README.txt 3.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114
  1. # Notes on the wolfssl-fips project
  2. First, if you did not get the FIPS files with your archive, you must contact
  3. wolfSSL to obtain them.
  4. The IDE/WIN10/wolfssl-fips.sln solution is for the FIPS 140-3 certificate or later.
  5. # Building the wolfssl-fips project
  6. The wolfCrypt FIPS library for Windows is a part of the wolfSSL library. It
  7. must be built as a static library, for the moment.
  8. The library project is built with Whole Program Optimization disabled. This is
  9. required so that necessary components of the library are not optimized away.
  10. There are two functions added to the library that are used as markers in
  11. memory for the in-core memory check of the code. WPO consolidates them into a
  12. single function. WPO also optimizes away the automatic FIPS entry function.
  13. Each of the source files inside the FIPS boundary defines their own code and
  14. constant section. The code section names start with ".fipsA$" and the constant
  15. section names start with ".fipsB$". Each subsection has a letter to organize
  16. them in a specific order. This specific ordering puts marker functions and
  17. constants on either end of the boundary so it can be hashed.
  18. # In Core Memory Test
  19. The In Core Memory test calculates a checksum (HMAC-SHA256) of the wolfCrypt
  20. FIPS library code and constant data and compares it with a known value in
  21. the code.
  22. The Randomized Base Address setting needs to be disabled on all builds as the
  23. feature throws off the in-core memory calculation causing the test to fail.
  24. The "verifyCore" check value in the source fips_test.c needs to be updated when
  25. building the code. The POS performs this check and the default failure callback
  26. will print out the calculated checksum. When developing your code, copy this
  27. value and paste it back into your code in the verifyCore initializer then
  28. rebuild the code. When statically linking, you may have to recalculate your
  29. check value when changing your application.
  30. # Build Options
  31. The default build options should be the proper default set of options:
  32. * HAVE_FIPS
  33. * HAVE_FIPS_VERSION=5
  34. * HAVE_FIPS_VERSION_MINOR=1 (Also for FIPS Ready)
  35. * HAVE_THREAD_LS
  36. * WOLFSSL_KEY_GEN
  37. * HAVE_AESGCM
  38. * HAVE_HASHDRBG
  39. * WOLFSSL_SHA384
  40. * WOLFSSL_SHA512
  41. * NO_PSK
  42. * NO_RC4
  43. * NO_DSA
  44. * NO_MD4
  45. * WOLFSSL_SHA224
  46. * WOLFSSL_SHA3
  47. * WC_RSA_PSS
  48. * WC_RSA_NO_PADDING
  49. * HAVE_ECC
  50. * ECC_SHAMIR
  51. * HAVE_ECC_CDH
  52. * ECC_TIMING_RESISTANT
  53. * TFM_TIMING_RESISTANT
  54. * WOLFSSL_AES_COUNTER
  55. * WOLFSSL_AES_DIRECT
  56. * HAVE_AES_ECB
  57. * HAVE_AESCCM
  58. * WOLFSSL_CMAC
  59. * HAVE_HKDF
  60. * WOLFSSL_VALIDATE_ECC_IMPORT
  61. * WOLFSSL_VALIDATE_FFC_IMPORT
  62. * HAVE_FFDHE_Q
  63. * NO_DES
  64. * NO_DES3
  65. * NO_MD5
  66. * NO_OLD_TLS
  67. * WOLFSSL_TLS13
  68. * HAVE_TLS_EXTENSIONS
  69. * HAVE_SUPPORTED_CURVES
  70. * GCM_TABLE_4BIT
  71. * WOLFSSL_NO_SHAKE256
  72. * WOLFSSL_VALIDATE_ECC_KEYGEN
  73. * WOLFSSL_ECDSA_SET_K
  74. * WOLFSSL_WOLFSSH
  75. * WOLFSSL_PUBLIC_MP
  76. * WC_RNG_SEED_CB
  77. * TFM_ECC256
  78. * ECC_USER_CURVES
  79. * HAVE_ECC192
  80. * HAVE_ECC224
  81. * HAVE_ECC256
  82. * HAVE_ECC384
  83. * HAVE_ECC521
  84. * HAVE_FFDHE_2048
  85. * HAVE_FFDHE_3072
  86. * HAVE_FFDHE_4096
  87. * HAVE_FFDHE_6144
  88. * HAVE_FFDHE_8192
  89. * FP_MAX_BITS 16384
  90. The "NO" options explicitly disable algorithms that are not allowed in
  91. FIPS mode.
  92. Additionally one may enable:
  93. * WOLFSSL_AESNI
  94. * OPENSSL_EXTRA
  95. These settings are defined in IDE/WIN10/user_settings.h.