Skip to content

T
Third Party Openssl

OpenHarmony / Third Party Openssl
大约 1 年 前同步成功

通知 9
Star 18
Fork 1
T
Third Party Openssl

体验新版 GitCode,发现更多精彩内容 >>

切换分支/标签
查找文件 普通视图历史永久链接Permalink
README.FIPS 2.3 KB
Newer Older
D
Add preliminary FIPS information.  
Dr. Stephen Henson 已提交
1 2 
Preliminary status and build information for FIPS module v2.0
D
Clarification.  
Dr. Stephen Henson 已提交
3 4 5 6 
If you have any object files from a previous build do:

make clean
D
Add preliminary FIPS information.  
Dr. Stephen Henson 已提交
7 8 9 10 11 12 13 14 15 16 17 18 19 
To build the module do:

./config fipscanisterbuild
make

Build should complete without errors.

Run test suite:

test/fips_test_suite

again should complete without errors.
D
update README.FIPS  
Dr. Stephen Henson 已提交
20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 
Run test vectors: 

1. Download an appropriate set of testvectors from www.openssl.org/docs/fips
   those for 2007 are OK.

2. Extract the files to a suitable directory.

3. Run the test vector perl script, for example:

   cd fips
   perl fipsalgtest.pl --dir=/wherever/stuff/was/extracted

4. It should say "passed all tests" at the end. Report full details of any
   failures.
D
Clarify README.FIPS.  
Dr. Stephen Henson 已提交
35 36 37 38 39 40 
Run:

make clean

to remove any object modules from previous compile.
D
Update status information.  
Dr. Stephen Henson 已提交
41 42 43 44 45 46 47 48 49 50 51 
Run symbol hiding test:

./config fipscanisteronly -DOPENSSL_FIPSSYMS
make

This time only the fips utilities should be built.

Examine the external symbols in fips/fipscanister.o they should all begin
with FIPS or fips. One way to check with GNU nm is:

nm -g --defined-only fips/fipscanister.o | grep -v -i fips
D
Add preliminary FIPS information.  
Dr. Stephen Henson 已提交
52
D
Don't give dependency warning for fips builds.  
Dr. Stephen Henson 已提交
53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 
Restricted tarball tests.

The validated module will have its own tarball containing sufficient code to
build fipscanister.o and the associated algorithm tests. You can create a
similar tarball yourself for testing purposes using the commands below.

Standard restricted tarball:

make -f Makefile.fips dist

Prime field field only ECC tarball:

make NOEC2M=1 -f Makefile.fips dist

Once you've created the tarball extract into a fresh directory and do:

./config
make

You can then run the algorithm tests as above. This build automatically uses
fipscanisteronly and -DOPENSSL_FIPSYMS and no-ec2m as appropriate.
D
Add preliminary FIPS information.  
Dr. Stephen Henson 已提交
75 76 77 
Known issues:

Algorithm tests are pre-2011.
D
Update status information.  
Dr. Stephen Henson 已提交
78 
The fipslagtest.pl script wont auto run new algorithm tests such as DSA2.
D
updated FIPS status  
Dr. Stephen Henson 已提交
79 
Usage of ECDH/DH needs review and whether any KDFs need to be implemented.
D
Update status information.  
Dr. Stephen Henson 已提交
80 81 
Selftests need updating with larger key sizes in some cases and redundant
tests pruned.
D
updated FIPS status  
Dr. Stephen Henson 已提交
82 83 84 
SP800-90 DRBG needs more work: check for compliance, continuous PRNG test
when entropy gathering, periodic health tests.
Some algorithms need to check security strength of PRNG: keygen etc.
D
Update status information.  
Dr. Stephen Henson 已提交
85 
No CCM.
D
updated FIPS status  
Dr. Stephen Henson 已提交
86 87 88 89 
No XTS.
The "FIPS capable OpenSSL" is not yet complete: meaning that the rest of
OpenSSL doesn't always use the correct FIPS module APIs and block others
in FIPS mode.