README.txt 3.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118
  1. # Notes on the wolfssl-fips project
  2. First, if you did not get the FIPS files with your archive, you must contact
  3. wolfSSL to obtain them.
  4. The IDE/WIN10/wolfssl-fips.sln solution is for the FIPS 140-3 certificate or later.
  5. # Building the wolfssl-fips project
  6. The wolfCrypt FIPS library for Windows is a part of the wolfSSL library. It
  7. must be built as a static library, for the moment.
  8. The library project is built with Whole Program Optimization disabled. This is
  9. required so that necessary components of the library are not optimized away.
  10. There are two functions added to the library that are used as markers in
  11. memory for the in-core memory check of the code. WPO consolidates them into a
  12. single function. WPO also optimizes away the automatic FIPS entry function.
  13. Each of the source files inside the FIPS boundary defines their own code and
  14. constant section. The code section names start with ".fipsA$" and the constant
  15. section names start with ".fipsB$". Each subsection has a letter to organize
  16. them in a specific order. This specific ordering puts marker functions and
  17. constants on either end of the boundary so it can be hashed.
  18. # In Core Memory Test
  19. The In Core Memory test calculates a checksum (HMAC-SHA256) of the wolfCrypt
  20. FIPS library code and constant data and compares it with a known value in
  21. the code.
  22. The following wolfCrypt FIPS project linker settings are required for the DLL Win32 configuration:
  23. 1) The [Randomized Base Address setting (ASLR)](https://learn.microsoft.com/en-us/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=msvc-170)
  24. needs to be disabled on all builds as the feature throws off the in-core memory calculation causing the test to fail.
  25. 2) The [Incremental Link](https://learn.microsoft.com/en-us/cpp/build/reference/incremental-link-incrementally?view=msvc-170)
  26. option need turned off so function pointers go to actual code, not a jump instruction.
  27. 3) The [FixedBaseAddress](https://learn.microsoft.com/en-us/cpp/build/reference/fixed-fixed-base-address?view=msvc-170)
  28. option to YES, which disables the support for ASLR.
  29. The "verifyCore" check value in the source fips_test.c needs to be updated when
  30. building the code. The POS performs this check and the default failure callback
  31. will print out the calculated checksum. When developing your code, copy this
  32. value and paste it back into your code in the verifyCore initializer then
  33. rebuild the code. When statically linking, you may have to recalculate your
  34. check value when changing your application.
  35. # Build Options
  36. The default build options should be the proper default set of options:
  37. * HAVE_FIPS
  38. * HAVE_FIPS_VERSION=5
  39. * HAVE_FIPS_VERSION_MINOR=1 (Also for FIPS Ready)
  40. * HAVE_THREAD_LS
  41. * WOLFSSL_KEY_GEN
  42. * HAVE_AESGCM
  43. * HAVE_HASHDRBG
  44. * WOLFSSL_SHA384
  45. * WOLFSSL_SHA512
  46. * NO_PSK
  47. * NO_RC4
  48. * NO_DSA
  49. * NO_MD4
  50. * WOLFSSL_SHA224
  51. * WOLFSSL_SHA3
  52. * WC_RSA_PSS
  53. * WC_RSA_NO_PADDING
  54. * HAVE_ECC
  55. * ECC_SHAMIR
  56. * HAVE_ECC_CDH
  57. * ECC_TIMING_RESISTANT
  58. * TFM_TIMING_RESISTANT
  59. * WOLFSSL_AES_COUNTER
  60. * WOLFSSL_AES_DIRECT
  61. * HAVE_AES_ECB
  62. * HAVE_AESCCM
  63. * WOLFSSL_CMAC
  64. * HAVE_HKDF
  65. * WOLFSSL_VALIDATE_ECC_IMPORT
  66. * WOLFSSL_VALIDATE_FFC_IMPORT
  67. * HAVE_FFDHE_Q
  68. * NO_DES
  69. * NO_DES3
  70. * NO_MD5
  71. * NO_OLD_TLS
  72. * WOLFSSL_TLS13
  73. * HAVE_TLS_EXTENSIONS
  74. * HAVE_SUPPORTED_CURVES
  75. * GCM_TABLE_4BIT
  76. * WOLFSSL_NO_SHAKE256
  77. * WOLFSSL_VALIDATE_ECC_KEYGEN
  78. * WOLFSSL_ECDSA_SET_K
  79. * WOLFSSL_WOLFSSH
  80. * WOLFSSL_PUBLIC_MP
  81. * WC_RNG_SEED_CB
  82. * TFM_ECC256
  83. * ECC_USER_CURVES
  84. * HAVE_ECC192
  85. * HAVE_ECC224
  86. * HAVE_ECC256
  87. * HAVE_ECC384
  88. * HAVE_ECC521
  89. * HAVE_FFDHE_2048
  90. * HAVE_FFDHE_3072
  91. * HAVE_FFDHE_4096
  92. * HAVE_FFDHE_6144
  93. * HAVE_FFDHE_8192
  94. * FP_MAX_BITS 16384
  95. The "NO" options explicitly disable algorithms that are not allowed in
  96. FIPS mode.
  97. Additionally one may enable:
  98. * WOLFSSL_AESNI
  99. * OPENSSL_EXTRA
  100. These settings are defined in IDE/WIN10/user_settings.h.