f9bf6314ea
Give error for "make depend" in restricted tarball builds. Document how restricted tarballs work.
85 lines
2.2 KiB
Text
85 lines
2.2 KiB
Text
Preliminary status and build information for FIPS module v2.0
|
|
|
|
To build the module do:
|
|
|
|
./config fipscanisterbuild
|
|
make
|
|
|
|
Build should complete without errors.
|
|
|
|
Run test suite:
|
|
|
|
test/fips_test_suite
|
|
|
|
again should complete without errors.
|
|
|
|
Run test vectors:
|
|
|
|
1. Download an appropriate set of testvectors from www.openssl.org/docs/fips
|
|
those for 2007 are OK.
|
|
|
|
2. Extract the files to a suitable directory.
|
|
|
|
3. Run the test vector perl script, for example:
|
|
|
|
cd fips
|
|
perl fipsalgtest.pl --dir=/wherever/stuff/was/extracted
|
|
|
|
4. It should say "passed all tests" at the end. Report full details of any
|
|
failures.
|
|
|
|
Run:
|
|
|
|
make clean
|
|
|
|
to remove any object modules from previous compile.
|
|
|
|
Run symbol hiding test:
|
|
|
|
./config fipscanisteronly -DOPENSSL_FIPSSYMS
|
|
make
|
|
|
|
This time only the fips utilities should be built.
|
|
|
|
Examine the external symbols in fips/fipscanister.o they should all begin
|
|
with FIPS or fips. One way to check with GNU nm is:
|
|
|
|
nm -g --defined-only fips/fipscanister.o | grep -v -i fips
|
|
|
|
Restricted tarball tests.
|
|
|
|
The validated module will have its own tarball containing sufficient code to
|
|
build fipscanister.o and the associated algorithm tests. You can create a
|
|
similar tarball yourself for testing purposes using the commands below.
|
|
|
|
Standard restricted tarball:
|
|
|
|
make -f Makefile.fips dist
|
|
|
|
Prime field field only ECC tarball:
|
|
|
|
make NOEC2M=1 -f Makefile.fips dist
|
|
|
|
Once you've created the tarball extract into a fresh directory and do:
|
|
|
|
./config
|
|
make
|
|
|
|
You can then run the algorithm tests as above. This build automatically uses
|
|
fipscanisteronly and -DOPENSSL_FIPSYMS and no-ec2m as appropriate.
|
|
|
|
Known issues:
|
|
|
|
Algorithm tests are pre-2011.
|
|
The fipslagtest.pl script wont auto run new algorithm tests such as DSA2.
|
|
Usage of ECDH/DH needs review and whether any KDFs need to be implemented.
|
|
Selftests need updating with larger key sizes in some cases and redundant
|
|
tests pruned.
|
|
SP800-90 DRBG needs more work: check for compliance, continuous PRNG test
|
|
when entropy gathering, periodic health tests.
|
|
Some algorithms need to check security strength of PRNG: keygen etc.
|
|
No CCM.
|
|
No XTS.
|
|
The "FIPS capable OpenSSL" is not yet complete: meaning that the rest of
|
|
OpenSSL doesn't always use the correct FIPS module APIs and block others
|
|
in FIPS mode.
|