Preliminary status and build information for FIPS module v2.0 NB: if you are cross compiling you now need to use the latest "incore2" script from http://www.openssl.org/docs/fips/incore2 If you have any object files from a previous build do: make clean To build the module do: ./config fipscanisterbuild make Build should complete without errors. Run test suite: test/fips_test_suite again should complete without errors. Run test vectors: 1. Download an appropriate set of testvectors from www.openssl.org/docs/fips those for 2007 are OK. 2. Extract the files to a suitable directory. 3. Run the test vector perl script, for example: cd fips perl fipsalgtest.pl --dir=/wherever/stuff/was/extracted 4. It should say "passed all tests" at the end. Report full details of any failures. Run: make clean to remove any object modules from previous compile. Run symbol hiding test: ./config fipscanisteronly -DOPENSSL_FIPSSYMS make This time only the fips utilities should be built. Examine the external symbols in fips/fipscanister.o they should all begin with FIPS or fips. One way to check with GNU nm is: nm -g --defined-only fips/fipscanister.o | grep -v -i fips Restricted tarball tests. The validated module will have its own tarball containing sufficient code to build fipscanister.o and the associated algorithm tests. You can create a similar tarball yourself for testing purposes using the commands below. Standard restricted tarball: make -f Makefile.fips dist Prime field field only ECC tarball: make NOEC2M=1 -f Makefile.fips dist Once you've created the tarball extract into a fresh directory and do: ./config make You can then run the algorithm tests as above. This build automatically uses fipscanisteronly and -DOPENSSL_FIPSYMS and no-ec2m as appropriate. Known issues: Algorithm tests are pre-2011. The fipslagtest.pl script wont auto run new algorithm tests such as DSA2. Code needs extensively reviewing to ensure it builds correctly on supported platforms and is compliant with FIPS 140-2. The "FIPS capable OpenSSL" is not yet complete: meaning that the rest of OpenSSL doesn't always use the correct FIPS module APIs and block others in FIPS mode.