Commit | Line | Data |
---|---|---|
44f54a13 DSH |
1 | Preliminary status and build information for FIPS module v2.0 |
2 | ||
4c1d92c5 | 3 | NB: if you are cross compiling you now need to use the latest "incore" script |
eea98320 | 4 | which can be found at util/incore in the tarballs. |
21a40da0 | 5 | |
c36ce81c DSH |
6 | If you have any object files from a previous build do: |
7 | ||
8 | make clean | |
9 | ||
44f54a13 DSH |
10 | To build the module do: |
11 | ||
ce01482e | 12 | ./config fipscanisteronly |
44f54a13 DSH |
13 | make |
14 | ||
15 | Build should complete without errors. | |
16 | ||
0a7fcce8 DSH |
17 | Build test utilities: |
18 | ||
19 | make build_tests | |
20 | ||
44f54a13 DSH |
21 | Run test suite: |
22 | ||
23 | test/fips_test_suite | |
24 | ||
25 | Again, this should complete without errors. | |
26 | ||
5eedacc9 DSH |
27 | Run test vectors: |
28 | ||
29 | 1. Download an appropriate set of testvectors from www.openssl.org/docs/fips | |
ce01482e | 30 | (only the fips-2.0 testvector files are usable for complete tests). |
5eedacc9 DSH |
31 | |
32 | 2. Extract the files to a suitable directory. | |
33 | ||
34 | 3. Run the test vector perl script, for example: | |
35 | ||
36 | cd fips | |
ce01482e | 37 | perl fipsalgtest.pl --dir=/wherever/stuff/was/extracted |
5eedacc9 DSH |
38 | |
39 | 4. It should say "passed all tests" at the end. Report full details of any | |
40 | failures. | |
41 | ||
ce01482e DSH |
42 | If you wish to use the older 1.2.x testvectors (for example those from 2007) |
43 | you need the command line switch --disable-v2 to fipsalgtest.pl | |
44 | ||
8aa6cff4 DSH |
45 | Examine the external symbols in fips/fipscanister.o; they should all begin |
46 | with FIPS or fips. One way to check with GNU nm is: | |
47 | ||
ce025892 | 48 | nm -g --defined-only fips/fipscanister.o | grep -v -i fips |
44f54a13 | 49 | |
6cdcb925 DSH |
50 | If you get *any* output at all from this test (i.e. symbols not starting with |
51 | fips or FIPS) please report it. | |
52 | ||
f9bf6314 DSH |
53 | Restricted tarball tests. |
54 | ||
55 | The validated module will have its own tarball containing sufficient code to | |
56 | build fipscanister.o and the associated algorithm tests. You can create a | |
57 | similar tarball yourself for testing purposes using the commands below. | |
58 | ||
59 | Standard restricted tarball: | |
60 | ||
61 | make -f Makefile.fips dist | |
62 | ||
63 | Prime field only ECC tarball: | |
64 | ||
65 | make NOEC2M=1 -f Makefile.fips dist | |
66 | ||
67 | Once you've created the tarball extract into a fresh directory and do: | |
68 | ||
69 | ./config | |
70 | make | |
71 | ||
72 | You can then run the algorithm tests as above. This build automatically uses | |
ce025892 | 73 | fipscanisterbuild and no-ec2m as appropriate. |
f9bf6314 | 74 | |
6cdcb925 DSH |
75 | FIPS capable OpenSSL test: WARNING PRELIMINARY INSTRUCTIONS, SUBJECT TO CHANGE. |
76 | ||
77 | At least initially the test module and FIPS capable OpenSSL may change and | |
78 | be out of sync. You are advised to check for any changes and pull the latest | |
79 | source from CVS if you have problems. See anon CVS and rsync instructions at: | |
80 | ||
81 | http://www.openssl.org/source/repos.html | |
82 | ||
83 | Make or download a restricted tarball from ftp://ftp.openssl.org/snapshot/ | |
84 | ||
85 | If required set the environment variable FIPSDIR to an appropriate location | |
86 | to install the test module. If cross compiling set other environment | |
87 | variables too. | |
88 | ||
89 | In this restricted tarball on a Linux or U*ix like system run: | |
90 | ||
91 | ./config | |
92 | make | |
93 | make install | |
94 | ||
95 | On Windows from a VC++ environment do: | |
96 | ||
97 | ms\do_fips | |
98 | ||
99 | This will build and install the test module and some associated files. | |
100 | ||
101 | Now download the latest version of the OpenSSL 1.0.1 branch from either a | |
102 | snapshot or preferably CVS. For Linux do: | |
103 | ||
104 | ./config fips [other args] | |
105 | make | |
106 | ||
107 | For Windows: | |
108 | ||
a2ab6986 | 109 | perl Configure VC-WIN32 fips [other args] |
6cdcb925 DSH |
110 | ms\do_nasm |
111 | nmake -f ms\ntdll.mak | |
112 | ||
113 | (or ms\nt.mak for a static build). | |
114 | ||
115 | Where [other args] can be any other arguments you use for an OpenSSL build | |
116 | such as "shared" or "zlib". | |
117 | ||
118 | This will build the fips capable OpenSSL and link it to the test module. You | |
119 | can now try linking and testing applications against the FIPS capable OpenSSL. | |
120 | ||
121 | Please report any problems to either the openssl-dev mailing list or directly | |
122 | to me steve@openssl.org . Check the mailing lists regularly to avoid duplicate | |
123 | reports. | |
124 | ||
44f54a13 DSH |
125 | Known issues: |
126 | ||
c9adde06 DSH |
127 | Code needs extensive review to ensure it builds correctly on |
128 | supported platforms and is compliant with FIPS 140-2. | |
6cdcb925 DSH |
129 | The "FIPS capable OpenSSL" is still largely untested; it builds and runs |
130 | some simple tests OK on some systems but needs far more "real world" testing. |
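
The external symbol check described above (nm piped through grep -v -i fips) passes any name that merely contains "fips". The following is an added example, not part of the README or the OpenSSL tree, that tests the stated requirement directly: every defined external symbol must begin with "fips" or "FIPS". The function names and the sample nm output are constructed for illustration.

```shell
#!/bin/sh
# Added example: stricter form of the README's nm/grep symbol check.

# Read `nm -g --defined-only` output on stdin and print every symbol
# whose name does not START with "fips" or "FIPS".
nonfips_symbols() {
    # nm lines look like "<address> <type> <name>"; the name is the last field.
    awk 'NF >= 2 {
        name = $NF
        if (name !~ /^(fips|FIPS)/) print name
    }'
}

# $1: path to the object file (the README uses fips/fipscanister.o).
# Returns 0 when clean, 1 when offending symbols exist, 2 if nm failed.
check_canister() {
    obj=$1
    out=$(nm -g --defined-only "$obj") || return 2
    bad=$(printf '%s\n' "$out" | nonfips_symbols)
    if [ -n "$bad" ]; then
        printf 'non-FIPS external symbols in %s:\n%s\n' "$obj" "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample nm output (hypothetical names, not from a real build).
SAMPLE_NM='0000000000000000 T FIPS_mode_set
0000000000000040 T fips_sha1_init
0000000000000080 T not_fips_helper
00000000000000c0 D helper_table'

# Offenders in the constructed sample. "not_fips_helper" is reported here
# but would slip past `grep -v -i fips` because it contains "fips".
sample_offenders() {
    printf '%s\n' "$SAMPLE_NM" | nonfips_symbols
}
```

After a build, run `check_canister fips/fipscanister.o` and treat any non-zero exit status as something to report.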