1 files changed, 56 insertions, 0 deletions

diff --git a/SoftHSMv2/FIPS-NOTES.md b/SoftHSMv2/FIPS-NOTES.md
new file mode 100644
index 0000000..1827a3b
--- /dev/null
+++ b/SoftHSMv2/FIPS-NOTES.md
@@ -0,0 +1,56 @@
+# FIPS 140-2
+
+The OpenSSL crypto backend can be a FIPS 140-2 capable library,
+cf. the OpenSSL FIPS 140 documents SecurityPolicy and UserGuide.
+
+## Introduction
+
+Please read the OpenSSL FIPS 140 documents about to get
+a FIPS Capable OpenSSL library.
+
+## Hard points
+
+Reread the OpenSSL FIPS 140 documents as they are hard to apply.
+
+Note the following is for Unix/Linux.
+
+Now I suppose you have a >= 1.0.1e capable static library (a
+dynamic library is far easier but always possible and often
+dubious from a security point of view... BTW if you have built
+a FIPS Capable OpenSSL library you should not be afraid of
+extra complexity :-).
+
+Do not forget to compile OpenSSL with position indepent code
+(aka PIC) as the libsofthsm.so requires it. The FIPS module
+canister is already compiled this way.
+
+A usual issue is the C++ compiler not compiling .c files as C code.
+A simple test can show this, put in foo.c file this code:
+
+foo() { char *x = "ab"; }
+
+and compile with the C and C++ compilers with all warnings:
+the C++ compiler should raise an extra warning or error about
+the no type for foo() and/or for the char* string constant.
+
+When this raises some errors in the fispld script, you have to
+insert '-x c' and '-x none' before and after each .c file
+in the C++ commands, for instance using this wrapper:
+
+-------------------------------- cut here --------------------------------
+#!/bin/sh
+
+commands="g++"
+
+for elem in $@
+do
+ case $elem in
+   *.c) commands+=" -x c $elem -x none";;
+   *) commands+=" $elem";;
+ esac
+done
+
+exec $commands
+-------------------------------- end --------------------------------
+
+In any cases you have to set CC and CXX to fipsld.