README.txt 3.4 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485
  1. # Notes on the wolfssl-fips project
  2. First, if you did not get the FIPS files with your archive, you must contact
  3. wolfSSL to obtain them.
  4. The IDE/WIN/wolfssl-fips.sln solution is for the original FIPS #2425 certificate.
  5. See IDE/WIN10/wolfssl-fips.sln for the FIPS v2 #3389 or later Visual Studio solution.
  6. # Building the wolfssl-fips project
  7. The wolfCrypt FIPS library for Windows is a part of the wolfSSL library. It
  8. must be built as a static library, for the moment.
  9. The library project is built with Whole Program Optimization disabled. This is
  10. required so that necessary components of the library are not optimized away.
  11. There are two functions added to the library that are used as markers in
  12. memory for the in-core memory check of the code. WPO consolidates them into a
  13. single function. WPO also optimizes away the automatic FIPS entry function.
  14. Each of the source files inside the FIPS boundary defines their own code and
  15. constant section. The code section names start with ".fipsA$" and the constant
  16. section names start with ".fipsB$". Each subsection has a letter to organize
  17. them in a specific order. This specific ordering puts marker functions and
  18. constants on either end of the boundary so it can be hashed.
  19. # In Core Memory Test
  20. The In Core Memory test calculates a checksum (HMAC-SHA256) of the wolfCrypt
  21. FIPS library code and constant data and compares it with a known value in
  22. the code.
  23. The following wolfCrypt FIPS project linker settings are required for the DLL Win32 configuration:
  24. 1) The [Randomized Base Address setting (ASLR)](https://learn.microsoft.com/en-us/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=msvc-170)
  25. needs to be disabled on all builds as the feature throws off the in-core memory calculation causing the test to fail.
  26. 2) The [Incremental Link](https://learn.microsoft.com/en-us/cpp/build/reference/incremental-link-incrementally?view=msvc-170)
  27. option need turned off so function pointers go to actual code, not a jump instruction.
  28. 3) The [FixedBaseAddress](https://learn.microsoft.com/en-us/cpp/build/reference/fixed-fixed-base-address?view=msvc-170)
  29. option to YES, which disables the support for ASLR.
  30. The "verifyCore" check value in the source fips_test.c needs to be updated when
  31. building the code. The POS performs this check and the default failure callback
  32. will print out the calculated checksum. When developing your code, copy this
  33. value and paste it back into your code in the verifyCore initializer then
  34. rebuild the code. When statically linking, you may have to recalculate your
  35. check value when changing your application.
  36. # Build Options
  37. The default build options should be the proper default set of options:
  38. * HAVE_FIPS
  39. * HAVE_THREAD_LS
  40. * HAVE_AESGCM
  41. * HAVE_HASHDRBG
  42. * WOLFSSL_SHA384
  43. * WOLFSSL_SHA512
  44. * NO_RC4
  45. * NO_DSA
  46. * NO_MD4
  47. The "NO" options explicitly disable algorithms that are not allowed in
  48. FIPS mode.
  49. Additionally one may enable:
  50. * HAVE_ECC
  51. * OPENSSL_EXTRA
  52. * WOLFSSL_KEY_GEN
  53. These settings are defined in IDE/WIN/user_settings.h.
  54. # Notes on enabling DTLS including DTLS version 1.3
  55. The file IDE/WIN/user_settings_dtls.h contains the needed build options for
  56. enabling DTLS and DTLS version 1.3.
  57. To incorporate the build options:
  58. * Rename IDE/WIN/user_settings.h to IDE/WIN/user_settings.h.bak
  59. * Rename IDE/WIN/user_settings_dtls.h to IDE/WIN/user_settings.h
  60. Alternatively, copy the DTLS labeled section from IDE/WIN/user_settings_dtls.h
  61. in to IDE/WIN/user_settings.h.