updated FIPS status

author Dr. Stephen Henson <steve@openssl.org>

Wed, 6 Apr 2011 13:40:36 +0000 (13:40 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Wed, 6 Apr 2011 13:40:36 +0000 (13:40 +0000)
author Dr. Stephen Henson <steve@openssl.org>
Wed, 6 Apr 2011 13:40:36 +0000 (13:40 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Wed, 6 Apr 2011 13:40:36 +0000 (13:40 +0000)
diff --git a/README.FIPS b/README.FIPS

index 5197276740af8cec5c980693b6204b07b2287ca0..5c5fa295ceccbe6bc81a8d74dc3a41505107157d 100644 (file)
--- a/README.FIPS
+++ b/README.FIPS
@@ -44,11 +44,14 @@ Known issues:
  
  Algorithm tests are pre-2011.
  The fipslagtest.pl script wont auto run new algorithm tests such as DSA2.
  
  Algorithm tests are pre-2011.
  The fipslagtest.pl script wont auto run new algorithm tests such as DSA2.
-Usage of ECDH/DH needs review and adding appropriate self tests.
+Usage of ECDH/DH needs review and whether any KDFs need to be implemented.
  Selftests need updating with larger key sizes in some cases and redundant
  tests pruned.
  Selftests need updating with larger key sizes in some cases and redundant
  tests pruned.
-SP800-90 DRBG needs more work: health checks, continuous PRNG test,
-entropy gathering, security checks in algorithms, add appropriate RAND method
-for use by rest of OpenSSL.
-No CMAC.
+SP800-90 DRBG needs more work: check for compliance, continuous PRNG test
+when entropy gathering, periodic health tests.
+Some algorithms need to check security strength of PRNG: keygen etc.
  No CCM.
  No CCM.
+No XTS.
+The "FIPS capable OpenSSL" is not yet complete: meaning that the rest of
+OpenSSL doesn't always use the correct FIPS module APIs and block others
+in FIPS mode.
author	Dr. Stephen Henson <steve@openssl.org>
	Wed, 6 Apr 2011 13:40:36 +0000 (13:40 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Wed, 6 Apr 2011 13:40:36 +0000 (13:40 +0000)