Preliminary status and build information for FIPS module v2.0

To build the module do:

./config fipscanisterbuild

Build should complete without errors.

again should complete without errors.

1. Download an appropriate set of test vectors from www.openssl.org/docs/fips;
those for 2007 are OK.

2. Extract the files to a suitable directory.

3. Run the test vector perl script, for example:

perl fipsalgtest.pl --dir=/wherever/stuff/was/extracted

4. It should say "passed all tests" at the end. Report full details of any

to remove any object modules from previous compile.

Run symbol hiding test:

./config fipscanisteronly -DOPENSSL_FIPSSYMS

This time only the fips utilities should be built.

Examine the external symbols in fips/fipscanister.o; they should all begin
with FIPS or fips. One way to check with GNU nm is:

nm -g --defined-only fips/fipscanister.o | grep -v -i fips
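
A stricter form of the check above, as an added example (not part of the
OpenSSL distribution): the grep filter drops any line that contains "fips"
anywhere, in any case, so a symbol that merely contains the string would go
unreported; this function tests the start of the name instead. It assumes GNU
nm's default "<value> <type> <name>" output; the function names and the sample
symbols are constructed for illustration.

```shell
#!/bin/sh
# Added example: prefix-based version of the nm | grep symbol hiding check.
# Reads GNU nm default output on stdin, one "<value> <type> <name>" per line.
# Prints "<type> <name>" for every symbol whose name does not START with
# "FIPS" or "fips". Exit status: 0 = all symbols conform, 1 = offenders found.
nonfips_symbols() {
    awk '
        BEGIN { bad = 0 }
        NF >= 3 {                      # skips blank lines and "file.o:" headers
            name = $NF
            if (name !~ /^(FIPS|fips)/) {
                print $(NF - 1), name
                bad = 1
            }
        }
        END { exit bad }
    '
}

# Constructed sample input (NOT real output from fips/fipscanister.o).
sample_nm_output() {
    cat <<'EOF'
0000000000000000 T FIPS_example_init
0000000000000040 T fips_example_update
0000000000000080 T example_leaked_symbol
0000000000000010 D helper_fips_table
0000000000000004 C FIPS_example_status
EOF
}

# Demo on the constructed sample. helper_fips_table is reported here, but
# "grep -v -i fips" would hide it because the name contains "fips".
sample_nm_output | nonfips_symbols || echo "external symbols without FIPS/fips prefix found"

# Real use, from the top of the build tree:
#   nm -g --defined-only fips/fipscanister.o | nonfips_symbols
```
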

Algorithm tests are pre-2011.
The fipsalgtest.pl script won't auto run new algorithm tests such as DSA2.
Usage of ECDH/DH needs review and whether any KDFs need to be implemented.
Selftests need updating with larger key sizes in some cases and redundant

SP800-90 DRBG needs more work: check for compliance, continuous PRNG test
when entropy gathering, periodic health tests.
Some algorithms need to check security strength of PRNG: keygen etc.

The "FIPS capable OpenSSL" is not yet complete: meaning that the rest of
OpenSSL doesn't always use the correct FIPS module APIs and block others