Brief instructions on using OpenSSL 0.9.8 FIPS 140-2 test branch.

NOTE: this distribution is NOT FIPS 140-2 validated. These instructions are
intended for people who wish to test the OpenSSL FIPS 140-2 1.2 module. More
complete instructions will be made available after validation.

1. Build from test tarball.

Download the OpenSSL test 1.2 source tree. The current version has the CVS tag
FIPS_098_TEST_8 or can be downloaded from:

    ftp://ftp.openssl.org/snapshot/openssl-fips-test-1.2.0.tar.gz

Ignore any instructions in that tree: they are likely to be out of date.

If you are using a Unix-like environment run the following commands. You may
NOT specify ANY other options at this stage.

    ./config fipscanisterbuild
    make
    make install

This will build and install the test 1.2 module and binaries under
/usr/local/fips-1.0

For Windows you need VC++, perl and NASM installed. This is now a pure VC++
build: no alternative compilers or tools are required. From a VC++ environment
do:

    ms\do_fips

It should report that the compile was successful.

This will compile binaries into the out32dll directory. They can be copied to
a more convenient location.

2. Link test module to a more recent version of OpenSSL.

Once the test module has been installed it can be linked against a more recent
version of OpenSSL. Currently only versions from the 0.9.8-fips stable branch
can be used. It has the CVS tag OpenSSL-fips-0_9_8-stable; daily snapshots can
also be downloaded as:

    ftp://ftp.openssl.org/snapshot/openssl-0.9.8-fips-test-SNAP-YYMMDD.tar.gz

For a Unix build the standard build procedure is followed and the option "fips"
is passed to either the config or Configure scripts. The fipscanisterbuild
option MUST NOT be used. Any other options may be included. Static libraries
can be built using the no-shared option.

For example:

    ./config fips

    ./config fips no-shared

For Windows builds the options "fips" and --with-fipslibdir=<path> are passed
to the Configure script where <path> is wherever the module was installed.

For example:

    perl Configure fips --with-fipslibdir=C:\some\path\fips

Then the build process continues in the normal way, for example:

    ms\do_nasm
    nmake -f ms\ntdll.mak

for DLLs or

    ms\do_nasm
    nmake -f ms\nt.mak

for static builds.

3. Test new version of OpenSSL.

The new test FIPS-enabled OpenSSL can now be tested in the usual way.

Additionally binary compatibility tests against OpenSSL 0.9.8x would be
MOST welcome. This will help avoid any major issues when the 0.9.8-fips
branch is merged into the 0.9.8 branch.

Any problems should be reported to the openssl-dev mailing list.