Home Explore Help
Sign In
RISCI_ATOM
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Files Issues 14 Wiki
Tree: 5182e2a8c8
Branches Tags
wolfssl
/
IDE
/
WIN
/
README.txt

README.txt 2.6 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172 
  1. # Notes on the wolfssl-fips project
    2. 

  2. 

  3. First, if you did not get the FIPS files with your archive, you must contact
    4. 

  4. wolfSSL to obtain them.
    5. 

  5. 

  6. The IDE/WIN/wolfssl-fips.sln solution is for the original FIPS #2425 certificate. 
    7. 

  7. See IDE/WIN10/wolfssl-fips.sln for the FIPS v2 #3389 or later Visual Studio solution.
    8. 

  8. 

  9. # Building the wolfssl-fips project
    10. 

  10. 

  11. The wolfCrypt FIPS library for Windows is a part of the wolfSSL library. It
    12. 

  12. must be built as a static library, for the moment.
    13. 

  13. 

  14. The library project is built with Whole Program Optimization disabled. This is
    15. 

  15. required so that necessary components of the library are not optimized away.
    16. 

  16. There are two functions added to the library that are used as markers in
    17. 

  17. memory for the in-core memory check of the code. WPO consolidates them into a
    18. 

  18. single function. WPO also optimizes away the automatic FIPS entry function.
    19. 

  19. 

  20. Each of the source files inside the FIPS boundary defines their own code and
    21. 

  21. constant section. The code section names start with ".fipsA$" and the constant
    22. 

  22. section names start with ".fipsB$". Each subsection has a letter to organize
    23. 

  23. them in a specific order. This specific ordering puts marker functions and
    24. 

  24. constants on either end of the boundary so it can be hashed.
    25. 

  25. 

  26. 

  27. # In Core Memory Test
    28. 

  28. 

  29. The In Core Memory test calculates a checksum (HMAC-SHA256) of the wolfCrypt
    30. 

  30. FIPS library code and constant data and compares it with a known value in
    31. 

  31. the code.
    32. 

  32. 

  33. The Randomized Base Address setting needs to be disabled on the 32-bit builds
    34. 

  34. but can be enabled on the 64-bit builds. In the 32-bit mode the addresses
    35. 

  35. being different throws off the in-core memory calculation. It looks like in
    36. 

  36. 64-bit mode the library uses all offsets, so the core hash calculation
    37. 

  37. is the same every time.
    38. 

  38. 

  39. The "verifyCore" check value in the source fips_test.c needs to be updated when
    40. 

  40. building the code. The POS performs this check and the default failure callback
    41. 

  41. will print out the calculated checksum. When developing your code, copy this
    42. 

  42. value and paste it back into your code in the verifyCore initializer then
    43. 

  43. rebuild the code. When statically linking, you may have to recalculate your
    44. 

  44. check value when changing your application.
    45. 

  45. 

  46. 

  47. # Build Options
    48. 

  48. 

  49. The default build options should be the proper default set of options:
    50. 

  50. 

  51.  * HAVE_FIPS
    52. 

  52.  * HAVE_THREAD_LS
    53. 

  53.  * HAVE_AESGCM
    54. 

  54.  * HAVE_HASHDRBG
    55. 

  55.  * WOLFSSL_SHA384
    56. 

  56.  * WOLFSSL_SHA512
    57. 

  57.  * NO_HC128
    58. 

  58.  * NO_RC4
    59. 

  59.  * NO_RABBIT
    60. 

  60.  * NO_DSA
    61. 

  61.  * NO_MD4
    62. 

  62. 

  63. The "NO" options explicitly disable algorithms that are not allowed in
    64. 

  64. FIPS mode.
    65. 

  65. 

  66. Additionally one may enable:
    67. 

  67. 

  68.  * HAVE_ECC
    69. 

  69.  * OPENSSL_EXTRA
    70. 

  70.  * WOLFSSL_KEY_GEN
    71. 

  71. 

  72. These settings are defined in IDE/WIN/user_settings.h.
    73.