README.txt 2.4 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970
  1. # Notes on the wolfssl-fips project
  2. First, if you did not get the FIPS files with your archive, you must contact
  3. wolfSSL to obtain them.
  4. # Building the wolfssl-fips project
  5. The wolfCrypt FIPS library for Windows is a part of the wolfSSL library. It
  6. must be built as a static library, for the moment.
  7. The library project is built with Whole Program Optimization disabled. This is
  8. required so that necessary components of the library are not optimized away.
  9. There are two functions added to the library that are used as markers in
  10. memory for the in-core memory check of the code. WPO consolidates them into a
  11. single function. WPO also optimizes away the automatic FIPS entry function.
  12. Each of the source files inside the FIPS boundary defines their own code and
  13. constant section. The code section names start with ".fipsA$" and the constant
  14. section names start with ".fipsB$". Each subsection has a letter to organize
  15. them in a specific order. This specific ordering puts marker functions and
  16. constants on either end of the boundary so it can be hashed.
  17. # In Core Memory Test
  18. The In Core Memory test calculates a checksum (HMAC-SHA256) of the wolfCrypt
  19. FIPS library code and constant data and compares it with a known value in
  20. the code.
  21. The Randomized Base Address setting needs to be disabled on the 32-bit builds
  22. but can be enabled on the 64-bit builds. In the 32-bit mode the addresses
  23. being different throws off the in-core memory calculation. It looks like in
  24. 64-bit mode the library uses all offsets, so the core hash calculation
  25. is the same every time.
  26. The "verifyCore" check value in the source fips_test.c needs to be updated when
  27. building the code. The POS performs this check and the default failure callback
  28. will print out the calculated checksum. When developing your code, copy this
  29. value and paste it back into your code in the verifyCore initializer then
  30. rebuild the code. When statically linking, you may have to recalculate your
  31. check value when changing your application.
  32. # Build Options
  33. The default build options should be the proper default set of options:
  34. * HAVE_FIPS
  35. * HAVE_THREAD_LS
  36. * HAVE_AESGCM
  37. * HAVE_HASHDRBG
  38. * WOLFSSL_SHA384
  39. * WOLFSSL_SHA512
  40. * NO_HC128
  41. * NO_RC4
  42. * NO_RABBIT
  43. * NO_DSA
  44. * NO_MD4
  45. The "NO" options explicitly disable algorithms that are not allowed in
  46. FIPS mode.
  47. Additionally one may enable:
  48. * HAVE_ECC
  49. * OPENSSL_EXTRA
  50. * WOLFSSL_KEY_GEN
  51. These settings are defined in IDE/WIN/user_settings.h.