ce02589259
build options. All fispcanisterbuild builds only build fipscanister.o and include symbol renaming. Move all renamed symbols to fipssyms.h Update README.FIPS
125 lines
3.5 KiB
Text
125 lines
3.5 KiB
Text
Preliminary status and build information for FIPS module v2.0
|
|
|
|
NB: if you are cross compiling you now need to use the latest "incore2" script
|
|
from http://www.openssl.org/docs/fips/incore2
|
|
|
|
If you have any object files from a previous build do:
|
|
|
|
make clean
|
|
|
|
To build the module do:
|
|
|
|
./config fipscanisterbuild
|
|
make
|
|
|
|
Build should complete without errors.
|
|
|
|
Run test suite:
|
|
|
|
test/fips_test_suite
|
|
|
|
again should complete without errors.
|
|
|
|
Run test vectors:
|
|
|
|
1. Download an appropriate set of testvectors from www.openssl.org/docs/fips
|
|
those for 2007 are OK.
|
|
|
|
2. Extract the files to a suitable directory.
|
|
|
|
3. Run the test vector perl script, for example:
|
|
|
|
cd fips
|
|
perl fipsalgtest.pl --dir=/wherever/stuff/was/extracted
|
|
|
|
4. It should say "passed all tests" at the end. Report full details of any
|
|
failures.
|
|
|
|
Examine the external symbols in fips/fipscanister.o they should all begin
|
|
with FIPS or fips. One way to check with GNU nm is:
|
|
|
|
nm -g --defined-only fips/fipscanister.o | grep -v -i fips
|
|
|
|
If you get *any* output at all from this test (i.e. symbols not starting with
|
|
fips or FIPS) please report it.
|
|
|
|
Restricted tarball tests.
|
|
|
|
The validated module will have its own tarball containing sufficient code to
|
|
build fipscanister.o and the associated algorithm tests. You can create a
|
|
similar tarball yourself for testing purposes using the commands below.
|
|
|
|
Standard restricted tarball:
|
|
|
|
make -f Makefile.fips dist
|
|
|
|
Prime field field only ECC tarball:
|
|
|
|
make NOEC2M=1 -f Makefile.fips dist
|
|
|
|
Once you've created the tarball extract into a fresh directory and do:
|
|
|
|
./config
|
|
make
|
|
|
|
You can then run the algorithm tests as above. This build automatically uses
|
|
fipscanisterbuild and no-ec2m as appropriate.
|
|
|
|
FIPS capable OpenSSL test: WARNING PRELIMINARY INSTRUCTIONS, SUBJECT TO CHANGE.
|
|
|
|
At least initially the test module and FIPS capable OpenSSL may change and
|
|
by out of sync. You are advised to check for any changes and pull the latest
|
|
source from CVS if you have problems. See anon CVS and rsync instructions at:
|
|
|
|
http://www.openssl.org/source/repos.html
|
|
|
|
Make or download a restricted tarball from ftp://ftp.openssl.org/snapshot/
|
|
|
|
If required set the environment variable FIPSDIR to an appropriate location
|
|
to install the test module. If cross compiling set other environment
|
|
variables too.
|
|
|
|
In this restricted tarball on a Linux or U*ix like system run:
|
|
|
|
./config
|
|
make
|
|
make install
|
|
|
|
On Windows from a VC++ environment do:
|
|
|
|
ms\do_fips
|
|
|
|
This will build and install the test module and some associated files.
|
|
|
|
Now download the latest version of the OpenSSL 1.0.1 branch from either a
|
|
snapshot or preferably CVS. For Linux do:
|
|
|
|
./config fips [other args]
|
|
make
|
|
|
|
For Windows:
|
|
|
|
perl Configure VC-WIN32 fips [other args]
|
|
ms\do_nasm
|
|
nmake -f ms\ntdll.mak
|
|
|
|
(or ms\nt.mak for a static build).
|
|
|
|
Where [other args] can be any other arguments you use for an OpenSSL build
|
|
such as "shared" or "zlib".
|
|
|
|
This will build the fips capable OpenSSL and link it to the test module. You
|
|
can now try linking and testing applications against the FIPS capable OpenSSL.
|
|
|
|
Please report any problems to either the openssl-dev mailing list or directly
|
|
to me steve@openssl.org . Check the mailing lists regularly to avoid duplicate
|
|
reports.
|
|
|
|
Known issues:
|
|
|
|
Algorithm tests are pre-2011.
|
|
The fipslagtest.pl script wont auto run new algorithm tests such as DSA2.
|
|
Code needs extensively reviewing to ensure it builds correctly on
|
|
supported platforms and is compliant with FIPS 140-2.
|
|
The "FIPS capable OpenSSL" is still largely untested, it builds and runs
|
|
some simple tests OK on some systems but needs far more "real world" testing.
|