Home
Name Modified Size InfoDownloads / Week
README.FIPS 2014-03-16 3.7 kB
TABLE 2014-03-16 173.5 kB
README.ECC 2014-03-16 3.6 kB
README.ENGINE 2014-03-16 16.1 kB
README 2014-03-16 8.0 kB
README.ASN1 2014-03-16 7.7 kB
openssl.spec 2014-03-16 7.9 kB
PROBLEMS 2014-03-16 8.7 kB
NEWS 2014-03-16 30.9 kB
openssl.doxy 2014-03-16 137 Bytes
Makefile.shared 2014-03-16 21.9 kB
makevms.com 2014-03-16 40.1 kB
Makefile.fips 2014-03-16 20.6 kB
Makefile.org 2014-03-16 26.8 kB
INSTALL.WCE 2014-03-16 3.3 kB
LICENSE 2014-03-16 6.3 kB
INSTALL.W64 2014-03-16 2.2 kB
INSTALL.VMS 2014-03-16 11.0 kB
INSTALL.W32 2014-03-16 11.9 kB
INSTALL.NW 2014-03-16 18.9 kB
INSTALL.OS2 2014-03-16 744 Bytes
INSTALL.DJGPP 2014-03-16 2.1 kB
INSTALL.MacOS 2014-03-16 3.3 kB
INSTALL 2014-03-16 14.3 kB
install.com 2014-03-16 3.7 kB
GitMake 2014-03-16 134 Bytes
GitConfigure 2014-03-16 260 Bytes
Totals: 27 Items   447.6 kB 0
Preliminary status and build information for FIPS module v2.0

NB: if you are cross compiling you now need to use the latest "incore" script
this can be found at util/incore in the tarballs.

If you have any object files from a previous build do:

make clean

To build the module do:

./config fipscanisteronly
make

Build should complete without errors.

Build test utilities:

make build_tests

Run test suite:

test/fips_test_suite

again should complete without errors.

Run test vectors: 

1. Download an appropriate set of testvectors from www.openssl.org/docs/fips
   only the fips-2.0 testvector files are usable for complete tests.

2. Extract the files to a suitable directory.

3. Run the test vector perl script, for example:

   cd fips
   perl fipsalgtest.pl --dir=/wherever/stuff/was/extracted

4. It should say "passed all tests" at the end. Report full details of any
   failures.

If you wish to use the older 1.2.x testvectors (for example those from 2007)
you need the command line switch --disable-v2 to fipsalgtest.pl

Examine the external symbols in fips/fipscanister.o they should all begin
with FIPS or fips. One way to check with GNU nm is:

	nm -g --defined-only fips/fipscanister.o | grep -v -i fips

If you get *any* output at all from this test (i.e. symbols not starting with
fips or FIPS) please report it.

Restricted tarball tests.

The validated module will have its own tarball containing sufficient code to
build fipscanister.o and the associated algorithm tests. You can create a
similar tarball yourself for testing purposes using the commands below.

Standard restricted tarball:

make -f Makefile.fips dist

Prime field field only ECC tarball:

make NOEC2M=1 -f Makefile.fips dist

Once you've created the tarball extract into a fresh directory and do:

./config
make

You can then run the algorithm tests as above. This build automatically uses
fipscanisterbuild and no-ec2m as appropriate.

FIPS capable OpenSSL test: WARNING PRELIMINARY INSTRUCTIONS, SUBJECT TO CHANGE.

At least initially the test module and FIPS capable OpenSSL may change and
by out of sync. You are advised to check for any changes and pull the latest
source from CVS if you have problems. See anon CVS and rsync instructions at:

http://www.openssl.org/source/repos.html

Make or download a restricted tarball from ftp://ftp.openssl.org/snapshot/

If required set the environment variable FIPSDIR to an appropriate location
to install the test module. If cross compiling set other environment
variables too.

In this restricted tarball on a Linux or U*ix like system run:

./config
make
make install

On Windows from a VC++ environment do:

ms\do_fips

This will build and install the test module and some associated files.

Now download the latest version of the OpenSSL 1.0.1 branch from either a
snapshot or preferably CVS. For Linux do:

./config fips [other args]
make

For Windows:

perl Configure VC-WIN32 fips [other args]
ms\do_nasm
nmake -f ms\ntdll.mak

(or ms\nt.mak for a static build).

Where [other args] can be any other arguments you use for an OpenSSL build
such as "shared" or "zlib".

This will build the fips capable OpenSSL and link it to the test module. You
can now try linking and testing applications against the FIPS capable OpenSSL.

Please report any problems to either the openssl-dev mailing list or directly
to me steve@openssl.org . Check the mailing lists regularly to avoid duplicate
reports.

Known issues:

Code needs extensively reviewing to ensure it builds correctly on 
supported platforms and is compliant with FIPS 140-2.
The "FIPS capable OpenSSL" is still largely untested, it builds and runs
some simple tests OK on some systems but needs far more "real world" testing.
Source: README.FIPS, updated 2014-03-16