123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172 |
- # Notes on the wolfssl-fips project
- First, if you did not get the FIPS files with your archive, you must contact
- wolfSSL to obtain them.
- The IDE/WIN10/wolfssl-fips.sln solution is for the FIPS v2 #3389 certificate or later.
- # Building the wolfssl-fips project
- The wolfCrypt FIPS library for Windows is a part of the wolfSSL library. It
- must be built as a static library, for the moment.
- The library project is built with Whole Program Optimization disabled. This is
- required so that necessary components of the library are not optimized away.
- There are two functions added to the library that are used as markers in
- memory for the in-core memory check of the code. WPO consolidates them into a
- single function. WPO also optimizes away the automatic FIPS entry function.
- Each of the source files inside the FIPS boundary defines their own code and
- constant section. The code section names start with ".fipsA$" and the constant
- section names start with ".fipsB$". Each subsection has a letter to organize
- them in a specific order. This specific ordering puts marker functions and
- constants on either end of the boundary so it can be hashed.
- # In Core Memory Test
- The In Core Memory test calculates a checksum (HMAC-SHA256) of the wolfCrypt
- FIPS library code and constant data and compares it with a known value in
- the code.
- The Randomized Base Address setting needs to be disabled on the 32-bit builds
- but can be enabled on the 64-bit builds. In the 32-bit mode the addresses
- being different throws off the in-core memory calculation. It looks like in
- 64-bit mode the library uses all offsets, so the core hash calculation
- is the same every time.
- The "verifyCore" check value in the source fips_test.c needs to be updated when
- building the code. The POS performs this check and the default failure callback
- will print out the calculated checksum. When developing your code, copy this
- value and paste it back into your code in the verifyCore initializer then
- rebuild the code. When statically linking, you may have to recalculate your
- check value when changing your application.
- # Build Options
- The default build options should be the proper default set of options:
- * HAVE_FIPS
- * HAVE_FIPS_VERSION=2 (or 3 with WOLFSSL_FIPS_READY)
- * HAVE_THREAD_LS
- * HAVE_AESGCM
- * HAVE_HASHDRBG
- * WOLFSSL_SHA384
- * WOLFSSL_SHA512
- * NO_HC128
- * NO_RC4
- * NO_RABBIT
- * NO_DSA
- * NO_MD4
- The "NO" options explicitly disable algorithms that are not allowed in
- FIPS mode.
- Additionally one may enable:
- * HAVE_ECC
- * OPENSSL_EXTRA
- * WOLFSSL_KEY_GEN
- These settings are defined in IDE/WIN10/user_settings.h.
|