openssl/README.FIPS

Preliminary status and build information for FIPS module v2.0

If you have any object files from a previous build do:

make clean

To build the module do:

./config fipscanisterbuild
make

Build should complete without errors.

Run test suite:

test/fips_test_suite

again should complete without errors.

Run test vectors: 

1. Download an appropriate set of testvectors from www.openssl.org/docs/fips
   those for 2007 are OK.

2. Extract the files to a suitable directory.

3. Run the test vector perl script, for example:

   cd fips
   perl fipsalgtest.pl --dir=/wherever/stuff/was/extracted

4. It should say "passed all tests" at the end. Report full details of any
   failures.

Run:

make clean

to remove any object modules from previous compile.

Run symbol hiding test:

./config fipscanisteronly -DOPENSSL_FIPSSYMS
make

This time only the fips utilities should be built.

Examine the external symbols in fips/fipscanister.o they should all begin
with FIPS or fips. One way to check with GNU nm is:

nm -g --defined-only fips/fipscanister.o | grep -v -i fips

Restricted tarball tests.

The validated module will have its own tarball containing sufficient code to
build fipscanister.o and the associated algorithm tests. You can create a
similar tarball yourself for testing purposes using the commands below.

Standard restricted tarball:

make -f Makefile.fips dist

Prime field field only ECC tarball:

make NOEC2M=1 -f Makefile.fips dist

Once you've created the tarball extract into a fresh directory and do:

./config
make

You can then run the algorithm tests as above. This build automatically uses
fipscanisteronly and -DOPENSSL_FIPSYMS and no-ec2m as appropriate.

Known issues:

Algorithm tests are pre-2011.
The fipslagtest.pl script wont auto run new algorithm tests such as DSA2.
Usage of ECDH/DH needs review and whether any KDFs need to be implemented.
Selftests need updating with larger key sizes in some cases and redundant
tests pruned.
SP800-90 DRBG needs more work: check for compliance, continuous PRNG test
when entropy gathering, periodic health tests.
Some algorithms need to check security strength of PRNG: keygen etc.
No CCM.
No XTS.
The "FIPS capable OpenSSL" is not yet complete: meaning that the rest of
OpenSSL doesn't always use the correct FIPS module APIs and block others
in FIPS mode.
Add preliminary FIPS information. 2011-01-29 17:05:25 +00:00			`Preliminary status and build information for FIPS module v2.0`

Clarification. 2011-04-24 11:38:22 +00:00			`If you have any object files from a previous build do:`

			`make clean`

Add preliminary FIPS information. 2011-01-29 17:05:25 +00:00			`To build the module do:`

			`./config fipscanisterbuild`
			`make`

			`Build should complete without errors.`

			`Run test suite:`

			`test/fips_test_suite`

			`again should complete without errors.`

update README.FIPS 2011-02-01 17:14:07 +00:00			`Run test vectors:`

			`1. Download an appropriate set of testvectors from www.openssl.org/docs/fips`
			`those for 2007 are OK.`

			`2. Extract the files to a suitable directory.`

			`3. Run the test vector perl script, for example:`

			`cd fips`
			`perl fipsalgtest.pl --dir=/wherever/stuff/was/extracted`

			`4. It should say "passed all tests" at the end. Report full details of any`
			`failures.`

Clarify README.FIPS. 2011-04-10 16:23:31 +00:00			`Run:`

			`make clean`

			`to remove any object modules from previous compile.`

Update status information. 2011-02-23 16:06:50 +00:00			`Run symbol hiding test:`

			`./config fipscanisteronly -DOPENSSL_FIPSSYMS`
			`make`

			`This time only the fips utilities should be built.`

			`Examine the external symbols in fips/fipscanister.o they should all begin`
			`with FIPS or fips. One way to check with GNU nm is:`

			`nm -g --defined-only fips/fipscanister.o \| grep -v -i fips`
Add preliminary FIPS information. 2011-01-29 17:05:25 +00:00
Don't give dependency warning for fips builds. Give error for "make depend" in restricted tarball builds. Document how restricted tarballs work. 2011-04-11 00:22:42 +00:00			`Restricted tarball tests.`

			`The validated module will have its own tarball containing sufficient code to`
			`build fipscanister.o and the associated algorithm tests. You can create a`
			`similar tarball yourself for testing purposes using the commands below.`

			`Standard restricted tarball:`

			`make -f Makefile.fips dist`

			`Prime field field only ECC tarball:`

			`make NOEC2M=1 -f Makefile.fips dist`

			`Once you've created the tarball extract into a fresh directory and do:`

			`./config`
			`make`

			`You can then run the algorithm tests as above. This build automatically uses`
			`fipscanisteronly and -DOPENSSL_FIPSYMS and no-ec2m as appropriate.`

Add preliminary FIPS information. 2011-01-29 17:05:25 +00:00			`Known issues:`

			`Algorithm tests are pre-2011.`
Update status information. 2011-02-23 16:06:50 +00:00			`The fipslagtest.pl script wont auto run new algorithm tests such as DSA2.`
updated FIPS status 2011-04-06 13:40:36 +00:00			`Usage of ECDH/DH needs review and whether any KDFs need to be implemented.`
Update status information. 2011-02-23 16:06:50 +00:00			`Selftests need updating with larger key sizes in some cases and redundant`
			`tests pruned.`
updated FIPS status 2011-04-06 13:40:36 +00:00			`SP800-90 DRBG needs more work: check for compliance, continuous PRNG test`
			`when entropy gathering, periodic health tests.`
			`Some algorithms need to check security strength of PRNG: keygen etc.`
Update status information. 2011-02-23 16:06:50 +00:00			`No CCM.`
updated FIPS status 2011-04-06 13:40:36 +00:00			`No XTS.`
			`The "FIPS capable OpenSSL" is not yet complete: meaning that the rest of`
			`OpenSSL doesn't always use the correct FIPS module APIs and block others`
			`in FIPS mode.`