Clarify README.FIPS.

[openssl.git] / README.FIPS

diff --git a/README.FIPS b/README.FIPS
index 2829bf789bd79073eafbf3c835088536742b640e..6c5250cf44f882581a5bdac09ab22d390596aa0e 100644 (file)
--- a/README.FIPS
+++ b/README.FIPS
@@ -28,13 +28,36 @@ Run test vectors:
 4. It should say "passed all tests" at the end. Report full details of any
    failures.
 
 4. It should say "passed all tests" at the end. Report full details of any
    failures.
 

+Run:
+
+make clean
+
+to remove any object modules from previous compile.
+
+Run symbol hiding test:
+
+./config fipscanisteronly -DOPENSSL_FIPSSYMS
+make
+
+This time only the fips utilities should be built.
+
+Examine the external symbols in fips/fipscanister.o they should all begin
+with FIPS or fips. One way to check with GNU nm is:
+
+nm -g --defined-only fips/fipscanister.o | grep -v -i fips

 
 Known issues:
 
 
 Known issues:
 

-No Windows support. 

 Algorithm tests are pre-2011.
 Algorithm tests are pre-2011.

-No SP800-90 PRNG.
-No ECDSA2 support.
-No DSA2 support: work in progress.
-No GCM.
-No CMAC.
+The fipslagtest.pl script wont auto run new algorithm tests such as DSA2.
+Usage of ECDH/DH needs review and whether any KDFs need to be implemented.
+Selftests need updating with larger key sizes in some cases and redundant
+tests pruned.
+SP800-90 DRBG needs more work: check for compliance, continuous PRNG test
+when entropy gathering, periodic health tests.
+Some algorithms need to check security strength of PRNG: keygen etc.
+No CCM.
+No XTS.
+The "FIPS capable OpenSSL" is not yet complete: meaning that the rest of
+OpenSSL doesn't always use the correct FIPS module APIs and block others
+in FIPS mode.