X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=README.FIPS;h=c41bab99307bfc71bc69ea876e6640b68b099667;hp=31fd61c395d19bfa800962f667652be066cb5155;hb=ab97b2cd4301074fd88fd2f13b8c79342593dae4;hpb=21a40da045119f903572f6aeae6fd91a2f77996c diff --git a/README.FIPS b/README.FIPS index 31fd61c395..c41bab9930 100644 --- a/README.FIPS +++ b/README.FIPS @@ -1,7 +1,7 @@ Preliminary status and build information for FIPS module v2.0 -NB: if you are cross compiling you now need to use the latest "incore2" script -from http://www.openssl.org/docs/fips/incore2 +NB: if you are cross compiling you now need to use the latest "incore" script +this can be found at util/incore in the tarballs. If you have any object files from a previous build do: @@ -9,11 +9,15 @@ make clean To build the module do: -./config fipscanisterbuild +./config fipscanisteronly make Build should complete without errors. +Build test utilities: + +make build_tests + Run test suite: test/fips_test_suite @@ -23,7 +27,7 @@ again should complete without errors. Run test vectors: 1. Download an appropriate set of testvectors from www.openssl.org/docs/fips - those for 2007 are OK. + only the fips-2.0 testvector files are usable for complete tests. 2. Extract the files to a suitable directory. @@ -35,23 +39,16 @@ Run test vectors: 4. It should say "passed all tests" at the end. Report full details of any failures. -Run: - -make clean - -to remove any object modules from previous compile. - -Run symbol hiding test: - -./config fipscanisteronly -DOPENSSL_FIPSSYMS -make - -This time only the fips utilities should be built. +If you wish to use the older 1.2.x testvectors (for example those from 2007) +you need the command line switch --disable-v2 to fipsalgtest.pl Examine the external symbols in fips/fipscanister.o they should all begin with FIPS or fips. One way to check with GNU nm is: -nm -g --defined-only fips/fipscanister.o | grep -v -i fips + nm -g --defined-only fips/fipscanister.o | grep -v -i fips + +If you get *any* output at all from this test (i.e. symbols not starting with +fips or FIPS) please report it. Restricted tarball tests. @@ -73,14 +70,61 @@ Once you've created the tarball extract into a fresh directory and do: make You can then run the algorithm tests as above. This build automatically uses -fipscanisteronly and -DOPENSSL_FIPSYMS and no-ec2m as appropriate. +fipscanisterbuild and no-ec2m as appropriate. + +FIPS capable OpenSSL test: WARNING PRELIMINARY INSTRUCTIONS, SUBJECT TO CHANGE. + +At least initially the test module and FIPS capable OpenSSL may change and +by out of sync. You are advised to check for any changes and pull the latest +source from CVS if you have problems. See anon CVS and rsync instructions at: + +http://www.openssl.org/source/repos.html + +Make or download a restricted tarball from ftp://ftp.openssl.org/snapshot/ + +If required set the environment variable FIPSDIR to an appropriate location +to install the test module. If cross compiling set other environment +variables too. + +In this restricted tarball on a Linux or U*ix like system run: + +./config +make +make install + +On Windows from a VC++ environment do: + +ms\do_fips + +This will build and install the test module and some associated files. + +Now download the latest version of the OpenSSL 1.0.1 branch from either a +snapshot or preferably CVS. For Linux do: + +./config fips [other args] +make + +For Windows: + +perl Configure VC-WIN32 fips [other args] +ms\do_nasm +nmake -f ms\ntdll.mak + +(or ms\nt.mak for a static build). + +Where [other args] can be any other arguments you use for an OpenSSL build +such as "shared" or "zlib". + +This will build the fips capable OpenSSL and link it to the test module. You +can now try linking and testing applications against the FIPS capable OpenSSL. + +Please report any problems to either the openssl-dev mailing list or directly +to me steve@openssl.org . Check the mailing lists regularly to avoid duplicate +reports. Known issues: -Algorithm tests are pre-2011. -The fipslagtest.pl script wont auto run new algorithm tests such as DSA2. Code needs extensively reviewing to ensure it builds correctly on supported platforms and is compliant with FIPS 140-2. -The "FIPS capable OpenSSL" is not yet complete: meaning that the rest of -OpenSSL doesn't always use the correct FIPS module APIs and block others -in FIPS mode. +The "FIPS capable OpenSSL" is still largely untested, it builds and runs +some simple tests OK on some systems but needs far more "real world" testing.