fipscanister.o and the associated algorithm tests. You can create a
similar tarball yourself for testing purposes using the commands below.
Standard restricted tarball:
make -f Makefile.fips dist
Prime field field only ECC tarball:
make NOEC2M=1 -f Makefile.fips dist
Once you've created the tarball extract into a fresh directory and do:
./config
make
You can then run the algorithm tests as above. This build automatically uses
fipscanisteronly and -DOPENSSL_FIPSYMS and no-ec2m as appropriate.
Known issues:
Algorithm tests are pre-2011.
The fipslagtest.pl script wont auto run new algorithm tests such as DSA2.
Code needs extensively reviewing to ensure it builds correctly on
supported platforms and is compliant with FIPS 140-2.
The "FIPS capable OpenSSL" is not yet complete: meaning that the rest of
OpenSSL doesn't always use the correct FIPS module APIs and block others
in FIPS mode.