openssl/README.FIPS

85 lines
2.6 KiB
Text
Raw Normal View History

2007-12-16 18:02:17 +00:00
Brief instructions on using OpenSSL 0.9.8 FIPS 140-2 test branch.
2007-03-22 00:39:24 +00:00
2007-12-16 18:02:17 +00:00
NOTE: this distribution is NOT FIPS140-2 validated. These instructions are
intended for people who wish to test the OpenSSL FIPS 140-2 1.2 module. More
complete instructions will be made available after validation.
2007-03-22 00:39:24 +00:00
2007-12-16 18:02:17 +00:00
1. Build from test tarball.
2007-03-22 00:39:24 +00:00
2007-12-16 18:02:17 +00:00
Download the OpenSSL test 1.2 source tree. The current version has the CVS tag
2007-12-16 23:32:10 +00:00
FIPS_098_TEST_8 or can be downloaded from:
ftp://ftp.openssl.org/snapshot/openssl-fips-test-1.2.0.tar.gz
Ignore any instructions in that tree: they are likely to be out of date.
2007-03-22 00:39:24 +00:00
2007-12-16 18:02:17 +00:00
If you are using a Unix like environment run the following commands. You may
2007-12-16 23:32:10 +00:00
NOT specify ANY other options at this stage.
2007-03-22 00:39:24 +00:00
2007-12-16 18:02:17 +00:00
./config fipscanisterbuild
make
make install
2007-03-22 00:39:24 +00:00
2007-12-16 18:36:12 +00:00
This will build and install the test 1.2 module and binaries under
2007-12-16 18:02:17 +00:00
/usr/local/fips-1.0
2007-03-22 00:39:24 +00:00
2007-12-16 18:02:17 +00:00
For Windows you need VC++, perl and NASM installed. This is now a pure VC++
build: no alternative compilers or tools are required. From a VC++ environment
do:
2007-03-22 00:39:24 +00:00
2007-12-14 01:43:41 +00:00
ms\do_fips
2007-03-22 00:39:24 +00:00
2007-12-16 18:02:17 +00:00
It should report that the compile was successful.
This will compile binaries into the out32dll directory. They can be copied to
a more convenient location.
2. Link test module to a more recent version of OpenSSL.
Once the test module has been installed it can be linked against a more recent
version of OpenSSL. Currently only versions from the 0.9.8-fips stable branch
2007-12-16 23:32:10 +00:00
can be used. It has the CVS tag OpenSSL-fips-0_9_8-stable daily snaphots can
also be downloaded as:
ftp://ftp.openssl.org/snapshot/openssl-0.9.8-fips-test-SNAP-YYMMDD.tar.gz
2007-12-16 18:02:17 +00:00
For a Unix build the standrd build procedure is followed and the option "fips"
is passed to either the config or Configure scripts. The fipscanisterbuild
option MUST NOT be used. Any other options may be included. Static libraries
can be built using the no-shared option.
For example:
./config fips
./config fips no-shared
For Windows builds the options "fips" and --with-fipslibdir=<path> are passed
2007-12-16 23:32:10 +00:00
to the Configure script where <path> is wherever the module was installed
2007-12-16 18:02:17 +00:00
For example:
perl Configure fips --with-fipslibdir=C:\some\path\fips
Then the build process continues in the normal way for example:
ms\do_nasm
nmake -f ms\ntdll.mak
for DLLs or
ms\do_nasm
nmake -f ms\nt.mak
for static builds.
3. Test new version of OpenSSL.
The new test FIPS enabled OpenSSL can now be tested in the usual way.
Additionally binary compatibility tests against OpenSSL 0.9.8x would be
MOST welcomed. This will help avoid any major issues when the 0.9.8-fips
branch is merged into 0.9.8 branch.
2007-03-22 00:39:24 +00:00
2007-12-16 18:02:17 +00:00
Any problems should be reported to the openssl-dev mailing list.
2007-03-22 00:39:24 +00:00