123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125 |
- Preliminary status and build information for FIPS module v2.0
- NB: if you are cross compiling you now need to use the latest "incore" script
- this can be found at util/incore in the tarballs.
- If you have any object files from a previous build do:
- make clean
- To build the module do:
- ./config fipscanisterbuild
- make
- Build should complete without errors.
- Run test suite:
- test/fips_test_suite
- again should complete without errors.
- Run test vectors:
- 1. Download an appropriate set of testvectors from www.openssl.org/docs/fips
- those for 2007 are OK.
- 2. Extract the files to a suitable directory.
- 3. Run the test vector perl script, for example:
- cd fips
- perl fipsalgtest.pl --dir=/wherever/stuff/was/extracted
- 4. It should say "passed all tests" at the end. Report full details of any
- failures.
- Examine the external symbols in fips/fipscanister.o they should all begin
- with FIPS or fips. One way to check with GNU nm is:
- nm -g --defined-only fips/fipscanister.o | grep -v -i fips
- If you get *any* output at all from this test (i.e. symbols not starting with
- fips or FIPS) please report it.
- Restricted tarball tests.
- The validated module will have its own tarball containing sufficient code to
- build fipscanister.o and the associated algorithm tests. You can create a
- similar tarball yourself for testing purposes using the commands below.
- Standard restricted tarball:
- make -f Makefile.fips dist
- Prime field field only ECC tarball:
- make NOEC2M=1 -f Makefile.fips dist
- Once you've created the tarball extract into a fresh directory and do:
- ./config
- make
- You can then run the algorithm tests as above. This build automatically uses
- fipscanisterbuild and no-ec2m as appropriate.
- FIPS capable OpenSSL test: WARNING PRELIMINARY INSTRUCTIONS, SUBJECT TO CHANGE.
- At least initially the test module and FIPS capable OpenSSL may change and
- by out of sync. You are advised to check for any changes and pull the latest
- source from CVS if you have problems. See anon CVS and rsync instructions at:
- http://www.openssl.org/source/repos.html
- Make or download a restricted tarball from ftp://ftp.openssl.org/snapshot/
- If required set the environment variable FIPSDIR to an appropriate location
- to install the test module. If cross compiling set other environment
- variables too.
- In this restricted tarball on a Linux or U*ix like system run:
- ./config
- make
- make install
- On Windows from a VC++ environment do:
- ms\do_fips
- This will build and install the test module and some associated files.
- Now download the latest version of the OpenSSL 1.0.1 branch from either a
- snapshot or preferably CVS. For Linux do:
- ./config fips [other args]
- make
- For Windows:
- perl Configure VC-WIN32 fips [other args]
- ms\do_nasm
- nmake -f ms\ntdll.mak
- (or ms\nt.mak for a static build).
- Where [other args] can be any other arguments you use for an OpenSSL build
- such as "shared" or "zlib".
- This will build the fips capable OpenSSL and link it to the test module. You
- can now try linking and testing applications against the FIPS capable OpenSSL.
- Please report any problems to either the openssl-dev mailing list or directly
- to me steve@openssl.org . Check the mailing lists regularly to avoid duplicate
- reports.
- Known issues:
- Algorithm tests are pre-2011.
- The fipslagtest.pl script wont auto run new algorithm tests such as DSA2.
- Code needs extensively reviewing to ensure it builds correctly on
- supported platforms and is compliant with FIPS 140-2.
- The "FIPS capable OpenSSL" is still largely untested, it builds and runs
- some simple tests OK on some systems but needs far more "real world" testing.
|