X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=README.FIPS;h=859348664ef6b08db3421bedc535298520526997;hp=3b51d4de4504abd80fa688d20f5061bb02256e68;hb=826e154481e93413a79c37cb1bf4da6175a05875;hpb=c9adde0699c140840572f3bae976b8bae94fc7af diff --git a/README.FIPS b/README.FIPS index 3b51d4de45..859348664e 100644 --- a/README.FIPS +++ b/README.FIPS @@ -1,83 +1 @@ -Preliminary status and build information for FIPS module v2.0 - -If you have any object files from a previous build do: - -make clean - -To build the module do: - -./config fipscanisterbuild -make - -Build should complete without errors. - -Run test suite: - -test/fips_test_suite - -again should complete without errors. - -Run test vectors: - -1. Download an appropriate set of testvectors from www.openssl.org/docs/fips - those for 2007 are OK. - -2. Extract the files to a suitable directory. - -3. Run the test vector perl script, for example: - - cd fips - perl fipsalgtest.pl --dir=/wherever/stuff/was/extracted - -4. It should say "passed all tests" at the end. Report full details of any - failures. - -Run: - -make clean - -to remove any object modules from previous compile. - -Run symbol hiding test: - -./config fipscanisteronly -DOPENSSL_FIPSSYMS -make - -This time only the fips utilities should be built. - -Examine the external symbols in fips/fipscanister.o they should all begin -with FIPS or fips. One way to check with GNU nm is: - -nm -g --defined-only fips/fipscanister.o | grep -v -i fips - -Restricted tarball tests. - -The validated module will have its own tarball containing sufficient code to -build fipscanister.o and the associated algorithm tests. You can create a -similar tarball yourself for testing purposes using the commands below. - -Standard restricted tarball: - -make -f Makefile.fips dist - -Prime field field only ECC tarball: - -make NOEC2M=1 -f Makefile.fips dist - -Once you've created the tarball extract into a fresh directory and do: - -./config -make - -You can then run the algorithm tests as above. This build automatically uses -fipscanisteronly and -DOPENSSL_FIPSYMS and no-ec2m as appropriate. - -Known issues: - -Algorithm tests are pre-2011. -The fipslagtest.pl script wont auto run new algorithm tests such as DSA2. -Code needs extensively reviewing to ensure it builds correctly on -supported platforms and is compliant with FIPS 140-2. -The "FIPS capable OpenSSL" is not yet complete: meaning that the rest of -OpenSSL doesn't always use the correct FIPS module APIs and block others -in FIPS mode. +This release does not support a FIPS 140-2 validated module.