mirror of https://github.com/wolfSSL/wolfssl
update WIN IDE readme
This commit is contained in:
parent
5fe7a1b89a
commit
03a50c128a
|
@ -3,10 +3,11 @@
|
|||
First, if you did not get the FIPS files with your archive, you must contact
|
||||
wolfSSL to obtain them.
|
||||
|
||||
|
||||
# Building the wolfssl-fips project
|
||||
|
||||
The wolfCrypt FIPS library for Windows is a part of the wolfSSL library. It
|
||||
must be built as a static library.
|
||||
must be built as a static library, for the moment.
|
||||
|
||||
The library project is built with Whole Program Optimization disabled. This is
|
||||
required so that necessary components of the library are not optimized away.
|
||||
|
@ -20,15 +21,18 @@ section names start with ".fipsB$". Each subsection has a letter to organize
|
|||
them in a secific order. This specific ordering puts marker functions and
|
||||
constants on either end of the boundary so it can be hashed.
|
||||
|
||||
|
||||
# In Core Memory Test
|
||||
|
||||
The In Core Memory test calculates a checksum (HMAC-SHA256) of the wolfCrypt
|
||||
FIPS library code and constant data and compares it with a known value in
|
||||
the code.
|
||||
|
||||
The Randomized Base Address setting doesn't cause any problems because
|
||||
(I believe) that the addrsses in the executable are all offsets from the base
|
||||
rather than absolute addresses.
|
||||
The Randomized Base Address setting needs to be disabled on the 32-bit builds
|
||||
but can be enabled on the 64-bit builds. In the 32-bit mode the addresses
|
||||
being different throws off the in-core memory calculation. It looks like in
|
||||
64-bit mode the library uses all offsets, so the core hash calculation
|
||||
is the same every time.
|
||||
|
||||
The "verifyCore" check value in the source fips_test.c needs to be updated when
|
||||
building the code. The POS performs this check and the default failure callback
|
||||
|
@ -36,3 +40,30 @@ will print out the calculated checksum. When developing your code, copy this
|
|||
value and paste it back into your code in the verifyCore initializer then
|
||||
rebuild the code. When statically linking, you may have to recalculate your
|
||||
check value when changing your application.
|
||||
|
||||
|
||||
# Build Options
|
||||
|
||||
The default build options should be the proper default set of options:
|
||||
|
||||
* HAVE_FIPS
|
||||
* HAVE_THREAD_LS
|
||||
* HAVE_AESGCM
|
||||
* HAVE_HASHDRBG
|
||||
* WOLFSSL_SHA384
|
||||
* WOLFSSL_SHA512
|
||||
* NO_HC128
|
||||
* NO_RC4
|
||||
* NO_RABBIT
|
||||
* NO_DSA
|
||||
* NO_MD4
|
||||
|
||||
The "NO" options explicitly disable algorithms that are not allowed in
|
||||
FIPS mode.
|
||||
|
||||
Additionally one may enable:
|
||||
|
||||
* HAVE_ECC
|
||||
* OPENSSL_EXTRA
|
||||
* WOLFSSL_KEY_GEN
|
||||
|
||||
|
|
Loading…
Reference in New Issue