57 lines
1.5 KiB
Text
57 lines
1.5 KiB
Text
Preliminary status and build information for FIPS module v2.0
|
|
|
|
To build the module do:
|
|
|
|
./config fipscanisterbuild
|
|
make
|
|
|
|
Build should complete without errors.
|
|
|
|
Run test suite:
|
|
|
|
test/fips_test_suite
|
|
|
|
again should complete without errors.
|
|
|
|
Run test vectors:
|
|
|
|
1. Download an appropriate set of testvectors from www.openssl.org/docs/fips
|
|
those for 2007 are OK.
|
|
|
|
2. Extract the files to a suitable directory.
|
|
|
|
3. Run the test vector perl script, for example:
|
|
|
|
cd fips
|
|
perl fipsalgtest.pl --dir=/wherever/stuff/was/extracted
|
|
|
|
4. It should say "passed all tests" at the end. Report full details of any
|
|
failures.
|
|
|
|
Run symbol hiding test:
|
|
|
|
./config fipscanisteronly -DOPENSSL_FIPSSYMS
|
|
make
|
|
|
|
This time only the fips utilities should be built.
|
|
|
|
Examine the external symbols in fips/fipscanister.o they should all begin
|
|
with FIPS or fips. One way to check with GNU nm is:
|
|
|
|
nm -g --defined-only fips/fipscanister.o | grep -v -i fips
|
|
|
|
Known issues:
|
|
|
|
Algorithm tests are pre-2011.
|
|
The fipslagtest.pl script wont auto run new algorithm tests such as DSA2.
|
|
Usage of ECDH/DH needs review and whether any KDFs need to be implemented.
|
|
Selftests need updating with larger key sizes in some cases and redundant
|
|
tests pruned.
|
|
SP800-90 DRBG needs more work: check for compliance, continuous PRNG test
|
|
when entropy gathering, periodic health tests.
|
|
Some algorithms need to check security strength of PRNG: keygen etc.
|
|
No CCM.
|
|
No XTS.
|
|
The "FIPS capable OpenSSL" is not yet complete: meaning that the rest of
|
|
OpenSSL doesn't always use the correct FIPS module APIs and block others
|
|
in FIPS mode.
|