diff options
author | Rich Salz <rsalz@akamai.com> | 2015-12-14 21:24:27 +0100 |
---|---|---|
committer | Rich Salz <rsalz@openssl.org> | 2016-01-06 18:07:26 +0100 |
commit | 700b4a4ae7c2a89ca99bfe64baef1eabfa316136 (patch) | |
tree | ffe906e1a3f0b169233ef0dcadd50c948723d487 /README.FIPS | |
parent | Remove some unused perl scripts (diff) | |
download | openssl-700b4a4ae7c2a89ca99bfe64baef1eabfa316136.tar.xz openssl-700b4a4ae7c2a89ca99bfe64baef1eabfa316136.zip |
Remove more (rest?) of FIPS build stuff.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Diffstat (limited to 'README.FIPS')
-rw-r--r-- | README.FIPS | 131 |
1 files changed, 1 insertions, 130 deletions
diff --git a/README.FIPS b/README.FIPS index c41bab9930..859348664e 100644 --- a/README.FIPS +++ b/README.FIPS @@ -1,130 +1 @@ -Preliminary status and build information for FIPS module v2.0 - -NB: if you are cross compiling you now need to use the latest "incore" script -this can be found at util/incore in the tarballs. - -If you have any object files from a previous build do: - -make clean - -To build the module do: - -./config fipscanisteronly -make - -Build should complete without errors. - -Build test utilities: - -make build_tests - -Run test suite: - -test/fips_test_suite - -again should complete without errors. - -Run test vectors: - -1. Download an appropriate set of testvectors from www.openssl.org/docs/fips - only the fips-2.0 testvector files are usable for complete tests. - -2. Extract the files to a suitable directory. - -3. Run the test vector perl script, for example: - - cd fips - perl fipsalgtest.pl --dir=/wherever/stuff/was/extracted - -4. It should say "passed all tests" at the end. Report full details of any - failures. - -If you wish to use the older 1.2.x testvectors (for example those from 2007) -you need the command line switch --disable-v2 to fipsalgtest.pl - -Examine the external symbols in fips/fipscanister.o they should all begin -with FIPS or fips. One way to check with GNU nm is: - - nm -g --defined-only fips/fipscanister.o | grep -v -i fips - -If you get *any* output at all from this test (i.e. symbols not starting with -fips or FIPS) please report it. - -Restricted tarball tests. - -The validated module will have its own tarball containing sufficient code to -build fipscanister.o and the associated algorithm tests. You can create a -similar tarball yourself for testing purposes using the commands below. - -Standard restricted tarball: - -make -f Makefile.fips dist - -Prime field field only ECC tarball: - -make NOEC2M=1 -f Makefile.fips dist - -Once you've created the tarball extract into a fresh directory and do: - -./config -make - -You can then run the algorithm tests as above. This build automatically uses -fipscanisterbuild and no-ec2m as appropriate. - -FIPS capable OpenSSL test: WARNING PRELIMINARY INSTRUCTIONS, SUBJECT TO CHANGE. - -At least initially the test module and FIPS capable OpenSSL may change and -by out of sync. You are advised to check for any changes and pull the latest -source from CVS if you have problems. See anon CVS and rsync instructions at: - -http://www.openssl.org/source/repos.html - -Make or download a restricted tarball from ftp://ftp.openssl.org/snapshot/ - -If required set the environment variable FIPSDIR to an appropriate location -to install the test module. If cross compiling set other environment -variables too. - -In this restricted tarball on a Linux or U*ix like system run: - -./config -make -make install - -On Windows from a VC++ environment do: - -ms\do_fips - -This will build and install the test module and some associated files. - -Now download the latest version of the OpenSSL 1.0.1 branch from either a -snapshot or preferably CVS. For Linux do: - -./config fips [other args] -make - -For Windows: - -perl Configure VC-WIN32 fips [other args] -ms\do_nasm -nmake -f ms\ntdll.mak - -(or ms\nt.mak for a static build). - -Where [other args] can be any other arguments you use for an OpenSSL build -such as "shared" or "zlib". - -This will build the fips capable OpenSSL and link it to the test module. You -can now try linking and testing applications against the FIPS capable OpenSSL. - -Please report any problems to either the openssl-dev mailing list or directly -to me steve@openssl.org . Check the mailing lists regularly to avoid duplicate -reports. - -Known issues: - -Code needs extensively reviewing to ensure it builds correctly on -supported platforms and is compliant with FIPS 140-2. -The "FIPS capable OpenSSL" is still largely untested, it builds and runs -some simple tests OK on some systems but needs far more "real world" testing. +This release does not support a FIPS 140-2 validated module. |