Preliminary status and build information for FIPS module v2.0
+NB: if you are cross compiling you now need to use the latest "incore2" script
+from http://www.openssl.org/docs/fips/incore2
+
+If you have any object files from a previous build do:
+
+make clean
+
To build the module do:
./config fipscanisterbuild
nm -g --defined-only fips/fipscanister.o | grep -v -i fips
+Restricted tarball tests.
+
+The validated module will have its own tarball containing sufficient code to
+build fipscanister.o and the associated algorithm tests. You can create a
+similar tarball yourself for testing purposes using the commands below.
+
+Standard restricted tarball:
+
+make -f Makefile.fips dist
+
+Prime field field only ECC tarball:
+
+make NOEC2M=1 -f Makefile.fips dist
+
+Once you've created the tarball extract into a fresh directory and do:
+
+./config
+make
+
+You can then run the algorithm tests as above. This build automatically uses
+fipscanisteronly and -DOPENSSL_FIPSYMS and no-ec2m as appropriate.
+
Known issues:
Algorithm tests are pre-2011.
The fipslagtest.pl script wont auto run new algorithm tests such as DSA2.
-Usage of ECDH/DH needs review and whether any KDFs need to be implemented.
-Selftests need updating with larger key sizes in some cases and redundant
-tests pruned.
-SP800-90 DRBG needs more work: check for compliance, continuous PRNG test
-when entropy gathering, periodic health tests.
-Some algorithms need to check security strength of PRNG: keygen etc.
-No CCM.
-No XTS.
+Code needs extensively reviewing to ensure it builds correctly on
+supported platforms and is compliant with FIPS 140-2.
The "FIPS capable OpenSSL" is not yet complete: meaning that the rest of
OpenSSL doesn't always use the correct FIPS module APIs and block others
in FIPS mode.
projects / openssl.git / blobdiff