mirror of
https://github.com/openssl/openssl.git
synced 2024-12-09 05:51:54 +08:00
90 lines
2.3 KiB
Plaintext
90 lines
2.3 KiB
Plaintext
Preliminary status and build information for FIPS module v2.0
|
|
|
|
If you have any object files from a previous build do:
|
|
|
|
make clean
|
|
|
|
To build the module do:
|
|
|
|
./config fipscanisterbuild
|
|
make
|
|
|
|
Build should complete without errors.
|
|
|
|
Run test suite:
|
|
|
|
test/fips_test_suite
|
|
|
|
again should complete without errors.
|
|
|
|
Run test vectors:
|
|
|
|
1. Download an appropriate set of testvectors from www.openssl.org/docs/fips
|
|
those for 2007 are OK.
|
|
|
|
2. Extract the files to a suitable directory.
|
|
|
|
3. Run the test vector perl script, for example:
|
|
|
|
cd fips
|
|
perl fipsalgtest.pl --dir=/wherever/stuff/was/extracted
|
|
|
|
4. It should say "passed all tests" at the end. Report full details of any
|
|
failures.
|
|
|
|
Run:
|
|
|
|
make clean
|
|
|
|
to remove any object modules from previous compile.
|
|
|
|
Run symbol hiding test:
|
|
|
|
./config fipscanisteronly -DOPENSSL_FIPSSYMS
|
|
make
|
|
|
|
This time only the fips utilities should be built.
|
|
|
|
Examine the external symbols in fips/fipscanister.o they should all begin
|
|
with FIPS or fips. One way to check with GNU nm is:
|
|
|
|
nm -g --defined-only fips/fipscanister.o | grep -v -i fips
|
|
|
|
Restricted tarball tests.
|
|
|
|
The validated module will have its own tarball containing sufficient code to
|
|
build fipscanister.o and the associated algorithm tests. You can create a
|
|
similar tarball yourself for testing purposes using the commands below.
|
|
|
|
Standard restricted tarball:
|
|
|
|
make -f Makefile.fips dist
|
|
|
|
Prime field field only ECC tarball:
|
|
|
|
make NOEC2M=1 -f Makefile.fips dist
|
|
|
|
Once you've created the tarball extract into a fresh directory and do:
|
|
|
|
./config
|
|
make
|
|
|
|
You can then run the algorithm tests as above. This build automatically uses
|
|
fipscanisteronly and -DOPENSSL_FIPSYMS and no-ec2m as appropriate.
|
|
|
|
Known issues:
|
|
|
|
Algorithm tests are pre-2011.
|
|
The fipslagtest.pl script wont auto run new algorithm tests such as DSA2.
|
|
Usage of ECDH/DH needs review and whether any KDFs need to be implemented.
|
|
Selftests need updating with larger key sizes in some cases and redundant
|
|
tests pruned.
|
|
SP800-90 DRBG needs more work: check for compliance, continuous PRNG test
|
|
when entropy gathering, periodic health tests.
|
|
Some algorithms need to check security strength of PRNG: keygen etc.
|
|
No CCM.
|
|
No XTS.
|
|
The "FIPS capable OpenSSL" is not yet complete: meaning that the rest of
|
|
OpenSSL doesn't always use the correct FIPS module APIs and block others
|
|
in FIPS mode.
|