openssl/README.FIPS

Preliminary status and build information for FIPS module v2.0

To build the module do:

./config fipscanisterbuild
make

Build should complete without errors.

Run test suite:

test/fips_test_suite

again should complete without errors.

Run test vectors: 

1. Download an appropriate set of testvectors from www.openssl.org/docs/fips
   those for 2007 are OK.

2. Extract the files to a suitable directory.

3. Run the test vector perl script, for example:

   cd fips
   perl fipsalgtest.pl --dir=/wherever/stuff/was/extracted

4. It should say "passed all tests" at the end. Report full details of any
   failures.

Run symbol hiding test:

./config fipscanisteronly -DOPENSSL_FIPSSYMS
make

This time only the fips utilities should be built.

Examine the external symbols in fips/fipscanister.o they should all begin
with FIPS or fips. One way to check with GNU nm is:

nm -g --defined-only fips/fipscanister.o | grep -v -i fips

Known issues:

Algorithm tests are pre-2011.
The fipslagtest.pl script wont auto run new algorithm tests such as DSA2.
Usage of ECDH/DH needs review and whether any KDFs need to be implemented.
Selftests need updating with larger key sizes in some cases and redundant
tests pruned.
SP800-90 DRBG needs more work: check for compliance, continuous PRNG test
when entropy gathering, periodic health tests.
Some algorithms need to check security strength of PRNG: keygen etc.
No CCM.
No XTS.
The "FIPS capable OpenSSL" is not yet complete: meaning that the rest of
OpenSSL doesn't always use the correct FIPS module APIs and block others
in FIPS mode.
Add preliminary FIPS information. 2011-01-29 17:05:25 +00:00			`Preliminary status and build information for FIPS module v2.0`

			`To build the module do:`

			`./config fipscanisterbuild`
			`make`

			`Build should complete without errors.`

			`Run test suite:`

			`test/fips_test_suite`

			`again should complete without errors.`

update README.FIPS 2011-02-01 17:14:07 +00:00			`Run test vectors:`

			`1. Download an appropriate set of testvectors from www.openssl.org/docs/fips`
			`those for 2007 are OK.`

			`2. Extract the files to a suitable directory.`

			`3. Run the test vector perl script, for example:`

			`cd fips`
			`perl fipsalgtest.pl --dir=/wherever/stuff/was/extracted`

			`4. It should say "passed all tests" at the end. Report full details of any`
			`failures.`

Update status information. 2011-02-23 16:06:50 +00:00			`Run symbol hiding test:`

			`./config fipscanisteronly -DOPENSSL_FIPSSYMS`
			`make`

			`This time only the fips utilities should be built.`

			`Examine the external symbols in fips/fipscanister.o they should all begin`
			`with FIPS or fips. One way to check with GNU nm is:`

			`nm -g --defined-only fips/fipscanister.o \| grep -v -i fips`
Add preliminary FIPS information. 2011-01-29 17:05:25 +00:00
			`Known issues:`

			`Algorithm tests are pre-2011.`
Update status information. 2011-02-23 16:06:50 +00:00			`The fipslagtest.pl script wont auto run new algorithm tests such as DSA2.`
updated FIPS status 2011-04-06 13:40:36 +00:00			`Usage of ECDH/DH needs review and whether any KDFs need to be implemented.`
Update status information. 2011-02-23 16:06:50 +00:00			`Selftests need updating with larger key sizes in some cases and redundant`
			`tests pruned.`
updated FIPS status 2011-04-06 13:40:36 +00:00			`SP800-90 DRBG needs more work: check for compliance, continuous PRNG test`
			`when entropy gathering, periodic health tests.`
			`Some algorithms need to check security strength of PRNG: keygen etc.`
Update status information. 2011-02-23 16:06:50 +00:00			`No CCM.`
updated FIPS status 2011-04-06 13:40:36 +00:00			`No XTS.`
			`The "FIPS capable OpenSSL" is not yet complete: meaning that the rest of`
			`OpenSSL doesn't always use the correct FIPS module APIs and block others`
			`in FIPS mode.`