Lines Matching +full:fips +full:- +full:140 +full:- +full:2
1 OpenSSL FIPS support
5 FIPS validated. The module is implemented as an OpenSSL provider.
7 cryptographic algorithms, see the [README-PROVIDERS](README-PROVIDERS.md) file
10 A cryptographic module is only FIPS validated after it has gone through the complex
11 FIPS 140 validation process. As this process takes a very long time, it is not
13 If you need a FIPS validated module then you must ONLY generate a FIPS provider
14 using OpenSSL versions that have valid FIPS certificates. A FIPS certificate
16 in the Security Policy in order to be FIPS compliant.
18 FIPS certificates and Security Policies.
22 legacy providers) without any restrictions, but the FIPS provider must be built
26 The OpenSSL FIPS provider is a shared library called `fips.so` (on Unix), or
27 `fips.dll` (on Windows). The FIPS provider does not get built and
29 the `enable-fips` option.
31 Installing the FIPS provider
34 In order to be FIPS compliant you must only use FIPS validated source code.
36 which versions are FIPS validated. The instructions given below build OpenSSL
37 just using the FIPS validated source code. Any FIPS validated version may be
39 To determine which FIPS validated library version may be appropriate for you.
41 If you want to use a validated FIPS provider, but also want to use the latest
47 If the FIPS provider is enabled, it gets installed automatically during the
60 $ make install_fips # for `enable-fips` only
63 the FIPS provider independently, without installing the rest of OpenSSL.
65 The installation of the FIPS provider consists of two steps. In the first step,
68 /usr/local/lib/ossl-modules/fips.so on Unix, and
69 C:\Program Files\OpenSSL\lib\ossl-modules\fips.dll on Windows.
74 - Runs the FIPS module self tests
75 - Generates the so-called FIPS module configuration file containing information
76 about the module such as the module checksum (and for OpenSSL 3.1.2 the
79 The FIPS module must have the self tests run, and the FIPS module config file
80 output generated on every machine that it is to be used on. For OpenSSL 3.1.2
81 you must not copy the FIPS module config file output data from one machine to another.
85 …$ openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/lib/ossl-modules/fips.…
89 to a non-standard location, you can execute the `openssl fipsinstall` command manually.
91 Installing the FIPS provider and using it with the latest release
94 This normally requires you to download 2 copies of the OpenSSL source code.
96 Download and build a validated FIPS provider
97 --------------------------------------------
100 which versions are FIPS validated. For this example we use OpenSSL 3.1.2.
102 $ wget https://www.openssl.org/source/openssl-3.1.2.tar.gz
103 $ tar -xf openssl-3.1.2.tar.gz
104 $ cd openssl-3.1.2
105 $ ./Configure enable-fips
110 ------------------------------------------------
114 $ wget https://www.openssl.org/source/openssl-3.5.0.tar.gz
115 $ tar -xf openssl-3.5.0.tar.gz
116 $ cd openssl-3.5.0
117 $ ./Configure enable-fips
120 Use the OpenSSL FIPS provider for testing
121 -----------------------------------------
123 We do this by replacing the artifact for the OpenSSL 3.5.0 FIPS provider.
124 Note that the OpenSSL 3.5.0 FIPS provider has not been validated
125 so it must not be used for FIPS purposes.
127 $ cp ../openssl-3.1.2/providers/fips.so providers/.
128 $ cp ../openssl-3.1.2/providers/fipsmodule.cnf providers/.
129 // Note that for OpenSSL 3.1.2 the `fipsmodule.cnf` file should not
131 // `install-status`. (Otherwise the self tests would be skipped).
134 // OpenSSL 3.1.2 FIPS provider
135 $ ./util/wrap.pl -fips apps/openssl list -provider-path providers \
136 -provider fips -providers
138 // Now run the current tests using the OpenSSL 3.1.2 FIPS provider.
141 Copy the FIPS provider artifacts (`fips.so` & `fipsmodule.cnf`) to known locations
142 -------------------------------------------------------------------------------------
144 $ cd ../openssl-3.1.2
147 Check that the correct FIPS provider is being used
148 --------------------------------------------------
150 $ cd ../openssl-3.5.0
151 $ ./util/wrap.pl -fips apps/openssl list -provider-path providers \
152 -provider fips -providers
160 fips
161 name: OpenSSL FIPS Provider
162 version: 3.1.2
165 Using the FIPS Module in applications
168 Documentation about using the FIPS module is available on the [fips_module(7)]
176 The FIPS provider typically relies on an external entropy source,
178 enabling the `enable-fips-jitter` option during configuration, an internal
180 the FIPS provider to operate in a non-compliant mode unless an entropy
183 Note that the `enable-fips-jitter` option is only available in OpenSSL
186 [CMVP]: https://csrc.nist.gov/projects/cryptographic-module-validation-program
187 [ESV]: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations
189 3rd-Party Vendor Builds
192 Some vendors choose to patch/modify/build their own FIPS provider,
195 so, the FIPS provider should uniquely identify its own name and version
196 number. The build infrastructure allows customizing the FIPS provider
200 suffix), and "FIPS_VENDOR" allow controlling the reported FIPS provider