From 0c89b3ccba7c9b7332ab67ae1936aff51ca62367 Mon Sep 17 00:00:00 2001 From: NingSun Date: Thu, 8 Feb 2018 08:34:03 -0800 Subject: Initial sshsm project structure Issue-ID: AAF-94 Change-Id: I5e82fff418e7567b161acf9b98013a9b85ffc5b4 Signed-off-by: NingSun --- SoftHSMv2/FIPS-NOTES.md | 56 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 SoftHSMv2/FIPS-NOTES.md (limited to 'SoftHSMv2/FIPS-NOTES.md') diff --git a/SoftHSMv2/FIPS-NOTES.md b/SoftHSMv2/FIPS-NOTES.md new file mode 100644 index 0000000..1827a3b --- /dev/null +++ b/SoftHSMv2/FIPS-NOTES.md @@ -0,0 +1,56 @@ +# FIPS 140-2 + +The OpenSSL crypto backend can be a FIPS 140-2 capable library, +cf. the OpenSSL FIPS 140 documents SecurityPolicy and UserGuide. + +## Introduction + +Please read the OpenSSL FIPS 140 documents about to get +a FIPS Capable OpenSSL library. + +## Hard points + +Reread the OpenSSL FIPS 140 documents as they are hard to apply. + +Note the following is for Unix/Linux. + +Now I suppose you have a >= 1.0.1e capable static library (a +dynamic library is far easier but always possible and often +dubious from a security point of view... BTW if you have built +a FIPS Capable OpenSSL library you should not be afraid of +extra complexity :-). + +Do not forget to compile OpenSSL with position indepent code +(aka PIC) as the libsofthsm.so requires it. The FIPS module +canister is already compiled this way. + +A usual issue is the C++ compiler not compiling .c files as C code. +A simple test can show this, put in foo.c file this code: + +foo() { char *x = "ab"; } + +and compile with the C and C++ compilers with all warnings: +the C++ compiler should raise an extra warning or error about +the no type for foo() and/or for the char* string constant. + +When this raises some errors in the fispld script, you have to +insert '-x c' and '-x none' before and after each .c file +in the C++ commands, for instance using this wrapper: + +-------------------------------- cut here -------------------------------- +#!/bin/sh + +commands="g++" + +for elem in $@ +do + case $elem in + *.c) commands+=" -x c $elem -x none";; + *) commands+=" $elem";; + esac +done + +exec $commands +-------------------------------- end -------------------------------- + +In any cases you have to set CC and CXX to fipsld. -- cgit 1.2.3-korg