-Preliminary status and build information for FIPS module v2.0
-
-If you have any object files from a previous build do:
-
-make clean
-
-To build the module do:
-
-./config fipscanisterbuild
-make
-
-Build should complete without errors.
-
-Run test suite:
-
-test/fips_test_suite
-
-again should complete without errors.
-
-Run test vectors:
-
-1. Download an appropriate set of testvectors from www.openssl.org/docs/fips
- those for 2007 are OK.
-
-2. Extract the files to a suitable directory.
-
-3. Run the test vector perl script, for example:
-
- cd fips
- perl fipsalgtest.pl --dir=/wherever/stuff/was/extracted
-
-4. It should say "passed all tests" at the end. Report full details of any
- failures.
-
-Run:
-
-make clean
-
-to remove any object modules from previous compile.
-
-Run symbol hiding test:
-
-./config fipscanisteronly -DOPENSSL_FIPSSYMS
-make
-
-This time only the fips utilities should be built.
-
-Examine the external symbols in fips/fipscanister.o they should all begin
-with FIPS or fips. One way to check with GNU nm is:
-
-nm -g --defined-only fips/fipscanister.o | grep -v -i fips
-
-Restricted tarball tests.
-
-The validated module will have its own tarball containing sufficient code to
-build fipscanister.o and the associated algorithm tests. You can create a
-similar tarball yourself for testing purposes using the commands below.
-
-Standard restricted tarball:
-
-make -f Makefile.fips dist
-
-Prime field field only ECC tarball:
-
-make NOEC2M=1 -f Makefile.fips dist
-
-Once you've created the tarball extract into a fresh directory and do:
-
-./config
-make
-
-You can then run the algorithm tests as above. This build automatically uses
-fipscanisteronly and -DOPENSSL_FIPSYMS and no-ec2m as appropriate.
-
-Known issues:
-
-Algorithm tests are pre-2011.
-The fipslagtest.pl script wont auto run new algorithm tests such as DSA2.
-Usage of ECDH/DH needs review and whether any KDFs need to be implemented.
-Selftests need updating with larger key sizes in some cases and redundant
-tests pruned.
-SP800-90 DRBG needs more work: check for compliance, continuous PRNG test
-when entropy gathering, periodic health tests.
-Some algorithms need to check security strength of PRNG: keygen etc.
-No CCM.
-No XTS.
-The "FIPS capable OpenSSL" is not yet complete: meaning that the rest of
-OpenSSL doesn't always use the correct FIPS module APIs and block others
-in FIPS mode.
+This release does not support a FIPS 140-2 validated module.
projects / openssl.git / blobdiff