X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=README.FIPS;h=859348664ef6b08db3421bedc535298520526997;hp=a30adea8c9b540ca85fdde7e77d10339f8e7c8f8;hb=ae97a654cadef86d063b4917fdf67f81f5e71f19;hpb=f9bf6314ea4fc5b4ad98d1319a548e455b60eb1a diff --git a/README.FIPS b/README.FIPS index a30adea8c9..859348664e 100644 --- a/README.FIPS +++ b/README.FIPS @@ -1,85 +1 @@ -Preliminary status and build information for FIPS module v2.0 - -To build the module do: - -./config fipscanisterbuild -make - -Build should complete without errors. - -Run test suite: - -test/fips_test_suite - -again should complete without errors. - -Run test vectors: - -1. Download an appropriate set of testvectors from www.openssl.org/docs/fips - those for 2007 are OK. - -2. Extract the files to a suitable directory. - -3. Run the test vector perl script, for example: - - cd fips - perl fipsalgtest.pl --dir=/wherever/stuff/was/extracted - -4. It should say "passed all tests" at the end. Report full details of any - failures. - -Run: - -make clean - -to remove any object modules from previous compile. - -Run symbol hiding test: - -./config fipscanisteronly -DOPENSSL_FIPSSYMS -make - -This time only the fips utilities should be built. - -Examine the external symbols in fips/fipscanister.o they should all begin -with FIPS or fips. One way to check with GNU nm is: - -nm -g --defined-only fips/fipscanister.o | grep -v -i fips - -Restricted tarball tests. - -The validated module will have its own tarball containing sufficient code to -build fipscanister.o and the associated algorithm tests. You can create a -similar tarball yourself for testing purposes using the commands below. - -Standard restricted tarball: - -make -f Makefile.fips dist - -Prime field field only ECC tarball: - -make NOEC2M=1 -f Makefile.fips dist - -Once you've created the tarball extract into a fresh directory and do: - -./config -make - -You can then run the algorithm tests as above. This build automatically uses -fipscanisteronly and -DOPENSSL_FIPSYMS and no-ec2m as appropriate. - -Known issues: - -Algorithm tests are pre-2011. -The fipslagtest.pl script wont auto run new algorithm tests such as DSA2. -Usage of ECDH/DH needs review and whether any KDFs need to be implemented. -Selftests need updating with larger key sizes in some cases and redundant -tests pruned. -SP800-90 DRBG needs more work: check for compliance, continuous PRNG test -when entropy gathering, periodic health tests. -Some algorithms need to check security strength of PRNG: keygen etc. -No CCM. -No XTS. -The "FIPS capable OpenSSL" is not yet complete: meaning that the rest of -OpenSSL doesn't always use the correct FIPS module APIs and block others -in FIPS mode. +This release does not support a FIPS 140-2 validated module.